Splunk Attack Range: Build, Simulate, Detect

Rumsha · ‎10-13-2022

Screen Shot 2022-10-13 at 12.41.35 PM.png

WATCH NOW

Splunk Attack Range: Build, Simulate, Detect
Video Player is loading.
Current Time 0:00
Duration 1:04:07
Loaded: 0.15%
Stream Type LIVE
Remaining Time 1:04:07

1x
Chapters
descriptions off, selected
captions settings, opens captions settings dialog
captions off, selected
en (Main), selected
Beginning of dialog window. Escape will cancel and close the window.
TextColorTransparency
BackgroundColorTransparency
WindowColorTransparency
Font Size
Text Edge Style
Font Family
End of dialog window.

(view in My Videos)

Can your security teams successfully perform attack simulations to visualize and record attacks?

Splunk Attack Range 2.0 allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk. Watch the Tech Talk, Splunk Attack Range: Build, Simulate, Detect and join the Splunk Threat Research Team for a demo of Splunk Attack Range v2.0 and to learn about:

How the Splunk Threat Research Team leverages the Splunk Attack Range
The newest features available in the Splunk Attack Range v2.0
Future plans for Splunk Attack Range v3.0

Also don’t forget to view all the resources available to continue your Splunk journey:

Blogs

Resources

Recommended .conf22 Sessions

Home on the Range: Detection Engineering with Splunk Attack Range
Linux Threat Detection with Attack Range
Purple Teaming - Build, Attack, and Defend Your Organization

Sign in and access sessions

Rumsha · ‎10-26-2022

Questions & Answers from the Splunk Attack Range Tech Talk:

Q. I manage ES and implement correl searches, including tuning and devising filtering etc. I would like to add a step where I deliberately 'oneshot' an attack dataset relevant to each rule to test that the notable fires. Attack Range looks excessive for this purpose. Is there simpler Splunk app or tool that would help me organize and manage 'oneshot' testing of my implemented correlations?

A. I think you could use the replay_attack python script for this purpose. You don't need to build a lab environment with the Attack Range to use the python script. However, you have to make sure that the attack data we have available matches the schema you are using.

Q. This would probably be a major re-engineering project but what would be the feasibility of "injecting" a backup of your own AD using a local version of the range install vs using the AD that's included with the range?

A. We allow folks to bring their own Splunk instance, but never consider a BYO AD instance, if you open a Github issue with this request we can easily triage it and consider it for a future version.

Q. Is it AWS only, or could one build it in VirtualBox (locally)?

A. version 3.0 now on the repo supports local

https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html

Q. Which one do you prefer, PurpleSharp or ART?

A. I think they serve different purposes. We may use one or the other depending on the requirement. The next demo will give you a better idea

Q. Looking at this python script, does it essentially perform a 'oneshot' of events into Splunk?

A. Pretty much. It uses the previously generated dataset and uses Splunks API to push the dataset

Visit Splunk Threat Research Team (STRT) to learn more.

Splunk Attack Range: Build, Simulate, Detect

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application