Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk Attack Range: Build, Simulate, Detect

Rumsha
Splunk Employee

Can your security teams successfully perform attack simulations to visualize and record attacks?

Splunk Attack Range 2.0 allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk. Watch the Tech Talk, Splunk Attack Range: Build, Simulate, Detect, and join the Splunk Threat Research Team for a demo of Splunk Attack Range v2.0 and to learn about:

  • How the Splunk Threat Research Team leverages the Splunk Attack Range
  • The newest features available in the Splunk Attack Range v2.0
  • Future plans for Splunk Attack Range v3.0

Also don’t forget to view all the resources available to continue your Splunk journey:

  • Blogs
  • Resources

Recommended .conf22 Sessions

  • Home on the Range: Detection Engineering with Splunk Attack Range
  • Linux Threat Detection with Attack Range
  • Purple Teaming - Build, Attack, and Defend Your Organization

Rumsha
Splunk Employee

Questions & Answers from the Splunk Attack Range Tech Talk:

Q. I manage ES and implement correl searches, including tuning and devising filtering etc. I would like to add a step where I deliberately 'oneshot' an attack dataset relevant to each rule to test that the notable fires. Attack Range looks excessive for this purpose. Is there a simpler Splunk app or tool that would help me organize and manage 'oneshot' testing of my implemented correlations?

A. I think you could use the replay_attack python script for this purpose. You don't need to build a lab environment with the Attack Range to use the python script. However, you have to make sure that the attack data we have available matches the schema you are using.
Q. This would probably be a major re-engineering project but what would be the feasibility of "injecting" a backup of your own AD using a local version of the range install vs using the AD that's included with the range?

A. We allow folks to bring their own Splunk instance, but never considered a BYO AD instance; if you open a GitHub issue with this request we can easily triage it and consider it for a future version.

Q. Is it AWS only, or could one build it in VirtualBox (locally)?

A. Version 3.0, now on the repo, supports local:

https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html


Q. Which one do you prefer, PurpleSharp or ART?

A. I think they serve different purposes. We may use one or the other depending on the requirement. The next demo will give you a better idea.

Q. Looking at this python script, does it essentially perform a 'oneshot' of events into Splunk?

A. Pretty much. It uses the previously generated dataset and uses Splunk's API to push the dataset.

Visit Splunk Threat Research Team (STRT) to learn more.
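As an added example (not the replay_attack script or any Splunk Threat Research Team code), here is a small Python sketch of the replay step the last answer describes, together with the schema check the first answer warns about. It assumes the dataset is JSON lines carrying Splunk metadata fields (_time, host, source, sourcetype, _raw) and that ingestion goes through the HTTP Event Collector; both are assumptions, and the sample events are constructed.

```python
import json
import urllib.request

# Constructed sample dataset (JSON lines). Made-up events for illustration, not STRT data.
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SAMPLE_DATASET = "\n".join(json.dumps(e) for e in [
    {"_time": 1665664800, "host": "ar-win-dc", "source": SYSMON, "sourcetype": SYSMON,
     "_raw": "EventCode=1 Image=cmd.exe CommandLine=cmd.exe /c whoami"},
    {"_time": 1665664801, "host": "ar-win-dc", "source": SYSMON, "sourcetype": SYSMON,
     "_raw": "EventCode=3 DestinationPort=445 Image=cmd.exe"},
    {"_time": 1665664802, "host": "ar-win-dc", "sourcetype": "WinEventLog:Security",
     "_raw": "EventCode=4688 New_Process_Name=whoami.exe"},  # no "source": a schema gap
])
REQUIRED_FIELDS = ("_time", "host", "source", "sourcetype", "_raw")


def parse_dataset(text):
    """Parse a JSON-lines dataset into a list of event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def schema_mismatches(events, required=REQUIRED_FIELDS):
    """Return (line_number, missing_fields) for events lacking metadata the correlation
    search may key on; an empty list means the dataset can be replayed as-is."""
    return [(n, [f for f in required if f not in ev])
            for n, ev in enumerate(events, start=1)
            if any(f not in ev for f in required)]


def build_hec_batch(events, index, sourcetype_map=None):
    """Render events in HEC /services/collector/event form, one JSON object per line.
    sourcetype_map renames dataset sourcetypes to the ones your own inputs use."""
    sourcetype_map = sourcetype_map or {}
    out = []
    for ev in events:
        st = sourcetype_map.get(ev["sourcetype"], ev["sourcetype"])
        out.append(json.dumps({"time": ev["_time"], "host": ev["host"], "index": index,
                               "source": ev.get("source", st), "sourcetype": st,
                               "event": ev["_raw"]}))
    return "\n".join(out)


def send_hec(batch, hec_url, token):
    """POST the batch to a HEC endpoint (e.g. https://splunk.example:8088/services/collector/event).
    The token must be allowed to write to the chosen index; returns the parsed HEC reply."""
    req = urllib.request.Request(hec_url, data=batch.encode("utf-8"), method="POST",
                                 headers={"Authorization": "Splunk " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())
```

Run schema_mismatches before sending: a notable that never fires is often a field or sourcetype mismatch between the dataset and your inputs rather than a broken correlation search.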