Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk Attack Range: Build, Simulate, Detect

Rumsha
Splunk Employee


Can your security teams successfully perform attack simulations to visualize and record attacks? 

Splunk Attack Range 2.0 allows you to create vulnerable, instrumented local or cloud environments to simulate attacks against and collect the data into Splunk. Watch the Tech Talk, Splunk Attack Range: Build, Simulate, Detect, and join the Splunk Threat Research Team for a demo of Splunk Attack Range v2.0 and to learn about:

  • How the Splunk Threat Research Team leverages the Splunk Attack Range
  • The newest features available in the Splunk Attack Range v2.0
  • Future plans for Splunk Attack Range v3.0


Also don’t forget to view all the resources available to continue your Splunk journey:

Blogs


Resources


Recommended .conf22 Sessions

  • Home on the Range: Detection Engineering with Splunk Attack Range
  • Linux Threat Detection with Attack Range
  • Purple Teaming - Build, Attack, and Defend Your Organization


Rumsha
Splunk Employee

Questions & Answers from the Splunk Attack Range Tech Talk:


Q. I manage ES and implement correlation searches, including tuning and devising filtering, etc. I would like to add a step where I deliberately 'oneshot' an attack dataset relevant to each rule to test that the notable fires. Attack Range looks excessive for this purpose. Is there a simpler Splunk app or tool that would help me organize and manage 'oneshot' testing of my implemented correlations?

A. I think you could use the replay_attack python script for this purpose. You don't need to build a lab environment with the Attack Range to use the python script. However, you have to make sure that the attack data we have available matches the schema you are using.
Q. This would probably be a major re-engineering project but what would be the feasibility of "injecting" a backup of your own AD using a local version of the range install vs using the AD that's included with the range?
 
A. We allow folks to bring their own Splunk instance, but we have never considered a BYO AD instance. If you open a GitHub issue with this request, we can easily triage it and consider it for a future version.

Q. Is it AWS only, or could one build it in VirtualBox (locally)?
 
A. Version 3.0, now on the repo, supports local deployments: https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html


Q. Which one do you prefer, PurpleSharp or ART?
 
A. I think they serve different purposes. We may use one or the other depending on the requirement. The next demo will give you a better idea.
Q. Looking at this python script, does it essentially perform a 'oneshot' of events into Splunk?
 
A. Pretty much. It uses the previously generated dataset and uses Splunk's API to push the dataset.
Visit Splunk Threat Research Team (STRT) to learn more.
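A minimal replay along the lines described in the two answers about the replay script above, written as an added example (it is not the replay_attack script or any other Splunk project code; the HEC endpoint, the sourcetype and the dataset layout are assumptions):

```python
# Added example: replay a captured attack dataset into Splunk over the HTTP Event
# Collector (HEC). Not the attack_data project's replay_attack script. Assumes the
# dataset is newline-delimited JSON with "_time" (epoch seconds), "sourcetype" and
# "_raw" fields, as in the constructed sample below, and that HEC listens on 8088.
import json
import time
import urllib.request

# Constructed sample: three Sysmon-style process-creation events 10 s and 25 s apart.
SAMPLE_DATASET = "\n".join([
    '{"_time": 1665000000, "sourcetype": "XmlWinEventLog", "_raw": "<Event>EventID 1 #1</Event>"}',
    '{"_time": 1665000010, "sourcetype": "XmlWinEventLog", "_raw": "<Event>EventID 1 #2</Event>"}',
    '{"_time": 1665000035, "sourcetype": "XmlWinEventLog", "_raw": "<Event>EventID 1 #3</Event>"}',
])


def build_hec_events(dataset_text, index, sourcetype, host="attack-range-win", now=None):
    """Shift timestamps so the newest event lands at `now`, keeping relative spacing
    (time-window correlation searches then see the original sequence). A record whose
    sourcetype differs from the target raises ValueError: the schema mismatch the
    first answer above warns about."""
    records = [json.loads(line) for line in dataset_text.splitlines() if line.strip()]
    if not records:
        return []
    now = time.time() if now is None else now
    offset = now - max(r["_time"] for r in records)
    events = []
    for r in records:
        if r.get("sourcetype", sourcetype) != sourcetype:
            raise ValueError(f"dataset sourcetype {r['sourcetype']!r} != target {sourcetype!r}")
        events.append({"time": r["_time"] + offset, "host": host, "index": index,
                       "sourcetype": sourcetype, "source": "attack_data_replay",
                       "event": r["_raw"]})
    return events


def hec_payload(events):
    """HEC accepts several JSON event objects concatenated in one POST body."""
    return "\n".join(json.dumps(e) for e in events)


def send_to_hec(events, hec_url, token):
    """POST the batch; hec_url is e.g. https://splunk:8088/services/collector/event."""
    req = urllib.request.Request(
        hec_url, data=hec_payload(events).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # {"text": "Success", "code": 0} when HEC accepts the batch
```

After the batch lands, run the correlation search over the replayed window and confirm the expected notable fires; a dataset whose sourcetype or field names differ from your deployment's will index fine but never match the rule.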