Splunk Tech Talks
Deep-dives for technical practitioners.

Using the Splunk Threat Research Team’s Latest Security Content

WhitneySink
Splunk Employee


Tech Talk | Security Edition

Did you know the Splunk Threat Research Team regularly releases new, pre-packaged security content? Just in the last few months, the team has released dozens of new and updated detections and analytics stories covering the latest threats, including malware campaigns, zero-day vulnerabilities, CVEs, and more.


Join this Tech Talk to learn more from Michael Haag, Principal Threat Researcher, who will provide:

  • Best practices for accessing and using the team’s content in the Splunk ES Content Update (ESCU) app
  • An overview of the team’s content updates between November and January
  • Deeper dives into new content for detecting DarkGate malware, Office 365 account takeover, and Windows Attack Surface Reduction events


WhitneySink
Splunk Employee

Your Questions Answered

Q. Is there a place to see a demo and more resources on the use of Attack Range? 

A.  Absolutely, we're glad to see your interest in Splunk's Attack Range! For a hands-on demo and comprehensive resources, the best places to start are our latest release blog post on Attack Range v3.0 here, the GitHub project here for code and detailed guidance, and our documentation here for in-depth usage instructions. If you're looking for a quick setup, using Docker is highly recommended, with a guide available here.
Q. I've heard as part of best practices, we should clone correlation searches so that ESCU updates don't automatically update or change our customization (to account for other sources, unique exclusions, search timing, etc.). Is that a true best practice and how does this impact your ability to assess what coverage you have on correlation searches and analytic stories?

A.  Certainly! Cloning correlation searches in Splunk is a recommended best practice to protect your custom modifications when Enterprise Security Content Update (ESCU) releases new updates. This approach safeguards your tailored settings, like unique data source adjustments and specific exclusions, from being overwritten. However, it does present a challenge in tracking and assessing your security posture, as it's harder to keep up with which searches you've customized and how they align with ESCU's analytic stories. To manage this, maintain thorough documentation of your changes, use version control for easy tracking, regularly review your custom searches against ESCU updates, and adopt clear naming conventions. This strategy ensures you benefit from ESCU's enhancements while keeping your specific security needs addressed.
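Added example (not from the Tech Talk and not Splunk's own tooling): a small Python script that does the bookkeeping the answer above recommends, so the cost of cloning stays visible. It assumes clones follow a fixed naming convention (here "CUSTOM - " replacing "ESCU - ") and that a manifest committed to version control records, for each clone, the upstream ESCU stanza and a SHA-256 of that stanza's SPL at clone time. The two savedsearches.conf excerpts and the manifest are constructed samples; the key names used (search, disabled, action.escu.analytic_story) are assumed to mirror ESCU's conf layout rather than copied from any release, and the SPL is illustrative only.

```python
"""Review ESCU clones after a content update: which clones are behind their
upstream, and how many enabled detections each analytic story still has."""
import hashlib
import json

# Constructed sample: the stanzas ESCU would ship after an update. ESCU ships
# its searches disabled; the analytic story tag drives coverage reporting.
ESCU_CONF = r"""
[ESCU - O365 Excessive Authentication Failures Alert - Rule]
disabled = 1
action.escu.analytic_story = ["Office 365 Account Takeover"]
search = `o365_management_activity` Operation=UserLoginFailed \
| stats count by user | where count > 10

[ESCU - Windows Defender ASR Rules Stacking - Rule]
disabled = 1
action.escu.analytic_story = ["Windows Attack Surface Reduction"]
search = `ms_defender` EventCode IN (1121,1122,5007) | stats count by rule_id

[ESCU - DarkGate Launcher Activity - Rule]
disabled = 1
action.escu.analytic_story = ["DarkGate Malware"]
search = `sysmon` EventCode=1 Image=*AutoIt3.exe | stats count by dest
"""

# Constructed sample: the customer's clones, with local exclusions and thresholds.
LOCAL_CONF = r"""
[CUSTOM - O365 Excessive Authentication Failures Alert - Rule]
disabled = 0
action.escu.analytic_story = ["Office 365 Account Takeover"]
search = `o365_management_activity` Operation=UserLoginFailed user!=svc-* \
| stats count by user | where count > 25

[CUSTOM - Windows Defender ASR Rules Stacking - Rule]
disabled = 0
action.escu.analytic_story = ["Windows Attack Surface Reduction"]
search = `ms_defender` EventCode IN (1121,1122) host!=build-* | stats count by rule_id
"""


def parse_conf(text):
    """Minimal savedsearches.conf reader: [stanza] headers, key = value pairs and
    backslash line continuation. Not a full Splunk conf parser (no btool layering)."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        joined.append(buf + line.strip())
        buf = ""
    stanzas, current = {}, None
    for line in joined:
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None:
            key, _, value = line.partition("=")  # split at the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def fingerprint(spl):
    """Stable hash of an SPL string, ignoring whitespace differences."""
    return hashlib.sha256(" ".join(spl.split()).encode()).hexdigest()


def record_clone(upstream_name, escu):
    """Manifest entry to commit alongside a newly created clone."""
    return {"upstream": upstream_name, "upstream_sha256": fingerprint(escu[upstream_name]["search"])}


# Constructed manifest (clone name -> upstream + upstream SPL hash at clone time).
# The ASR clone was taken before upstream added event 5007, so it is behind.
MANIFEST = {
    "CUSTOM - O365 Excessive Authentication Failures Alert - Rule": {
        "upstream": "ESCU - O365 Excessive Authentication Failures Alert - Rule",
        "upstream_sha256": fingerprint(
            "`o365_management_activity` Operation=UserLoginFailed | stats count by user | where count > 10"),
    },
    "CUSTOM - Windows Defender ASR Rules Stacking - Rule": {
        "upstream": "ESCU - Windows Defender ASR Rules Stacking - Rule",
        "upstream_sha256": fingerprint("`ms_defender` EventCode IN (1121,1122) | stats count by rule_id"),
    },
}


def review_clones(escu, local, manifest):
    """Per ESCU stanza: 'cloned-current', 'cloned-stale' (upstream SPL changed since
    the clone was taken, so the customisation needs re-porting) or 'not-cloned'.
    A manifest entry whose upstream no longer exists is reported under the clone
    name as 'orphaned' (ESCU renamed or removed the detection)."""
    status = {name: "not-cloned" for name in escu}
    for clone, entry in manifest.items():
        up = entry["upstream"]
        if up not in escu:
            status[clone] = "orphaned"
        elif clone in local:
            current = fingerprint(escu[up]["search"])
            status[up] = "cloned-current" if current == entry["upstream_sha256"] else "cloned-stale"
    return status


def story_coverage(escu, local, manifest):
    """Enabled detections per analytic story. A cloned upstream counts through its
    clone's 'disabled' flag; an uncloned one through ESCU's own (shipped disabled)."""
    clone_of = {e["upstream"]: c for c, e in manifest.items() if c in local}
    coverage = {}
    for name, stanza in escu.items():
        active = local[clone_of[name]] if name in clone_of else stanza
        enabled = active.get("disabled", "0") == "0"
        for story in json.loads(stanza.get("action.escu.analytic_story", "[]")):
            coverage[story] = coverage.get(story, 0) + int(enabled)
    return coverage


if __name__ == "__main__":
    escu, local = parse_conf(ESCU_CONF), parse_conf(LOCAL_CONF)
    for name, state in review_clones(escu, local, MANIFEST).items():
        print(f"{state:15} {name}")
    for story, n in story_coverage(escu, local, MANIFEST).items():
        print(f"{n} enabled detection(s): {story}")
```

Run it after each ESCU update with the new app's savedsearches.conf on one side and your custom app's on the other: a "cloned-stale" line means upstream changed the SPL, so diff it against your clone and port the change (then refresh the manifest entry with record_clone); a story with zero enabled detections is one you are not covering at all, regardless of what ESCU shipped.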
Q. Do you still recommend M365 and Azure data collection via Add-on for MSCS and Office 365, etc. Or using Event Hub and "Microsoft Defender Advanced Hunting Add-on for Splunk" Add-on?

A.  Choosing between specific Splunk Add-ons for Microsoft 365 (M365) and Azure data collection or integrating via Azure Event Hubs with the "Microsoft Defender Advanced Hunting Add-on for Splunk" largely depends on your specific needs and the volume of data you're dealing with. Microsoft recommends Azure Event Hubs for its scalability and efficiency in handling vast amounts of log data, making it ideal for organizations with extensive Microsoft service usage. This method, especially with the Defender Advanced Hunting Add-on, enhances security analytics by pulling in detailed threat intelligence. However, direct Add-ons for services like MSCS and Office 365 might still be preferable for targeted data collection needs or ease of setup in certain environments. Ultimately, the best approach could involve leveraging both options to align with your data collection and analysis goals, ensuring a comprehensive and efficient integration with Splunk.
Q. I could see there is an email log delay in my environment. Are there any pre-built add-ons or apps for threat detection queries?

A.  For enhancing threat detection in your environment, you can utilize the Splunk Security Content (ESCU) available on Splunkbase and further explored at Splunk Research. ESCU offers a comprehensive collection of pre-built detection queries and analytics stories designed to help you efficiently identify and mitigate security threats. Integrating ESCU with your Splunk setup enables you to leverage advanced security analytics and improve your overall security posture.
Q. Can we get any source for Office 365 threat detections?

A.  Yes, we have content for Office 365 threat detections. You can explore detailed analytics stories and detection techniques for Office 365 at the following links on Splunk Research:

Office 365 Account Takeover

Office 365 Collection Techniques

Office 365 Persistence Mechanisms
