Key Resources Register for Community Office Hours: Threat Detection and Response on March 27  Check out the Threat Research Team's blogs  Register for Community Office Hours: Generative AI on March 13  Link to monthly ESCU update posts  Read the PEAK Threat Hunting Framework  ... View more

Your Questions Answered Q. Is there a place to see a demo and more resources on the use of Attack Range?  A.  Absolutely, we're glad to see your interest in Splunk's Attack Range! For a hands-on demo and comprehensive resources, the best places to start are our latest release blog post on Attack Range v3.0 here, the GitHub project here for code and detailed guidance, and our documentation here for in-depth usage instructions. If you're looking for a quick setup, using Docker is highly recommended, with a guide available here.   Q. I've heard as part of best practices, we should clone correlation searches so that ECSU updates don't automatically update or change our customization (to account for other sources, unique exclusions, search timing, etc.). Is that a true best practice and how does this impact your ability to assess what coverage you have on correlation searches and analytic stories? A.  Certainly! Cloning correlation searches in Splunk is a recommended best practice to protect your custom modifications when Enterprise Security Content Update (ESCU) releases new updates. This approach safeguards your tailored settings, like unique data source adjustments and specific exclusions, from being overwritten. However, it does present a challenge in tracking and assessing your security posture, as it's harder to keep up with which searches you've customized and how they align with ESCU's analytic stories. To manage this, maintain thorough documentation of your changes, use version control for easy tracking, regularly review your custom searches against ESCU updates, and adopt clear naming conventions. This strategy ensures you benefit from ESCU's enhancements while keeping your specific security needs addressed.   Q. Do you still recommend M365 and Azure data collection via Add-on for MSCS and Office 365, etc. Or using Event Hub and "Microsoft Defender Advanced Hunting Add-on for Splunk" Add-on? A.  Choosing between specific Splunk Add-ons for Microsoft 365 (M365) and Azure data collection or integrating via Azure Event Hubs with the "Microsoft Defender Advanced Hunting Add-on for Splunk" largely depends on your specific needs and the volume of data you're dealing with. Microsoft recommends Azure Event Hubs for its scalability and efficiency in handling vast amounts of log data, making it ideal for organizations with extensive Microsoft service usage. This method, especially with the Defender Advanced Hunting Add-on, enhances security analytics by pulling in detailed threat intelligence. However, direct Add-ons for services like MSCS and Office 365 might still be preferable for targeted data collection needs or ease of setup in certain environments. Ultimately, the best approach could involve leveraging both options to align with your data collection and analysis goals, ensuring a comprehensive and efficient integration with Splunk.   Q. I could see there is a email logs delay in my environment. Is there any pre-built addons or apps to threat detections queries? A.  For enhancing threat detection in your environment, you can utilize the Splunk Security Content (ESCU) available on Splunkbase and further explored at Splunk Research. ESCU offers a comprehensive collection of pre-built detection queries and analytics stories designed to help you efficiently identify and mitigate security threats. Integrating ESCU with your Splunk setup enables you to leverage advanced security analytics and improve your overall security posture.   Q. Can we get any source office365 threat detections? A.  Yes, we have content for Office 365 threat detections. You can explore detailed analytics stories and detection techniques for Office 365 at the following links on Splunk Research: Office 365 Account Takeover Office 365 Collection Techniques Office 365 Persistence Mechanisms ... View more

Your Questions Answered Q. How significant of an accuracy improvement is achieved with fine-tuned LLMs as compared to traditional approaches?  In order to measure improvements in accuracy, it’s important that you establish baselines before employing LLMs. Then, you can start implementing and fine-tuning your LLMs and measure the difference in accuracy. While the overall improvement may be small, we found that typically the model performed well for harder instances.   Q. What are the cost considerations while deploying LLMs?  One important cost consideration to keep in mind is the GPUs required to run LLMs. In general LLMs are resource hungry but with time, we are seeing more focused and efficient implementations.   Q. What are the privacy considerations when using Generative AI models for security use cases?  Preserving privacy while learning from sensitive data is always a challenge. However, these risks can be mitigated by adding carefully calibrated noise while training. Techniques such as Differential Privacy allow us to provide strong privacy guarantees.   Q. Probably not ML related, but is there a way/site to differentiate photos AI created on sites like this-person-does-not-exist from real ones?  This is very challenging. Once the adversary becomes aware of the defenses employed to filter out AI-generated images being used for malicious intent, they can adjust how they train the LLM to evade these defenses. So while today, my machine learning classifier may be able to correctly identify real versus fake images, the adversaries could adapt tomorrow.   Q. Beyond DGA and mis-information can you think of any user uses of generative AI by adversaries ? can you give some practical examples of generative models applied over data in the security field? or maybe a reference/link to such examples and use cases?  TWhen it comes to adversaries’ use of generative AI, there are two things to keep in mind: 1. Not every adversary is equipped to use LLMs and generative AI, given how sophisticated they are. 2. For those adversaries that are employing these technologies, it’s a bit of a cat and mouse game. For example, just like we can train LLMs to help detect certain threats or threat indicators, adversaries can then train their own LLMs to evade detection. Security focused Generative AI use cases: 1. Detecting DGAs 2. Detecting Typosquatting 3. Detecting spam 4. Detecting phished webpages 5. Privacy-friendly data generation to train models 6. Data generation to supplement sparse datasets The above mentioned use cases can also be used by the adversary to strengthen their attacks.   ... View more

Key Resources Community Office Hours: Generative AI on March 13 Enterprise Security Content Update (ESCU) | New Releases Splunk Blogs ... View more

@wslow  We apologize for our delay in response to you and also wanted to check to see if you were still experiencing issues with finding the release?  The GA date was actually in November to be timed along with our Tech Talk on this topic.  Hopefully you are up and running with it now, but please let me know if I can assist! Thank you, Whitney ... View more

Here are a few top of mind questions from the live Tech Talk   Q. How long does it take to upgrade from 7.1.1 to 7.2.0 ? A. It depends on your architecture and how many other components also require upgrades. The core Enterprise Security search head upgrade app runs in about 10 minutes, however backups and other app updates add to the time.   Q. Do you have any detection search to find anomaly login? A. We have a list of detections in this analytic story: Suspicious AWS Login Activities, that cover various detections related to anomalous login activity, you can repurpose this SPL logic to a data source of your choice. Q. Can you list the recommended steps for upgrading ES to version 7.2? A. Please see our documentation here: https://docs.splunk.com/Documentation/ES/7.2.0/Install/Beforeupgrading Q. My incident review looks nothing like this. How can I get this view? A. In ES 7.2.0, follow these steps to turn on the enhanced analyst workflows on the Incident Review page: From the Splunk ES menu bar, select Configure > General > General Settings. Locate the card for Enhanced Incident Review Workflows. Select Turn on to turn on the ability to use shared views, table filters, and table columns on the Incident Review page. ... View more

Please find materials to continue your journey below: Splunk Security Content for Threat Detection & Response: Q2 Roundup Amadey Threat Analysis and Detections Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT Sharing is Not Caring: Hunting for Network Share Discovery Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs See More, Act Faster, and Simplify Investigations with Customizable Workflows from Splunk Enterprise Security 7.2 ... View more

Continue your journey AI Use Cases for Observability Guide 5 Big Myths of AI and Machine Learning Debunked AI and Machine Learning in Your Organization 6 Myths of AIOps Debunked ... View more

You have questions, we have answers! Here are the questions and answers from our Tech Talk:   Q: What products do I need for this? A: Splunk Core (version 8.2.x and above) and Chrome Browser Cloud Management.    Q: Do I need to have Splunk Enterprise Security? A: Splunk Enterprise Security is not required. All events are CIM tagged so any Splunk Enterprise Security content built on the data models that an event is tagged to will populate with the tagged event.   Q: Where can I find this app?  Will it be Splunk supported? A: In Splunkbase. The chrome add-on and app are built by "Splunk Works", Splunk Field Solutions (internal Splunk teams). They don't carry the official Splunk SLAs but there is an internal team that actively works on it, bug fixes and enhancements.    Q: Per splunkbase, this app is not supported by Splunk.  Safe to assume it is? A: ^Same answer as above.   Q: Will there be automatic updates of the add-on for users, so that new security issues are continually being protected against? A: Yes. We will monitor the list of chrome events that are being released by Google Chrome team and build new use cases or enhance existing ones within Splunk.   ... View more

Continue your journey Getting Started with the Google Chrome App for Splunk Guide Configuring Alert Actions Guide Using Splunk to Enhance Enterprise Security Capabilities of Google Chrome Check the solution out here           ... View more

How to Get Started with Google Chrome Add-On for Splunk Navigate over to Splunkbase to install the Google Chrome Add-on for Splunk and Google Chrome App for Splunk. If you need helping getting started, take a look at our resources below: Getting Started Guide for the App and FAQ Chrome Browser Cloud Management set up, enrollment, and admin console Eradicate the risks that come from risky browser behavior and make your enterprise more resilient by installing the Google Chrome Add-on for Splunk and the Google Chrome App for Splunk today!   ... View more

@dokaas_2  Thanks for the question.  The topology and MITRE will show if there is data associated to and the visualization should display on 7.1.1.  You should not need to make any changes to your configurations.  The matrix will show for all notable events that have the following fields: risk_object risk_object_type annotations.mitre_attack.mitre_technique_id Here is a resource with more information: Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security. ... View more