Hi everyone!  Hey everyone! Our session  has been rescheduled to next Thursday, 4/24 at 1 PM PST / 4 PM EST. Please keep an eye out for the updated invitation if you have already registered. If you don’t receive it today, feel free to reach out to me directly. Thank you so much for your understanding.  I’m looking forward to connecting with you soon! We have a great lineup of experts and some excellent questions to dive into.  Best regards   ... View more

Hi everyone!  We are sorry to inform you that today’s Security Office Hours session on SOAR topic will need to be rescheduled due to unexpected Zoom-related technical issues. It appears the issue is affecting all users, and as a result, we are postponing the session. We apologize for the inconvenience and appreciate your understanding.  Please bear with us as we work to arrange a new time. We will send out the updated invitation shortly. Looking forward to connecting with you soon! Best regards ... View more

Q1: Any Machine Learning insights in threat investigation and analysis?   A:  MLTK Splunk Threat Research Team detections using MLTK   Additional Resources Security Use Cases Enhanced by AI and ML Splunk App for Data Science and Deep Learning STRT detections using MLTK   Q2: How does Splunk Attack Analyzer analyze common phishing attacks?   A:  Go deep in our analysis and present everything we saw in our analysis. Splunk Attack Analyzer jump through all of these hoops that attackers have put in the way of our analysis Additional Resources How Splunk Attack Analyzer engines and integrations with third-party engines help detect threats Splunk Demo Day: Automating Threat Analysis With Splunk Attack Analyzer   Q3: How can we automate the threat investigation and analysis using Splunk Attack Analyzer? Do we have to pair it with SOAR?   A:  Understanding what would a SOC analyst do next and logically walk through the entire attack chain.   Additional Resources The Essential Guide to Automated Threat Analysis Introducing Splunk Add-On for Splunk Attack Analyzer & Splunk App for Splunk Attack Analyzer   For more questions and answers, please refer to the deck and live recording.  ... View more

Hi Singh2025! You sill be receiving my email with the recording and deck soon. Thanks for your patience!  ... View more

Q1: Can you share some recommended tactics for investigating threats? A:  https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html Congrats to David Bianco, Sydney Marrone, and Dr Ryan Fetterman Criticality and Impact to production operations and/or business Any sentence that starts with “Hmm, I wonder why…” is worth investigating. Never threat hunt on a Friday.   Q2: Do you have any insights on leveraging machine learning to identify and investigate threats? A:  https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html ML hunting is a thing! Establish baselines of behavior using known good systems Remember that anomaly != incident Set dynamic threshold alerts where ever you can.   Q3:  In Splunk environment, how to minimize the amount of traffic indexers have to endure when the majority of your environment does not meet the minimum hardware requirements?  A:  SF/RF settings will dictate how much buckets are replicated. Limiting knowledge object replication Completely disabling real=time searching (you did this already, right?) Convert classic “index & sourcetype” searches to tstats Improperly sized environments, and especially mismatched sized environment, can have severe performance degradation and impact.   For more questions and answers, please refer to the deck and live recording.    ... View more

Q1: What is the best practice to follow the latest security content? Security Content Repository: Listing for all detections and analytic stories, filterable by date added Splunk Community: Monthly recaps of new and updated detections and analytics stories Splunk Blogs: Posts authored by the Splunk Threat Research Team In-depth research and guidance into the latest threats Quarterly recaps   Q2. Can you also talk about Splunk Attack Range? How can Splunk Attack Range be extended to also test detection appliances (like NIDS or NDR)? Blog - Introducing Splunk Attack Range v3.1: https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v3-1.html Github repository - Splunk Attack Range: https://github.com/splunk/attack_range  Latest on Attack Range: https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v3-1.html   Q3. How will Splunk Threat Research Team content change to align to the new detections in ES 8.0? Will content now be a mix of event-based detections and findings-based detections? Will intermediate findings be used? No changes on our end.  Finding based detections on ES 8.0 that are out of the box.  Detections are configured to be disabled out of the box. Generates a risk event or risk event + notable depending on the type Check out our updated site: research.splunk.com       ... View more

Q1: Is ES 8.0 available to everybody now? I only see ES 7.3 on the download page? A:  Enterprise Security is generally available for cloud deployments now and upgrades are in progress. ES on-prem (CMP) deployment will be GA in about 1-2 weeks from now (late November) and at that time available via Splunkbase   Q2: How is risk based alerting/detection look like in ES 8.0? A: Risk-based alerting (RBA) as it existed in ES 7.x is fully supported in ES 8.0 (i.e. fully backwards compatible) With 8.0 we have the following key enhancements Risk Events are now referred to as Intermediate Findings Entity and risk score modifiers are required fields going forward for both Findings (Notable Events) and Intermediate Findings (Risk Events) whenever an Event-based Detection is created or updated The two Risk Incident Rules (7 Day ATT&CK Tactic Threshold Exceeded and 24 Hour Risk Threshold Exceeded) continue to exist and be supported Finding-based Detections are a new (Preview) innovation that enable simpler ways to track risk and group similar findings   Q3: Is there a way to search ES investigations artifacts? Could you talk more about the ES and SOAR integration, and case management capabilities in ES 8.0?  A: Explained via live demo screen share. With ES 8.0, the Incident Review is being replace with Mission Control’s Analyst Queue.  Within this area, one can open an investigation and browser through all attached artifacts.  For more details on case management and SOAR integration, see the high-level summary at the start of the deck, or feel free to look at the Additional Resources slide for more details.  ... View more

Q1: Can we get a demo for ES and SOAR before the actual subscription? Please refer to the live demo in the recording   Q2: Will SOAR 6.3 support any other than CentOS and Amazon free Linuxes? Such as Rocky Linux or Oracle Linux? CentOS no longer supported. Oracle Linux now officially supported.   Q3: How can I send the event_id field from Splunk ES to Splunk SOAR after running Adaptive Response Actions (Notable, Risk Analysis, Send to SOAR) in a Correlation Search with the mode to Manual or Guided Search SPL. ? Adaptive Response is not sequential The dispatch to soar doesn't have the event id because it's generated after dispatch  You can eval the event id manually and send to soar Check out the notable macro for a way to do that using SPL   Live Questions: (refer to the recording) When we use prompts and assign it to a group of analysts, is there a way to see which analyst responded to the prompt? I tried debug statements to see what comes back and I can't find anywhere where the name is saved. Is there much in the pipeline/roadmap or already in ES 8.0 that brings more functionality to workbooks?  When do the external prompts come? Is that with ES 8.0? External prompts are GA in SOAR Cloud and GA in SOAR on-prem today (10/10/24) ... View more

Q1: Where should a novice begin with RBA? A:    plan a small use case ensure risk notables are in QA mode create a tag/eventtype for risk rule QA mode play / dig into risk index occasionally   Q2: RBA asks for a static risk score, but how do I manage this with a dynamic risk score depending on the query(SPL)? A:  eval is your best friend | index=edr_alerts NOT severity IN (“critical”,”high”) | eval risk_score = case( severity="medium","50", severity=”low”,”25”, severity=”info”,”10”)   Q3: Can you talk about the best practice of using a variable/token for the risk score? A: separate noisy sub-types of results to find them, try various | stats count by field1, field2, field3 OR patterns tab separating out low signal makes every event more meaningful   Live Questions: (refer to the recording) How are you going to determine if a particular machine is attacked and our asset score has not breached the default targeted risk but still that is a true positive? When using RBA in our lab, the notable RBA constantly repeats itself in ES Incident Review. How to deal with that? What's the best way to whitelist known activities or users performing business activities, without suppressing notables? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel) Q1: How can one hone threat detection skills by setting up projects for threat detection and incident response at home? What are the recommended steps?    Previous BOTS have their data out on github (i.e. https://github.com/splunk/botsv3) that can be used for this purpose. Alternatively, on the BOTS site (https://bots.splunk.com) there are multiple self-paced scenarios for learning where you can learn as well. Defcon Blue Team Village recordings https://www.youtube.com/watch?v=-upNhwmNGp8&list=PL9fPq3eQfaaDdj_DjG61x9Iz9O8mfC4mJ Read up on the PEAK framework https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html If you work in a SOC ask for 5%     Q2: What is the best practice of Data Parsing? For field breakouts, if the data is formatted (CSV,etc), utilizing the built-in parsers is really the “easy button” here. When working with custom fields or data, having a firm grasp of regular expressions (regex) to parse the data is a must. Field/character offsets are too non-deterministic to be considered a best practice, but can be utilized in quick and dirty methods. “Logging best practices in an app or add-on for Splunk Enterprise” https://dev.splunk.com/view/logging-best-practices/SP-CAAADP6   Q3: Can we create ML used queries in correlation search alerting? How to incorporate ML based threat hunting using Splunk? Do you need a model or just a dynamic threshold? Depending on the ML in use, a baseline or model will need to be created and from that queries can be run to do analysis against the model itself.   Enterprise Security has multiple pieces of content (Correlation Searches, etc) based on ML approaches. ML Toolkit Splunk Security Essentials Threat Hunting with ML can be done https://www.splunk.com/en_us/blog/security/peak-framework-math-model-assisted-threat-hunting.html   Other Questions (check the #office-hours Slack channel for responses): Could you talk about tablos in ES? For detections, do you prefer 'index=' or 'tstats'? Resources recommendations for someone starting in the security realm coming from a systems background? For customer that start out with InfoSec in the cloud, do you have any recommendations on getting started and making it efficient? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel)   Q1: How to define the license for Splunk Enterprise Security? Enterprise Security is licensed by either the volume (per GB) of security data that will be leveraged by ES to perform security related detections or by the workload associated (VCPU/SVC) to leverage the features in the ES platform.  When sizing Enterprise Security, it is important to ensure that you are encompassing the scope of all data that will be security relevant and used within Enterprise Security. Easy way to look at it:  Will I use this for context, detections, Risk analysis, or any other function within Enterprise Security?  If yes, it needs to be considered in scope. Q2: How to get started with Enterprise Security? Data onboarding and mapping to CIM  Asset and Identity configuration OOTB use case identification Splunk Security Essentials, ES Use Case Library, ES Analytic Stories Q3: Any general suggestions on use cases development? Start with what you are protecting and identify the use cases around that. For example, if you are protecting intellectual property then you need to be cognizant of not just access to the IP itself.  But, also taking into account how it would be accessed, from where it is permitted to be accessed, by whom it can be accessed, and how/where/when it can be used amongst many things.   Other Questions (check the #office-hours Slack channel for responses): What to expect for Cisco XDR integration with Splunk? Assets identity and Cidr  Advice for learning Splunk cloud query   Questions answered during demo: I am in Splunk>Cloud. How do I access this threat management dashboard/app. Do I need to install a new app? Is there a relationship between the threat dashboard and the risk dashboard? On the risk page, how that list of risk sources is actually populated?   ... View more