Q1: What is the best practice to follow the latest security content? Security Content Repository: Listing for all detections and analytic stories, filterable by date added Splunk Community: Monthly recaps of new and updated detections and analytics stories Splunk Blogs: Posts authored by the Splunk Threat Research Team In-depth research and guidance into the latest threats Quarterly recaps   Q2. Can you also talk about Splunk Attack Range? How can Splunk Attack Range be extended to also test detection appliances (like NIDS or NDR)? Blog - Introducing Splunk Attack Range v3.1: https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v3-1.html Github repository - Splunk Attack Range: https://github.com/splunk/attack_range  Latest on Attack Range: https://www.splunk.com/en_us/blog/security/introducing-splunk-attack-range-v3-1.html   Q3. How will Splunk Threat Research Team content change to align to the new detections in ES 8.0? Will content now be a mix of event-based detections and findings-based detections? Will intermediate findings be used? No changes on our end.  Finding based detections on ES 8.0 that are out of the box.  Detections are configured to be disabled out of the box. Generates a risk event or risk event + notable depending on the type Check out our updated site: research.splunk.com       ... View more

Q1: Is ES 8.0 available to everybody now? I only see ES 7.3 on the download page? A:  Enterprise Security is generally available for cloud deployments now and upgrades are in progress. ES on-prem (CMP) deployment will be GA in about 1-2 weeks from now (late November) and at that time available via Splunkbase   Q2: How is risk based alerting/detection look like in ES 8.0? A: Risk-based alerting (RBA) as it existed in ES 7.x is fully supported in ES 8.0 (i.e. fully backwards compatible) With 8.0 we have the following key enhancements Risk Events are now referred to as Intermediate Findings Entity and risk score modifiers are required fields going forward for both Findings (Notable Events) and Intermediate Findings (Risk Events) whenever an Event-based Detection is created or updated The two Risk Incident Rules (7 Day ATT&CK Tactic Threshold Exceeded and 24 Hour Risk Threshold Exceeded) continue to exist and be supported Finding-based Detections are a new (Preview) innovation that enable simpler ways to track risk and group similar findings   Q3: Is there a way to search ES investigations artifacts? Could you talk more about the ES and SOAR integration, and case management capabilities in ES 8.0?  A: Explained via live demo screen share. With ES 8.0, the Incident Review is being replace with Mission Control’s Analyst Queue.  Within this area, one can open an investigation and browser through all attached artifacts.  For more details on case management and SOAR integration, see the high-level summary at the start of the deck, or feel free to look at the Additional Resources slide for more details.  ... View more

Q1: Can we get a demo for ES and SOAR before the actual subscription? Please refer to the live demo in the recording   Q2: Will SOAR 6.3 support any other than CentOS and Amazon free Linuxes? Such as Rocky Linux or Oracle Linux? CentOS no longer supported. Oracle Linux now officially supported.   Q3: How can I send the event_id field from Splunk ES to Splunk SOAR after running Adaptive Response Actions (Notable, Risk Analysis, Send to SOAR) in a Correlation Search with the mode to Manual or Guided Search SPL. ? Adaptive Response is not sequential The dispatch to soar doesn't have the event id because it's generated after dispatch  You can eval the event id manually and send to soar Check out the notable macro for a way to do that using SPL   Live Questions: (refer to the recording) When we use prompts and assign it to a group of analysts, is there a way to see which analyst responded to the prompt? I tried debug statements to see what comes back and I can't find anywhere where the name is saved. Is there much in the pipeline/roadmap or already in ES 8.0 that brings more functionality to workbooks?  When do the external prompts come? Is that with ES 8.0? External prompts are GA in SOAR Cloud and GA in SOAR on-prem today (10/10/24) ... View more

Q1: Where should a novice begin with RBA? A:    plan a small use case ensure risk notables are in QA mode create a tag/eventtype for risk rule QA mode play / dig into risk index occasionally   Q2: RBA asks for a static risk score, but how do I manage this with a dynamic risk score depending on the query(SPL)? A:  eval is your best friend | index=edr_alerts NOT severity IN (“critical”,”high”) | eval risk_score = case( severity="medium","50", severity=”low”,”25”, severity=”info”,”10”)   Q3: Can you talk about the best practice of using a variable/token for the risk score? A: separate noisy sub-types of results to find them, try various | stats count by field1, field2, field3 OR patterns tab separating out low signal makes every event more meaningful   Live Questions: (refer to the recording) How are you going to determine if a particular machine is attacked and our asset score has not breached the default targeted risk but still that is a true positive? When using RBA in our lab, the notable RBA constantly repeats itself in ES Incident Review. How to deal with that? What's the best way to whitelist known activities or users performing business activities, without suppressing notables? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel) Q1: How can one hone threat detection skills by setting up projects for threat detection and incident response at home? What are the recommended steps?    Previous BOTS have their data out on github (i.e. https://github.com/splunk/botsv3) that can be used for this purpose. Alternatively, on the BOTS site (https://bots.splunk.com) there are multiple self-paced scenarios for learning where you can learn as well. Defcon Blue Team Village recordings https://www.youtube.com/watch?v=-upNhwmNGp8&list=PL9fPq3eQfaaDdj_DjG61x9Iz9O8mfC4mJ Read up on the PEAK framework https://www.splunk.com/en_us/blog/security/peak-threat-hunting-framework.html If you work in a SOC ask for 5%     Q2: What is the best practice of Data Parsing? For field breakouts, if the data is formatted (CSV,etc), utilizing the built-in parsers is really the “easy button” here. When working with custom fields or data, having a firm grasp of regular expressions (regex) to parse the data is a must. Field/character offsets are too non-deterministic to be considered a best practice, but can be utilized in quick and dirty methods. “Logging best practices in an app or add-on for Splunk Enterprise” https://dev.splunk.com/view/logging-best-practices/SP-CAAADP6   Q3: Can we create ML used queries in correlation search alerting? How to incorporate ML based threat hunting using Splunk? Do you need a model or just a dynamic threshold? Depending on the ML in use, a baseline or model will need to be created and from that queries can be run to do analysis against the model itself.   Enterprise Security has multiple pieces of content (Correlation Searches, etc) based on ML approaches. ML Toolkit Splunk Security Essentials Threat Hunting with ML can be done https://www.splunk.com/en_us/blog/security/peak-framework-math-model-assisted-threat-hunting.html   Other Questions (check the #office-hours Slack channel for responses): Could you talk about tablos in ES? For detections, do you prefer 'index=' or 'tstats'? Resources recommendations for someone starting in the security realm coming from a systems background? For customer that start out with InfoSec in the cloud, do you have any recommendations on getting started and making it efficient? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel)   Q1: How to define the license for Splunk Enterprise Security? Enterprise Security is licensed by either the volume (per GB) of security data that will be leveraged by ES to perform security related detections or by the workload associated (VCPU/SVC) to leverage the features in the ES platform.  When sizing Enterprise Security, it is important to ensure that you are encompassing the scope of all data that will be security relevant and used within Enterprise Security. Easy way to look at it:  Will I use this for context, detections, Risk analysis, or any other function within Enterprise Security?  If yes, it needs to be considered in scope. Q2: How to get started with Enterprise Security? Data onboarding and mapping to CIM  Asset and Identity configuration OOTB use case identification Splunk Security Essentials, ES Use Case Library, ES Analytic Stories Q3: Any general suggestions on use cases development? Start with what you are protecting and identify the use cases around that. For example, if you are protecting intellectual property then you need to be cognizant of not just access to the IP itself.  But, also taking into account how it would be accessed, from where it is permitted to be accessed, by whom it can be accessed, and how/where/when it can be used amongst many things.   Other Questions (check the #office-hours Slack channel for responses): What to expect for Cisco XDR integration with Splunk? Assets identity and Cidr  Advice for learning Splunk cloud query   Questions answered during demo: I am in Splunk>Cloud. How do I access this threat management dashboard/app. Do I need to install a new app? Is there a relationship between the threat dashboard and the risk dashboard? On the risk page, how that list of risk sources is actually populated?   ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel): Q1: How to best optimize threat analysis? Your goal should be to get to auto-containment / auto-reinforcement Using a trustworthy analysis signal is key for you to take containment actions via automation Splunk Attack Analyzer with its consistent, comprehensive and automated threat analysis can provide a strong foundation Q2: How does Splunk differentiate from Palo Alto Networks? Attack Chain Following - Allows SAA to navigate complex attack chains involving obfuscation techniques like lure pages, QR codes, captchas. Sandbox analysis often ends up incomplete in such scenarios Phishing Detection - Traditional sandboxes provide very little coverage for phishing which is often the highest volume of analysis for SOC/IR teams Q3: Is Attack Analyzer part of a standard Splunk package or a separate application? Attack Analyzer is an independent solution with close integrations to Splunk SOAR, Splunk ES and Splunk Platform It’s pricing is determined by answers to the following questions: How many individuals gain value from it - # of seats How many artifacts need to be analyzer - # of submissions   Other Questions (check the #office-hours Slack channel for responses): Is it possible to have a free version of it installed for a limited time for a small POC? How does Attack Analyzer integrate with Splunk Enterprise Security? How does Attack Analyzer compare to a sandbox tool? How does Attack Analyzer deal with things like QR codes or Cloudflare Captchas?   Live Questions: To detect this kind of phishing attacks, Splunk Attack Analyzer is scanning the mail server or the client? Or does it work with the firewall? Does Splunk Attack Analyzer works on the object objectives expose to Internet or acts inside a company. Mostly,we know that there aren't usually eyes on a monitor 24/7.  So what mechanism does SAA use to notify security team members that some high percentage risk was identified, a particular Soar playbook was triggered, or where no Soar playbook is associated with the finding then what is the notification mechanism to make security team members aware of the situation? Besides phishing and URL scanning, are there any other use cases for this product? Is there an option to get scannings of other users/customers like of IOC, etc... ? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel): Q1: What is the best approach to get started with security content? Install the ESCU or Splunk Enterprise Security app Getting started with Splunk Enterprise Security   Q2: What is the best practice of giving points to assets?  Implementing risk-based alerting (RBA)  UEBA: Tracking based on assets and identities   Q3:  How to build an effective SOC program utilizing detections found in the ESCU? Threat research tooling, metrics, workflows and use cases: https://research.splunk.com/stories/   Other Questions (check the #office-hours Slack channel for responses): What is the best automation that can be achieved for the notables to create an incident with BMC Remedy Ticketing Tool? How to properly ingest MS Defender’s incidents? What is the best practice of creating custom dashboards? What is the best practice in threat cases creation? What are the Splunk content creation for Fraud? What are some of the future developments planned? Can you share some customer use cases where Splunk was used for IT modernization efforts? How to manage custom detection content with Git + contentctl? Live Questions: How are you folks reconciling those datamodel searches with the new index time feature in ES 7.3? Any plans to change up ESCU stuff? Do you recommend translating the defender alerts to ES notables/risk events? How does splunk research team manage the detection/usecase life cycle ( e.g., from TI/research, mitre mapping, tuning, version control, depracation). Is it done in splunk platform or another platform/integration? ... View more

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel): Q1: What are some of Splunk’s best practices for artificial intelligence? - Splunk’s trustworthy AI principles: Accountability - Shaped by humans Transparency - Transparency Privacy - Data trust Fairness - Institutionally unbiased Resilience - Built to withstand - Before starting a new AI / ML project, make sure to assess: The objectives The risks Methodology Foundations Q2: What are some issues to keep in mind associated with security and Generative AI? - Preserving privacy Mitigating risk when learning from sensitive data Maintaining control over data - Adversaries’ use of GenAI We can train GenAI to help detect threats; adversaries can train it to help evade detection Q3:  How is Splunk using AI / ML in its products? What are some common use cases for Splunk ES and SOAR? - Incorporating AI / ML into Splunk products: AI / ML capabilities built into security and observability solutions Apps that support advanced and custom AI use cases Assistive workflow - Example use cases: Simplifying workflows ML-powered detections Assisted response actions Event correlation and alert noise reduction Predictive analytics - Built on solid foundations such as Good quality data Risk Based Alerting (RBA) Incident Response Processes/Automation Q4: How can Gen AI be used to support threat and anomaly detection? What are some examples? - Sample use cases: Tackling phishing with autoencoder-based deep neural network architectures Using GANs (a class of neural networks) for private synthetic data Detecting spurious domain names with LLMs - Guidance & Examples Tech Talk: Understanding Generative AI Techniques and Their Application in Cybersecurity Other Questions (check the #office-hours Slack channel for responses): How can I train models to support fraud detection using Splunk and Enterprise Security? Can you give an overview of fraud identification using ML commands in Spunk?  How to deal with voice fakes for user calls for verification and access? The DGA app from 2020 can we get a Splunk Cloud compatible version of that? Setting up ML datasets akin to DGA app for Botnet DDNS detection related to IOCs. Using Splunk AI Assistant Live Questions: On the Splunk Threat Research Team, are you mostly concerned with building GenAI into Splunk to improve threat detection, or are you also considering GenAI as the threat itself (or something that can be monitored in Splunk where we may have users using GenAI inside the business)? I'd wish similar "Clippy" assistant for Splunk that supports with dashboarding (suggestions, Chat Questions etc.), configuration Management, Troubleshooting support and General Environment Evaluation / optimization suggestions. Currently I'm using Github Copilot for These Tasks but that's externally and requires Manual application of suggestions etc. Hope that Splunk AI Assist goes into this direction How does Splunk use Generative AI - Or how would one use Generative AI to query the data in Splunk. How does Splunk approach the privacy and sensitivity of data when it comes to training your models? I currently use Splunk Enterprise for logs , where exactly does enterprise security/SOAR fit in? Are they separate solutions or they are just new apps on top of  Splunk enterprise How does Splunk approach the privacy and sensitivity of data when it comes to training your models? Is there gonna be a way to add your own models? DSDL deep science and deep learning was a good app but kind of like project built. Will this be a part of that project or separate? The use case apps are good but need a way to load and test the models. I’m thinking something like SageMaker from AWS. Are these gonna be on prem and cloud? I see all the ai alerts and in Splunk Olly. Is those open source or see what it’s looking for? How about an AI app to dynamically tag ES data models tags akin to Splunk Essentials for Predictive Maintenance | Splunkbase  but more geared for the Open CyberSecurity Framework (OCFS) like OCSF Datamodels Security Add On | Splunkbase   Anything about Retrieval-Augmented Generation, aka RAG? ... View more