This document summarizes a presentation about using Splunk to enrich data through geolocation, third-party data sources, and open-source intelligence (OSINT). The presentation discusses using Splunk's built-in geolocation capabilities to track user activity by location. It also provides examples of enriching data by integrating Twitter data, Shodan data, and other online sources to add context to security data in Splunk. The presentation concludes with a demonstration of Splunk's lookup commands and how to integrate external data sources.
"Hunting the Bad Guys: Using OSINT, Social Media & other tools within Splunk"
1. SPLUNKERS DC USER GROUP
HUNTING THE BAD GUYS: USING OSINT, SOCIAL MEDIA & OTHER TOOLS WITHIN SPLUNK
Jake Babbin
Copper River Enterprise Services
Splunk Services
Splunk DC User Group – April 2018
2. ABOUT ME
• Over 15-year career spanning a variety of customers in US Military, Intelligence Community, and Federal Law Enforcement
• Published author
• Speaker at security conferences, assistant instructor
• Currently
  • Architect Engineer, Copper River Enterprise Services
• Prior
  • Director of Threat Intelligence, The Crypsis Group
  • Practice Director – Incident Response and Forensics, McAfee/Intel Security (Americas)
  • Incident Response Auditor for DoD CIO CND-SP/CCRI team
  • Lead Analyst, The White House Security Operations Center (EOP)
  • Founded The White House Cyber Threat Cell
3. AGENDA
• Data enrichment – why should we care?
• Splunk and geolocation
• Splunk enrichment options
• Examples – 3rd-party data
• Twitter data
• Status and information
• Data enrichment – new ideas
• Shodan
• Censys
• Demo
• Conclusion
5. TRACKING USER ACTIVITY
Employee who shipped his RSA token to a Chinese outsourcer so he could stay at home watching cat videos and going out
• "He physically FedExed his RSA [security] token to China"
• A U.S.-based company discovered its computer systems were being accessed from China
• The company's own employee had given access to Chinese programmers to whom he personally outsourced his work
• The employee, known as "Bob", was seen as "someone you wouldn't look at twice in an elevator"
• "Bob" earned several hundred thousand dollars a year and paid the Chinese firm $50,000 a year
• He even kept a schedule
"The Verizon team even found that "Bob" kept a regular schedule at his office:
• 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
• 11:30 a.m. – Take lunch
• 1:00 p.m. – Ebay time.
• 2:00-ish p.m. – Facebook updates – LinkedIn
• 4:30 p.m. – End of day update e-mail to management.
• 5:00 p.m. – Go home"
6. LESSONS LEARNED FROM “CAT VIDEO” USER
Bottom line – could have been caught with a single Geo-location lookup in Splunk
• Control physical access to security devices
• Possibly require physical validation/maintenance of devices on some time window (1 year, etc.)
• Set up Geo-location fencing
• For remote/home users, trace the originating IP for matching
• Some ISPs and geo-location data may only give an approximate location
• Create and coordinate with HR the locations or home sites of remote users
• For travel, implement a travel tracking system
• Create an asset tracking system
• Provides endpoint validation for other security requirements
• Current AV levels, security posture, etc. prior to allowing VPN access
8. SPLUNK AND GEO-LOCATION
• Crash course on Maxmind
• Splunk uses Maxmind’s GeoLite2 databases to match IPv4 addresses to physical locations
• Can be referenced in Splunk searches using the SPL command ‘iplocation’
• Mysearch | iplocation <field>
• Outputs contain Latitude, Longitude, Country, City, address
9. MAXMIND AND SPLUNK
Maxmind is a company that tracks IPv4 addresses (now also tracks IPv6)
• Provides geographic coordinate information about the IP address.
• Data is provided in 2 paid formats (GeoIP2Country, GeoIP2City) that allow for updates and accuracy
• Also available in a free format (GeoLite2 Country).
• Major differences are in updates and accuracy.
• Provides API access in a variety of languages
10. IP GEO-LOCATION 101
• Definition
• Term for matching IPv4 addresses to their closest Latitude/Longitude coordinates
• Several services perform this lookup and reference information
• Maxmind, LLC is the major provider of this service
• Usually the closest match is the datacenter or area of a major Internet Service Provider's office.
• Below – an example of the full Maxmind data record (from Maxmind product GeoIP2City)
11. GETTING SPLUNK TO UPDATE MAXMIND
• Previous work
TA-Geoip (https://github.com/georgestarcher/TA-geoip)
• Updated work
Script and Splunk app (deploy among Search Heads)
http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment
12. SPLUNK AND UPDATING MAXMIND
Splunk ships with a copy of Maxmind’s free product GeoLite2-City
• Stored in ‘%SPLUNK_HOME%/share/’
• IPs change ownership, but the shipped version of the database doesn’t between Splunk releases.
How to update Splunk’s Maxmind GeoLite2-City database
Create an app on your Deployment Server – Splunk_int_geoip
%SPLUNK_HOME%/etc/deployment-apps/
…/bin/
……get_maxmind_db.sh
…/default/
…….inputs.conf
…….limits.conf
Great example used is from
http://blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment
----- get_maxmind_db.sh
#!/bin/bash
# Author: Andrew Wurster
# Date: 13 Jan 2015
# Fetch the latest free GeoLite2-City database into this app's bin directory
cd /opt/splunk/etc/apps/Splunk_int_geoip/bin || exit 1
wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.'; exit 1; }
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb
----- inputs.conf
# Download at 11pm the 1st Tuesday of the month
[script:///opt/splunk/etc/apps/Splunk_int_geoip/bin/get_maxmind_db.sh]
index = main
interval = 0 23 1-7 * 2
sourcetype = splunk_geoip
disabled = false
----- limits.conf
# redirects the default location to this app's directory
[iplocation]
db_path = /opt/splunk/etc/apps/Splunk_int_geoip/bin/GeoLite2-City-Latest.mmdb
14. SPLUNK ENRICHMENT OPTIONS
• Splunk Natively has several options available
• Lookups – Called in SPL (Splunk Processing Language) Queries
• File based
• Geolocation
• External (scripts)
• KV Store
• Automatic lookups – Added to content and fields automatically
• Useful for Web Log data to automatically convert HTTP field Codes to Common Names
• Adding site and location information to logs such as VPN data, endpoints, etc
15. LOOKUP DEFINITIONS – GIVE THAT DATA CONTEXT
• Splunk Community created a CSV file for HTTP status messages.
• http://wiki.splunk.com/Http_status.csv
Fields:
status, status_description, status_type
• Create a Lookup File and Definition
• Call Lookup and provide Output column
Mysearch | lookup HttpStatusLookup status AS status OUTPUT status_description AS Description
16. EASY WIN – GEO-LOCATION MAPPING
• Simple Country filtering
Mysearch | iplocation src_ip | search (Country=India OR Country="South Africa" OR Country="Germany") | geostats latfield=lat longfield=lon count
• Splunk embedded commands used
• iplocation/geostats – geo-coding information
• geom – allows for Geo-fencing framing via polygons
• geomfilter – geo-fencing limiting
| IOCfilter regex=".*" ignorecase=True
| search value_type="ipv4-addr"
| rename value as src_ip
| iplocation src_ip
| search (Country=India OR Country="South Africa" OR Country="Germany")
| geostats latfield=lat longfield=lon count
17. Real-world Example: Suricata: Protocol Analysis DNS
Fun things to do with DNS data
• Find out who’s mapping your network using DNS
index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
| stats count values(dns.rrname) by dns.rrtype, src_ip
| sort - count
• Find a specific country that is walking DNS to get information
Example: Libya
index=CUSTOMER_sec_suricata event_type=dns dns.type=query AND dns.rrname="*.CUSTOMER_DOMAIN" AND src_ip!="CUSTOMER_IP.*"
| iplocation src_ip
| search Country="Libya"
| stats count values(dns.rrname) by dns.rrtype, src_ip
| sort - count
19. TOR LOOKUPS
• The Tor Project – provides both web and script access to public repository information related to the Tor network – https://metrics.torproject.org
• Hosts are broken down into functions
• Exit Nodes – end points from the Tor network to the public Internet
• Directory Servers – Onion network routing control servers
• Bridges – control connections between Tor clients, Directory Servers and Exit Nodes
• Example IP: 162.247.72.201
20. INTERACTING WITH EXTERNAL COMMANDS
Interacting with other APIs, lookups, search scripts and more
• Search for an IP address to see if it's part of the Tor network
index=security_logs sourcetype=nids
| lookup torlookup ip AS clientip OUTPUT torvalue AS TorInfo
| fillnull value=NotTorHost TorInfo
| table sourcetype, clientip, TorInfo
Positive Hit
Negative Hit – (Custom result) NotTorHost
21. DEMO – LOOKUPS
- Show Script
- Show lookup creation
- Show Example
22. DEMO – WALKTHROUGH
• Script uses an external lookup from DNS for a hosted site
• Dan.me.uk maintains a DNS response that lists Tor information about an IP
• https[:]www.dan.me.uk/dnsbl
• Take the IPv4 address (can do IPv6 too)
• Reverse the IP to embed it into a DNS A record query
192.2.0.123
123.0.2.192.torexit.dan.me.uk
• Response
• If the IP is a match, the response will be an A record of 127.0.0.100
• Follow up with a TXT record query for extra information
N:<nodename>/P:<port1[,port2]>/F:<flags>
• Grab the response data, add the flag info, return results to Splunk
BUILD THE SPLUNK LOOKUP COMMAND/SCRIPT
Apply to transforms.conf
$SPLUNK_HOME/etc/system/local/
#
# Lookup NAME
[torlookup]
external_cmd = Tor_DNS_lookup.py EXT_IP TorResult
fields_list = EXT_IP, TorResult
RUN A SEARCH
index=zimperium "threat.general.external_ip"="*"
| stats count by threat.general.external_ip, "threat.name"
| rename "threat.general.external_ip" AS EXT_IP
| lookup torlookup EXT_IP OUTPUT TorResult
| table EXT_IP, "threat.name", TorResult
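A Python version of the external lookup described in the walkthrough above (the reverse-IP query against torexit.dan.me.uk, the 127.0.0.100 A-record hit and the N:/P:/F: TXT record), as an added example; it is not the deck's Tor_DNS_lookup.py. The resolver functions are injected so the logic can be exercised offline; the stdlib has no TXT resolver, so the TXT hook is left for a library such as dnspython.

```python
#!/usr/bin/env python3
"""Splunk external lookup for the dan.me.uk Tor DNSBL (added example).

Splunk feeds an external lookup a CSV on stdin whose header carries the
fields named in transforms.conf (EXT_IP, TorResult) and expects the same
CSV back on stdout with the output column filled in."""
import csv
import socket
import sys

DNSBL_ZONE = "torexit.dan.me.uk"
TOR_HIT = "127.0.0.100"   # A record the DNSBL returns for a listed exit node


def reverse_ip(ipv4):
    """192.2.0.123 -> 123.0.2.192 (octets reversed for the DNSBL query)."""
    octets = ipv4.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets))


def parse_txt(txt):
    """Split the DNSBL TXT record N:<nodename>/P:<port1[,port2]>/F:<flags>."""
    fields = {}
    for part in txt.split("/"):
        key, _, value = part.partition(":")
        if key in ("N", "P", "F"):
            fields[key] = value
    return fields


def system_resolve_a(name):
    """A-record lookup through the system stub resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tor_result(ipv4, resolve_a, resolve_txt=lambda name: None):
    """TorResult for one address. resolve_a/resolve_txt are injected so the
    logic can be exercised offline; the stdlib has no TXT resolver, so the
    default TXT hook returns None (plug in e.g. dnspython for live use)."""
    try:
        qname = "%s.%s" % (reverse_ip(ipv4), DNSBL_ZONE)
    except ValueError:
        return "InvalidIP"
    if resolve_a(qname) != TOR_HIT:
        return "NotTorHost"
    info = parse_txt(resolve_txt(qname) or "")
    return "TorExit node=%s ports=%s flags=%s" % (
        info.get("N", "?"), info.get("P", "?"), info.get("F", "?"))


def main():
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        row["TorResult"] = tor_result(row["EXT_IP"], system_resolve_a)
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Drop the script into the app's bin directory named as in the transforms.conf stanza; anything the DNSBL does not list comes back as NotTorHost, matching the custom negative result used in the earlier search.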
26. FOLLOW THAT BOTNET – MIRAI IOT BOTNET
• Background
Mirai (Japanese for "the future") is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a leaked chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
- Wikipedia - https://en.wikipedia.org/wiki/Mirai_(malware)
27. TWITTER TRACKING OF MIRAI BOTNET
• Internet researchers (2sec4u and MalwareTechBlog) started a live feed of the DDoS IPs used in the Mirai botnet.
• Twitter posts contain information such as IP, attack type, name, duration and protocol
• Let's use that to store into Splunk!
• Twitter can be logged into Splunk using a JSON RESTful endpoint.
• Follow the handle you want – ‘@MiraiAttacks’ in this case.
• Dump the Twitter text and parse for fields
• Add to a lookup table? Compare to other threat feeds/info available in Splunk
28. Example of using Twitter data
• Parse Twitter index for ‘tweets’ (message info)
• Then look for my handle of interest ‘@MiraiAttacks’
• Then make sure the tweet has an IPv4 address as part of the tweet
• Extract fields for parsing
• BotnetNumber – Internal tracker
• BotnetProto – Type of IP protocol used
• BotnetDuration – Time (seconds) for the attack
• BotnetTarget – IPv4 address
• BotnetCIDR – CIDR notation for the IP (in case not a single IP (/32))
GET THAT THREAT INTEL
index=socialmedia sourcetype=twitter_tweet
| rename user.screen_name AS "Handle", count AS "Num_Tweets"
| search Handle=MiraiAttacks
| regex text="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| rex field=text "\w+\s\W(?<BotnetNumber>\d+)\s-\s(?<BotnetProto>\w+)\s\w+\w+\w+\s\w+\s(?<BotnetDuration>\d+)\s\w+\s\[\w+\]\s(?<BotnetTarget>\d+\.\d+\.\d+\.\d+)\S(?<BotnetCIDR>\d+)"
| stats count values(BotnetTarget) by BotnetNumber
30. SOCIAL MEDIA DASHBOARD
Quick Stats
• Useful for Profile/brand status and awareness
Example Content
• Last 30 minutes of tweets
• Last 24 Hours
• Top Hashtags
• Top Posters
• All Time
• Top Poster
31. LAZY ME – RECORDING AND TRACKING MY TWITTER FEED IN SPLUNK
• REST API as data input (It’s only JSON, right?)
• Store in index only messages, URLs and names for now
• Run a lookup of ‘dirty’ words, then add to alert
• Generates a daily report of tweets per day
32. COLLECT LEAKED INFORMATION - PASTEBIN
• Twitter handle ‘dumpmon’ reports and links to pastebin and pastie posts that appear to have leaked information in them.
36. INGESTING RSS DATA
• Splunk can ingest syndication feeds such as RSS, Atom and RDF formats (any RSS-like format)
• Add-on Syndication Input (2646)
• Simple method of taking collections of feeds and ingesting into Splunk.
38. SPLUNK UI – MAKING LINKS CLICKABLE
• Syndication links and others can be made clickable
• Splunk SimpleXML
• Make the Original_Link open in a new browser window
• Use the Drilldown option
• Pick up the field from the table
Snippet -
<drilldown target="_blank">
<link>$row.Original_Link|n$</link>
</drilldown>
• Takes the table, grabs the row value and opens a new browser window
• Note the link contains “$row.Original_Link|n$”
This tells the Splunk web framework to treat the row field as a direct link rather than an internal Splunk link like a dashboard.
• Thanks Ryan Thibodeaux for the help in solving this
40. SHAPESTER EXAMPLE
Splunk App (2893)
• This app lets you draw your own shapes and polygons directly on the map and save them as a geospatial lookup.
• You can then use this lookup to set up alerts based on geo-fences. Or you can create a building map by drawing the buildings of your campus.
• Example taken using GPS coordinates from a mobile team around Breckenridge Ski resort
• Created Choropleth zones of different areas of the resort
• Based on likely avalanche zones using other data
Source: http://blogs.splunk.com/2016/01/20/splunking-avalanches-of-data/
42. DATA ENRICHMENT NEW IDEAS
Use security researcher search engines to identify and track public information
• Shodan
• HL app
• Direct query with local cache storage ideas
• Censys
44. SHODAN – GOOGLE FOR OPEN-SOURCE INTELLIGENCE
• Shodan (http://shodan.io) – Search engine for security researchers
• Functions like a search engine
• Interrogates ports and grabs banners for collection
• Data is gathered from Shodan crawlers that ‘walk’ the Internet IP space.
• Designed to locate specific content and specific node information (desktops, servers, routers, etc.)
• Splunk and Shodan
• Common app is Hurricane Labs Search Add-on (1766)
• Creates a new Splunk SPL keyword ‘shodan’ that allows you to query an IP
• Also used by Hurricane Labs Shodan App (1767)
• Adaptive Response app available as well (3700)
• Workflow action app (3509)
45. SHODAN EXAMPLES
• Search by IP
| shodan 4.4.4.4
• Search by hostname/FQDN
| shodan badsite.com
• Pivot on larger groupings such as
• BGP ASN (useful for grouping IPs to a larger ASN)
my_search by src_ip | stats count by asn
• Geolocation (lat/long) – useful for geospatial bounding results
my_search | where Country="Russia"
• Map Bitcoin servers
- search in Shodan (CLI or script or web) for popular bitcoin port 8333/tcp
- Run scripted input to update list
* Place in a KV Store for larger data sets *
- Organize by geo-location, server type, etc.
Shodan search for ‘lighttpd/1.4.32’
80.http.get.headers.www_authenticate = 'antMiner'
80.http.get.headers.server = 'lighttpd/1.4.32'
48. CENSYS – A NEW SEARCH ENGINE FOR RESEARCHERS
• “Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.” states the description on the Censys official website.
49. CENSYS – GRAB SSL CERTIFICATES THAT CONTAIN ANTMINER
• Using the Python library for Censys
sh-3.2# python censys_io.py --api_id <MY_ID> --api_secret <MY_API_SECRET> -i "Let's Encrypt" antminer --limit 20 --verbose
• Search limited to 20 results but output JSON (raw) data
• Where the SSL issuer is the EFF’s “Let’s Encrypt” free SSL CA
• And where somewhere in the record it also contains the string ‘antminer’
• Fun Result Example
• Host in Germany
• Victim’s Synology backup server …
• u'title': u'Hallo! Herzlich Willkommen bei Synology Web Station!'}}},
• Check marks for Antminer web control
• Right Web Server – u'server': u'lighttpd/1.4.32',
• Right HTTP authentication – u'www_authenticate': u'Digest realm="antMiner Configuration",
• Wrap this in a script to collect the IP and drop into a Splunk watchlist
Adding IP, DNS name, and Country to the KV Store ‘antminercoll’
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/antminercoll -H 'Content-Type: application/json' -d '{"IP": "217.72.209.42", "Country": "Germany", "SSLCommonName": "loisl.ddnss.de"}'
51. MORE FUN WITH CENSYS AND SHODAN
Tracking and Exploiting AntMiner and Claymore web backends
https://medium.com/@s3yfullah/hacking-cryptocurrency-miners-with-osint-techniques-677bbb3e0157
In this example the authors are using the SHODAN search to find and exploit AntMiner poor web configurations to take over the Miner backend
53. DEMO – PUTTING IT TOGETHER
• Pray to Demo Gods
Show
- Shodan
• Gather list of Questionable Servers (with SSL port enabled)
• Censys
• Combine output to find CAs of interest – “Let’s Encrypt” (EFF) for example
54. FUTURE IDEAS
• Add other data sources
• SSL blocklist
• Extract/compare with NIDS like Bro and Suricata for SSL certificate
• Allow extra pivoting based on threat information sources
55. SURICATA IDS
• Network IDS that supports Snort rules as well as protocol decoding.
• Useful for grabbing SSL certificates
SSL Investigation and Matching
Find all EFF ‘Let’s Encrypt’ certificates being used on US Gov’t servers
index=<CUSTOMER>_sec_suricata event_type=tls "Let's encrypt" tls.sni="*.gov"
Find Suspect certificates (PICTURE)
Anything stand out as suspicious?
• Self-signed SSL certificate
• Fake state, city, organization, and canonical name/server name
56. BRO IDS
• BRO IDS – Application decoding platform
• Processes Layer 4 to 7 traffic
• Rebuilds HTTP, SSL, FTP, SMTP, etc. protocols
• Think of the manual process in Wireshark to ‘Follow TCP Stream’ or ‘Follow HTTP Stream’
• In this example Bro is parsing SSL into Splunk as ‘bro_ssl’
• NOTE the “JA3” field – that’s a method/tool to enable cataloging of SSL certificates for comparison with known lists
57. HEY THERE’S A SPLUNK BLOG POST ABOUT THIS EXACT THING!
• https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
“They developed JA3, a technique for creating SSL client fingerprints from the pre-encryption handshakes of the SSL protocol. At this time, you can generate JA3 fingerprints with either a Bro JA3 script or customizing an instance of Suricata.”
What you need to know
• Supports both BRO and Suricata
• Creates and calculates an MD5 ‘hash’ for an SSL certificate that can be searched by Splunk
• Monitor via Lookup, for example from a list of JA3 certificates
Example list - https://github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json
Title           Description                      Value
ja3_version     SSL Version                      769
ja3_ciphers     SSL Cipher(s)                    47-53-5-10-49161-49162-49171-49172-50-56-19-4
ja3_extensions  SSL Extension                    0-10-11
ja3_ec          SSL Elliptic Curve               23-24-25
ja3_ec_fmt      SSL Elliptic Curve PointFormat   0
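How the MD5 fingerprint in the table above is derived, as an added example (not the deck's or the Splunk blog post's code): JA3 joins the five Client Hello fields into one string, version first and each list dash-separated, skips GREASE placeholder values, and MD5-hashes the result, so the hash can be matched against a lookup list like the trisul one; the watchlist here is constructed from the table's own values.

```python
import hashlib

# JA3 ignores GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) so that a
# browser's randomised placeholders do not change its fingerprint.
def is_grease(value):
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Canonical JA3 string: version,ciphers,extensions,curves,point_formats
    with each list joined by '-' (the field order the table above lists)."""
    def dash_join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), dash_join(ciphers), dash_join(extensions),
                     dash_join(curves), dash_join(point_formats)])


def ja3_hash(ja3_str):
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_str.encode("ascii")).hexdigest()


# Component values from the ja3fingerprint.json entry shown in the table above.
SAMPLE = dict(version=769,
              ciphers=[47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4],
              extensions=[0, 10, 11], curves=[23, 24, 25], point_formats=[0])

# Constructed watchlist (fingerprint -> label), the shape a Splunk lookup CSV
# built from a JA3 list would hold.
WATCHLIST = {ja3_hash(ja3_string(**SAMPLE)): "sample entry from trisul ja3fingerprint.json"}


def match_client_hello(hello, watchlist=WATCHLIST):
    """Fingerprint one parsed Client Hello (a dict shaped like SAMPLE) and
    return the watchlist label, or None when the fingerprint is unknown."""
    return watchlist.get(ja3_hash(ja3_string(**hello)))


if __name__ == "__main__":
    s = ja3_string(**SAMPLE)
    print(s)
    print(ja3_hash(s), match_client_hello(SAMPLE))
```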
58. WRAPPING UP
• Splunk is a powerful tool
• When leveraged with 3rd party data and data enrichment, Splunk Security users and managers can more clearly defend their environment
• Integration of Social Media information can provide useful information
• Tracking threats, priority events, etc.
• News and information for situational awareness in the environment
• Threat Intelligence comes in many forms that can be useful for Splunk
• Leverage and use every component in your environment (Network IDS for example) to better defend the network(s).
• Hopefully these demos and examples have given you ideas to take away for your environment.