Join our Security Experts and learn about our Analytics-Driven SIEM, Splunk Enterprise Security (ES) in a live, hands-on session. You will start off with a hands-on tour of Splunk's award-winning SIEM, Splunk Enterprise Security and understand its key frameworks and its unique capabilities. Then, you will work on hands-on exercises that involve threat detection, incident investigation and how to take rapid responses using data from a range of sources such as threat list intelligence feeds, endpoint activity logs, e-mail logs, and web logs. This session is a must session for all security practitioners.

1. © 2016 SPLUNK INC. CONFIDENTIAL. INTERNAL USE ONLY.© 2017 SPLUNK INC.
Splunk Enterprise Security:
The Analytics SIEM

2. © 2017 SPLUNK INC.
Agenda:

3. © 2017 SPLUNK INC.
3
Course Outline
Section 1: bad news/ good news
Section 2: What’s a SIEM?
Section 3: Security Posture
& Incident Review
Section 4: Event Investigators
and Adaptive Response
Section 5: Security Domains
Section 6: Security Intelligence
Section 7: Investigative Journal
Section 8: Wrap-Up
Section 9: Appendix

4. © 2017 SPLUNK INC.
Section 1:
good news | bad news

5. © 2017 SPLUNK INC.
the anatomy of a breach

6. © 2017 SPLUNK INC.
Modern APT are Essentially Attack Transactions – but the attacker is trying to hide from you
13
WEB
Conduct
business
Create additional
environment
Gain access
to systemTransaction
Threat Data
Endpoint
Access/Security
Network
Access/Security
Technology
MAIL
.pdf Svchost.exeCalc.exe
Events that
contain link to file
Proxy log
C2 communication
to blacklist
How was
process started?
What created the
program/process?
Process making
C2 traffic
Web
Portal
.pdf

7. © 2017 SPLUNK INC.
First…
the bad news

8. © 2017 SPLUNK INC.
Security Today:

9. © 2017 SPLUNK INC.
30% of phishing
emails get opened
* 2016 Verizon breach digest

10. © 2017 SPLUNK INC.
one minute and forty
seconds to open a malicious
email upon receipt
* 2016 Verizon breach digest

11. © 2017 SPLUNK INC.
one in ten users open
the attachments
* 2016 Verizon breach digest

12. © 2017 SPLUNK INC.
three minutes and forty
five seconds to open an
attachment upon receipt
* 2016 Verizon breach digest

13. © 2017 SPLUNK INC.
3% of users alert
management of a
possible phishing email
* 2016 Verizon breach digest

14. © 2017 SPLUNK INC.
it only takes one user
to open one email to
compromise an entire
network
* 2016 Verizon breach digest

15. © 2017 SPLUNK INC.
two-thirds of all breaches
are the result of weak or
stolen passwords
* 2016 Verizon breach digest

16. © 2017 SPLUNK INC.
* 2016 Verizon breach digest
new vulnerabilities come out every day

17. © 2017 SPLUNK INC.
99% of attacks
compromise
systems within days
* 2016 Verizon breach digest

18. © 2017 SPLUNK INC.
1/3rd of breaches are
detected by a 3rd party
* 2016 Verizon breach digest

19. © 2017 SPLUNK INC.
only 4% of alerts are investigated.

20. © 2017 SPLUNK INC.
59,476 un-investigated
tickets.
1 single incident.
40,000,000 customer
records.

21. © 2017 SPLUNK INC.
46% of organizations
don’t even have a SOC
* 2016 Verizon breach digest

22. © 2017 SPLUNK INC.
* 2016 Verizon breach digest
and no one is immune

23. © 2017 SPLUNK INC.
prevention starts with the SOC

24. © 2017 SPLUNK INC.
now, the good news

25. © 2017 SPLUNK INC.
3 equal parts make a mature security program
Process
PeopleTechnology

26. © 2017 SPLUNK INC.

27. © 2017 SPLUNK INC.
let’s do some maths!

28. © 2017 SPLUNK INC.
the average analyst handles between
14 and 28 cases in an 8 hour shift.

29. © 2017 SPLUNK INC.
assuming 25 cases per day.
according to Optiv

30. © 2017 SPLUNK INC.
assuming 25 cases per day.
20 minutes per case.

31. © 2017 SPLUNK INC.
assuming 25 cases per day.
20 minutes per case.
500 cases per month.

32. © 2017 SPLUNK INC.
assuming 25 cases per day.
20 minutes per case.
500 cases per month.
= 166 hours

33. © 2017 SPLUNK INC.
20 days.

34. © 2017 SPLUNK INC.
what if we could cut that in half?

35. © 2017 SPLUNK INC.
166 hours
2
= 83 hours

36. © 2017 SPLUNK INC.
88 hours
8
= 10 days

37. © 2017 SPLUNK INC.
you get 10 days back.

38. © 2017 SPLUNK INC.
per month.

39. © 2017 SPLUNK INC.
what could you do with an additional 10 days per month?

40. © 2017 SPLUNK INC.
up your security training?

41. © 2017 SPLUNK INC.
up your security training?
work on automating basic alerting?

42. © 2017 SPLUNK INC.
up your security training?
work on automating basic alerting?
concentrate on accuracy over speed?

43. © 2017 SPLUNK INC.
up your security training?
work on automating basic alerting?
concentrate on accuracy over speed?
write a haiku?

44. © 2017 SPLUNK INC.
up your security training?
work on automating basic alerting?
concentrate on accuracy over speed?
write a haiku?
more family time?

45. © 2017 SPLUNK INC.
up your security training?
work on automating basic alerting?
concentrate on accuracy over speed?
write a haiku?
more family time?
start a fight club?

46. © 2017 SPLUNK INC.
the possibilities are endless.

47. © 2017 SPLUNK INC.
there’s the old way.

48. © 2017 SPLUNK INC.
escalate or ignore.

49. © 2017 SPLUNK INC.
then there’s the right way.

50. © 2017 SPLUNK INC.
find out wtf is actually going on.

51. © 2017 SPLUNK INC.
let’s work smarter, not harder

52. © 2017 SPLUNK INC.
and I’ll show you how.

53. © 2017 SPLUNK INC.
Section 2:
What’s a SIEM?

54. © 2017 SPLUNK INC.
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Authentication
2006 called. They want their SIEM back.
Legacy SIEM

55. © 2017 SPLUNK INC.
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom Apps
Physical
Access
Badges
Threat Intelligence
Mobile
CMBD
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Authentication
All Machine Data is Security Relevant
Traditional SIEM

56. © 2017 SPLUNK INC.
learning objectives
•Overview to Splunk Enterprise Security (ES)
•Introduce notable event
•How to login to ES
•Introduce ES home page

57. © 2017 SPLUNK INC.
Enterprise Security Overview
•Out of the box content in all its glory
- alerts | reports | dashboards
•Captures data from all sorts of
device | systems | applications, then
smacks it up, flips it, and rubs it
down
•Built on top of Splunk Core (so you
can still get down and get funky with
SPL).
•Made with real bits of jaguar, so you
know it’s good.

58. © 2017 SPLUNK INC.
Rapid 5 Year Ascension in Gartner SIEM MQ
Niche Player
2011 2016
Leader

59. © 2017 SPLUNK INC.
Splunk Positioned as a Leader in Security Analytics Platforms
Splunk is a Leader in
The Forrester Wave™:
Security Analytics
Platforms, Q1 2017*
Splunk receives highest possible
scores in 17 criteria
*The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester
and Forrester Wave™ are trademarks of Forrester Research, Inc. The
Forrester Wave™ is a graphical representation of Forrester's call on a market
and is plotted using a detailed spreadsheet with exposed scores, weightings,
and comments. Forrester does not endorse any vendor, product, or service
depicted in the Forrester Wave. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change*.
Report is available for redistribution:
https://www.splunk.com/goto/forrester-wave-security-analytics-platform

60. © 2017 SPLUNK INC.
Actionable Info Through Normalization
Any Source, Type, Volume
Online
Services Web
Services
Servers
Security GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
ApplicationsMessaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
On-
Premises
Private
Cloud
Public
Cloud
Security Domains
Access
Network
Endpoint
Identity
On-the-Fly
Data Normalization

61. © 2017 SPLUNK INC.
Threat IntelligenceNetwork Endpoint Access/Identity
Data Sources Required

62. © 2017 SPLUNK INC.
Known relay/C2 sites, infected sites, IOC,
attack/campaign intent and attribution
Who talked to whom, traffic, malware download/
delivery, C2, exfiltration, lateral movement
Running process, services, process owner, registry
mods, file system changes, patching level, network
connections by process/service
Access level, privileged use/escalation, system
ownership, user/system/service business criticality
Data Sources Required
• 3rd party threat data
• Open source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Web Proxy
• NetFlow
• Network
• AV/IPS/FW
• Malware detection
• Config Management
• Performance
• OS logs
• File System
• Directory Services
• Asset Mgmt.
• Authentication Logs
• Application
Services
• VPN, SSO
Threat intelligence
Access/Identity
Endpoint
Network

63. © 2017 SPLUNK INC.
Single Platform for Security Intelligence
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
DETECT
UNKNOWN
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
FRAUD
DETECTION
INSIDER
THREAT

64. © 2017 SPLUNK INC.
Enterprise Security Home

65. © 2017 SPLUNK INC.
Enterprise Security Home (cont.)
Click Security Posture to view
the Security Posture dashboard,
which provides a real-time
overview of your organization's
security posture
Click Incident Review to see the
Incident Review dashboard,
enabling you to view and work
with current notable events

66. © 2017 SPLUNK INC.
Enterprise Security Home (cont.)
Click Documentation to
view the Splunk App for
Enterprise Security
documentation
Click Community to
connect with other Splunk
users on Splunk Answers

67. © 2017 SPLUNK INC.
lab time!
let’s get ready to rumble!

68. - If you were born January through March: https://54.227.105.231
- If you were born April through June: https://54.88.149.63
- If you were born July through September: https://184.72.210.97
- If you were born October through December: https://54.90.243.77
Username: demo Password: atlanta2017
Enterprise Security Hands-On: What’s your Birth Month?

69. 1. Click Security Posture to view the Security Posture dashboard, this
dashboard provides a near real-time overview view into elements of
an organization's security posture
2. Click Incident Review to view the Incident Review dashboard, this
dashboard provides a view into recent notable events that have
occurred
3. Click Documentation to view the Enterprise Security documentation
hosted on docs.splunk.com
4. Click Community to connect with other Splunk users on
answers.splunk.com
Briefly explore the Enterprise Security’s navigation menu

70. © 2017 SPLUNK INC.
Section 2:
Dashboard Overview

71. © 2017 SPLUNK INC.
Learning Objectives for this Section
1. Introduce the default ES dashboards
2. Describe common dashboardfeatures
3. Introduce Extreme Search
4. Introduce Key Indicators

72. © 2017 SPLUNK INC.
Dashboard Overview
Splunk Enterprise Security
provides a range of
dashboards that form a high-
level overview of all security
threats on your system

73. © 2017 SPLUNK INC.
Default Dashboards
• Security Posture
• Incident Review
• My Investigations
• Glass Tables
• Security Intelligence
• Security Domains
• Audit
• Search
• Configure

74. © 2017 SPLUNK INC.

75. © 2017 SPLUNK INC.

76. © 2017 SPLUNK INC.

77. © 2017 SPLUNK INC.

78. © 2017 SPLUNK INC.

79. © 2017 SPLUNK INC.

80. © 2017 SPLUNK INC.

81. © 2017 SPLUNK INC.

82. © 2017 SPLUNK INC.
Common Dashboard Elements

83. © 2017 SPLUNK INC.
Dashboard Filters
Many dashboards have a filter bar to restrictthe view on the currentdashboard to
events that match the selected criteria

84. © 2017 SPLUNK INC.
Dashboard Drilldowns
• The tables and charts that comprise an
ES dashboard presents a consolidated
view of the events
• Tosee a detailed breakout of the
events, click a point or segment on any
chart, or a row in a table

85. © 2017 SPLUNK INC.
Panel Editor

86. © 2017 SPLUNK INC.
Workflow Actions
• Enable interactions between
specified fields in your data
and other applications or
webresources
• The Event Action and
Action menus contain the
relevant workflow actions, and
are available on any
dashboard that displays the
source events

87. © 2017 SPLUNK INC.
Extreme Search
• An enhancement to the Splunk
Enterprise search language (SPL)
• As implemented in ES, you can
use the Extreme search
commands to:
• Builddynamicthresholds
baseduponeventdata
• Providecontext
awarenessbyreplacing
eventcountswithnatural
language

88. © 2017 SPLUNK INC.
Extreme Search | Example
In the MalwareCenter dashboard,the Key Security Indicator Total Infections
displays the total number of systems with malware infections over the last 24 hours

89. © 2017 SPLUNK INC.
Extreme Search
The same indicator using Extreme search displays the relevant information, but
includes a depth that was not available with the prior Total Infections indicator

90. © 2017 SPLUNK INC.
Key Indicators
• The Enterprise Security app contains a number of pre-defined key indicators,
• Each is use case based:
• avalue indicator
• atrendamount
• atrendindicator
• athreshold (toindicate theimportanceorpriorityofthevalue count)
• Key indicators are populated by searches that representan event count over time

91. © 2017 SPLUNK INC.
Section 3:
Security Posture &
Incident Review

92. © 2017 SPLUNK INC.
what’s a notable event?

93. © 2017 SPLUNK INC.
It’s a correlated alert.

94. © 2017 SPLUNK INC.
Security Posture Dashboard

95. © 2017 SPLUNK INC.

96. © 2017 SPLUNK INC.
How Urgency of an Event is Assigned
The severity of an event and the priority are combined to generate the urgency of an event.
Theurgency allows events to beweightedaccording to the asset, thus causing events
against higher priority assets to be treated with higher urgency.

97. © 2017 SPLUNK INC.
Incident Review Dashboard
56

98. © 2017 SPLUNK INC.
lab time!
Start high. Get low. FromSecurity Posture to Incident Review.

100. now it’s your turn.
add some additional KPIs to your
dashboard.

103. drilldown into critical urgency.
where does that take you?

106. explore some of the notable events in the
Incident Review dashboard.

108. take ownership of an alert.
now investigate.

110. what’s your next step?

112. Pivot through some of the links.
Full disclosure: Some of the external links aren’t configured.

114. © 2017 SPLUNK INC.
Section 4:
Asset investigator, identity
investigator, adaptive response

115. © 2017 SPLUNK INC.
Event Investigator Dashboards
• Visually aggregates security-related events by categories over time
using swimlanes
• Each swim lane represents an event category, such as authentication,
malware, or notable events
• Ananalyst can visually link activity across theevent categories, and
form acomplete view of a host or a users interactions in the
environment

116. © 2017 SPLUNK INC.
Asset Investigator

117. © 2017 SPLUNK INC.
Asset Investigator
Also available for ad-hoc searching by browsing to Event Investigator > Asset Investigator in the
main menu: An analyst uses the dashboard to triage an asset's interactions with the environment

118. © 2017 SPLUNK INC.
Multiple swim
lanes are
displayed
simultaneously
to assist the
analyst in tracking
the actions of an
asset across
event categories
Using the Asset Investigator Dashboard
Contains multiple event categories bound to swim lanes
Each event category represents a data model with relevant events
For example, the Malware Attacks swim lane displays events
from an anti-virus management or other malware data source
scoped to the asset searched

119. © 2017 SPLUNK INC.
lab time!
let’s do this together

120. make sure 10.11.36.20 is in your search bar.
change timeline to Last 7 days.

123. click one of the blue bars.

125. If this were an actual breach,
what shape would this be in?

126. © 2017 SPLUNK INC.
Identity Investigator

127. © 2017 SPLUNK INC.
Identity Investigator
Displays information about knownor unknownuser identities across a pre-defined set of
event categories, such as change analysis and malware
Initiated through a workflow action from any dashboard that displays events with network
source or destination address
Available for ad-hoc searching by browsing to Security Intelligence > User Intelligence in the
Enterprise Security app, typing in the user credential in the search bar with an optional wildcard,
setting a time range, and choosing Search

128. © 2017 SPLUNK INC.
lab time!
let’s do this together!

129. Navigate to: Security Intelligence >
User Intelligence > Identity Investigator

130. search for user Hax0r

131. (yes. I’m serious.)

134. let’s switch back to the Incident Review tab.

136. © 2017 SPLUNK INC.
adaptive response

137. © 2017 SPLUNK INC.

138. © 2017 SPLUNK INC.
lab time!
(that was quick.)
Adaptive Response

139. © 2017 SPLUNK INC.
Adaptive Response

140. © 2017 SPLUNK INC.
Adaptive Response

142. © 2017 SPLUNK INC.
Adaptive Response

143. your turn. peruse the response actions.
see what comes out of the box.

144. © 2017 SPLUNK INC.

145. © 2017 SPLUNK INC.
Section 5:
Security Domains

146. © 2017 SPLUNK INC.

147. © 2017 SPLUNK INC.
• Introduce the Access Domain dashboards
• Introduce the Endpoint Domain dashboards
• Introduce the Network Domain dashboards
• Introduce the Identity Domain dashboards
Learning Objectives for This Section

148. © 2017 SPLUNK INC.
Access Domain

149. © 2017 SPLUNK INC.
Endpoint Domain

150. © 2017 SPLUNK INC.
Network Domain

151. © 2017 SPLUNK INC.
Identity Domain

152. © 2017 SPLUNK INC.
lab time!
Security Domains

153. you’re trying to track down lateral movement.
what dashboards would help identify it?

154. what would cause a time skew on hosts?
why is that important?

155. © 2017 SPLUNK INC.
Section 6:
Security Intelligence

156. © 2017 SPLUNK INC.

157. © 2017 SPLUNK INC.
Risk Analysis

158. © 2017 SPLUNK INC.
companies are changing to a risk based strategy

159. © 2017 SPLUNK INC.
Risk Analysis Dashboard
• Displays the recent
changes to risk scores
and the objects that
have the highest risk
score
• You can review this
dashboard to assess
the relative change in
risk scores and
examine the events
that contributed to an
object's risk score

160. © 2017 SPLUNK INC.
Risk Analysis Dashboard

161. © 2017 SPLUNK INC.
Use the Risk Analysis Dashboard
Use to review changes to an object's risk score, determine the source of the
risk increase, and decide if additional action is warranted

162. © 2017 SPLUNK INC.
lab time!
is it getting risky in here?

163. what users are the highest risk in an organization?

164. © 2017 SPLUNK INC.
Protocol Intelligence

165. © 2017 SPLUNK INC.
Protocol Center

166. © 2017 SPLUNK INC.
lab time!
What’s the protocol?

168. © 2017 SPLUNK INC.
DNS Activity

169. © 2017 SPLUNK INC.
DNS Search

170. © 2017 SPLUNK INC.
SSL Activity

171. © 2017 SPLUNK INC.
Email Activity

172. © 2017 SPLUNK INC.
Email Search

173. © 2017 SPLUNK INC.
Threat Intelligence

174. © 2017 SPLUNK INC.
Threat Activity Dashboard

175. © 2017 SPLUNK INC.
Threat Intelligence | Threat Activity Dashboard

176. © 2017 SPLUNK INC.
Threat Artifacts Dashboard

177. © 2017 SPLUNK INC.
lab time!
are you threatening me?

179. © 2017 SPLUNK INC.
User Intelligence

180. © 2017 SPLUNK INC.
Access Anomalies

181. © 2017 SPLUNK INC.
User Activity

182. © 2017 SPLUNK INC.
Web Intelligence

183. © 2017 SPLUNK INC.
HTTP User Agent Analysis

184. © 2017 SPLUNK INC.
HTTP User Agent Analysis Dashboard
Use to investigate long user agent
strings in your proxy data and
determine if there is a possible
threat to your environment
• Abad user agent string,
where the browser name
misspelled (ex. Mozila) or
the version number is
completely wrong(ex.
v666), can indicate an
attacker or threat

185. © 2017 SPLUNK INC.
*note: SANS has a fantastic User Agent Analysis
paper you should check out.
https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874

186. © 2017 SPLUNK INC.
Traffic Size Analysis

187. © 2017 SPLUNK INC.
URL Length Analysis

188. © 2017 SPLUNK INC.
URL Length Analysis Dashboard
Looks at any proxy or
HTTP data that includes
URL string information
• Any traffic data
containing URL
string or path
information --
firewall, router,
switch, or network
flows -- can be
summarized and
viewed in this
dashboard

189. what legitimate sites might have an
extremely long URL?

190. © 2017 SPLUNK INC.
HTTP Category Analysis

191. © 2017 SPLUNK INC.
HTTP Category Analysis Dashboard
Looks at categories of traffic data
Any traffic data -- firewall,
router, switch, or network flows --
can besummarized and viewed
in this dashboard
For info on Websense:
http://www.websense.com/c
ontent/support/library/web/v76/sie
m/siem.pdf

192. © 2017 SPLUNK INC.
New Domain Analysis

193. © 2017 SPLUNK INC.
lab time!
well… that’s new…

194. Under New Domain Analysis, find a
list of machines that went to that
URL, and the activity taken.

195. © 2017 SPLUNK INC.
lab time!
security intelligence

196. the average breach lasts (roughly) 240 days.
where would you look to identify a breach
happening on day one?

197. © 2017 SPLUNK INC.
Section 7:
Investigative Journal

198. © 2017 SPLUNK INC.

206. © 2017 SPLUNK INC.
lab time!
security intelligence

207. it’s your turn!
- create an investigation.
- add some notable events.
- add some notes to describe the activity.

208. © 2017 SPLUNK INC.
Section 8:
Wrap-Up

209. © 2017 SPLUNK INC.
Splunk Quick Starts for Security Investigation
Endpoint Quick Start Apps / Add-OnsInfrastructure Quick Start Apps / Add-Ons

210. © 2017 SPLUNK INC.
continuing education
Splunk Tutorial (The Free eLearning Module):
Search Tutorial Manual:
Splunkbook.com
Splunk Education Videos:

211. © 2017 SPLUNK INC.
now, the call to action

212. © 2017 SPLUNK INC.
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
.conf2017
The 8th Annual Splunk Conference
conf.splunk.com
You will receive an email after registration
opens with a link to save over $450 on the
full conference rate.
You’ll have 30 days to take advantage of this
special promotional rate!
SAVE OVER $450

213. Thank you for your time!
We do appreciate it.

214. © 2017 SPLUNK INC.
Section 9:
Appendix

215. © 2017 SPLUNK INC.
Manual Notable Event
Creation

216. © 2017 SPLUNK INC.
Manual Notable Event Creation
• A new notableevent canbe createdfrom an event you are viewing in the Access Search, Malware
Search, Traffic Search, Intrusion Search, Proxy Search, or Search dashboards
• Create a new notable eventfrom an existingeventshown as part of a search result or by using New
Notable Event in the Configure panel
• A non-administrator role, such as an ES analyst, needs to havean administrator grant additional
permissions to the role, in order to manually create and edit a new notableevent
• Note: Do not create a new notable eventfrom an existingnotableevent
• For instance, do not create a new notable event from an event shownon the Incident
Review dashboard

217. © 2017 SPLUNK INC.
Create a Notable Event from Existing Event
Tocreate a new notable event
from an event in the Malware
Search dashboard:
1. Finalize the search in the
MalwareSearch
dashboard
2. Select "Create notable
event" from theOptions
menu for the event
Anotableeventis
createdusingparametersofthe
selectedevent

218. © 2017 SPLUNK INC.
Notable Event Suppression

219. © 2017 SPLUNK INC.
Notable Event Suppressions
• A searchfilter that hidesany notableeventsmatchingthe searchconditions
• Thesuppressionfilter is createdto stopan excessiveorunwanted numberofnotable
eventsfrom beingdisplayed onthe IncidentReviewdashboard
• Example | you may want to preventcertaintypes of notable eventsfrom appearingon
the Incident Review dashboardorcontributingtodefinedalert thresholds
• Suppressionis appliedto eventsthat arealreadyin the notable index
• A suppressionfilter hidesnotableeventssothey will not beseen
• Throttlingis appliedto eventsbefore they areaddedto the notableindexpreventing
them from beingcreated

220. © 2017 SPLUNK INC.
Create a Suppression From Incident Review
1. Find the notable event that you want to suppress in the Incident Review dashboard
2. From the Actions select: Suppress events to/from... which opens the New Notable Event
Suppression page
3. Review the contents of the fields
4. An Expiration Time field is available to define a time limit for the suppression filter and save
the changes
5. After the time limit is met, the suppression filter is disabled
6. Toreview the suppression filter, browse to Configure > Incident Management > Notable
Event Suppressions

221. © 2017 SPLUNK INC.
Review Notable Event Suppressions
To reviewthe suppressionfilter, browseto Configure> IncidentManagement> NotableEvent Suppressions

222. © 2017 SPLUNK INC.
Create a Suppression from Configure
1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Click on New to create a new notable event suppression
3. Set the Name and Description used for the suppression filter
4. Populate the Search field with the search that finds the events to suppress
5. Set the Expiration Time (defines a time limit for the suppression filter)
6. If the time limit is met, the suppression filter is disabled

223. © 2017 SPLUNK INC.
Edit Notable Event Suppressions
1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Selecting a notable event suppression opens the Edit Notable Event Suppression page
3. Edit the Description and Search fields used for the suppression filter

224. © 2017 SPLUNK INC.
Disable Notable Event Suppressions
1. Browse to Configure > Incident Management > Notable Event Suppressions
2. Select Disable in the Status column for the notable event suppression

225. © 2017 SPLUNK INC.
Remove a Notable Event Suppression
1. Browse to Settings > Event types
2. Search for the the suppression event: notable_suppression-<suppression_name>
3. Select delete in the Actions column for the notable event suppression

226. © 2017 SPLUNK INC.
Suppression Activity Audit
Enterprise Security tracks all suppression activityfor auditing on the SuppressionAudit dashboard

227. © 2017 SPLUNK INC.
Predictive Analytics

228. © 2017 SPLUNK INC.
Learning Objectives for This Section
- Introduce predictive analysis functionality
- How to create query
- How to turn query into correlated search

229. © 2017 SPLUNK INC.
Predictive Analytics Dashboard
• Used to search for different varieties of
anomalous events in your data
• Leverages the predictive analysis
functionality in Splunk to provide statistical
information about the results, and identify
outliers in your data
• Filters are implemented in a series from
left to right
• Example: Object filter is populated based
on the Data Model selection

230. © 2017 SPLUNK INC.
Predictive Analytics Dashboard
To analyze data, choosea datamodel,an object,a function,an attribute,and a time rangeand click Search

231. © 2017 SPLUNK INC.
Dashboard Filters
Use the available dashboard filters to refine the results displayed on the dashboard panels
Filter by Description Action
Data Model Specifies the data model for the search. Available data models are shown in the
drop-down list.
Drop-down: select to filter by
Object Specifies the object within the data model for the search. There must be a Data
Model selection to apply an Object.
Drop-down: select to filter in
Function Specifies the function within the object for the search. Functions specify the type
of analysis to perform on the search results. For example, choose "avg" to
analyze the average of search results. Choose "dc" to create a distinct count of
the results.
Drop-down: select to filter in
Attribute Specifies the constraint attributes within the object for the search.
Attributes are constraints on the search results. For example, choose "src" to
look at results from sources. There must be a Object selection to apply an
Attribute.
Drop-down: select to filter in
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Access to the advanced predict options. Link: A window of optional predict settings

232. © 2017 SPLUNK INC.
Dashboard Panels
For more info on data models, associated objects, functions, and attributes visit the following link:
docs.splunk.com/Documentation/CIM/latest/User/Overview
Panel Description
Prediction Over Time The Prediction Over Time panel shows a predictive analysis
of the results over time, based on the time range you chose.
The shaded area shows results that fall within two standard
deviations of the mean value of the total search results.
Outliers The Outliers panel shows those results that fall outside of
two standard deviations of the search results.

233. © 2017 SPLUNK INC.
Correlation Search Builder

234. © 2017 SPLUNK INC.
The flow.

235. © 2017 SPLUNK INC.
1. Search for authentication source events from an application
2. Count the number of failures by user
3. If the count of authentication failures is >6 for a selected time
period, then execute an Adaptive Response action

236. © 2017 SPLUNK INC.
What data sources will answer the question?

237. © 2017 SPLUNK INC.
1. In this case, we are focused on authentication data, so the
Authentication data model will expose the underlying data
relevant to our analytic
2. Note that although a deep dive on data models in Splunk is
outside the scope of this workshop, it is beneficial to
understand what Splunk data models are and how they relate
to Splunk Enterprise Security
3. More information on data models in Splunk is available at
the link below:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutdatamodels

238. © 2017 SPLUNK INC.
so let’s make one.

239. © 2017 SPLUNK INC.
Create a Correlation Search
1. Toaccess this functionality, you will
need to have additional capabilities
added to your role by the Splunk
Administrator
2. From this dashboard, create a
correlation search based on the
search parameters for your current
predictive analytics search
• This correlation search will create
an alert when the correlation
search returns anevent
3. Click Save as Correlation Search...
to open the Create Correlation Search
dialog

240. © 2017 SPLUNK INC.
Create a Correlation Search (continued)
4. Select the Security domain and
Severity for the notable event created
by this search
5. Add a search name and search
description then click Save
6. Toview and edit correlation searches,
go to Configure > General >
Custom Searches

241. © 2017 SPLUNK INC.
Notify an Analyst
A correlation search is available to notify an analyst if a notable event has not been triaged
1. Under General > Custom Searches, search for the Untriaged Notable Events
correlation search
2. Modify the search, changing the notable event owner or status fields as desired
3. Set the desired alert action
4. Save thechanges
5. Enable theUntriaged Notable Events correlation search

242. © 2017 SPLUNK INC.
lab time!
correlation rule creation!

246. Add Filter Screenshot

252. © 2017 SPLUNK INC.
Risk Scoring
Example Scenario

253. © 2017 SPLUNK INC.
Risk Scoring | Example Scenario
• Inaggregate,thisbehavior
seemslessinterestingthenif
thesamebehavioroccurredon
theproductionDNSserver
• It'stemptingto ignoreor
suppressnotableevents
comingfromanyhostthat'sa
knownjumpserverduetothe
relativenoisecreated
• You needtoknowthehostis
beingmonitored,butwould
preferitwas measuredunder a
differentsetofrules

254. © 2017 SPLUNK INC.
Risk Scoring | Example Scenario
The host RLOG-10 is a jump server
that is generating several notable
events:
• Thecorrelationsearches
Excessive FailedLogins,and
DefaultAccount Activity
Detectedarecreatingone
notableeventa dayforthat
system
• AsRLOG-10isa jumpserver,
thereare manynetwork
credentialsbeingusedagainst
thishost,andsoftwareor other
utilitiesmayhavebeeninstalled

255. © 2017 SPLUNK INC.
Risk Scoring | Example Solution
One solution is a new correlation
search that assigns a risk modifier
when the correlation matches on
hosts that serve as jump servers:
1. Useawhitelistto isolate the
jumpservers from the
existing correlation searches
2. Create and scheduleanew
correlation searchbasedon
Excessive Failed Logins,
but isolate the searchto the
jumpserverhosts andassign
a risk modifier alert type only

256. © 2017 SPLUNK INC.
Risk Scoring | Example Solution (cont.)
3. Verify the risk modifiers are
applied tothe jump server
hosts, raising their risk
score incrementally
• Withthenewcorrelation
search,nonotable
eventswill becreated
forthosehostsbased
uponfailedlogins

257. © 2017 SPLUNK INC.
Risk Scoring | Example Solution Summary
As the relative risk score goes up, RLOG-10 can be compared to all network servers
and to other jump servers:
• IftherelativeriskscoreforRLOG-10exceedsitspeers,thathostwouldbe
investigatedby ananalyst
• Iftheriskscoresofalljumpserversarehigherrelativetoothernetworkhosts,an
internalsecuritypolicymayneedtobe reviewedor implementeddifferently
For a deeper dive:
http://blogs.splunk.com/2014/08/12/risk-analysis-with-enterprise-security-3-1/

258. © 2017 SPLUNK INC.
Additional Content:
- Splunk Tutorial (The Free eLearning Module):
- Search Tutorial Manual:
- Splunkbook.com
- Splunk Education Videos: