Security Jiujitsu

More documents

Recommendations

Info

Analysis Technique – Combine MulEple Vectors If you have a number of correlaEon searches firing, you can track the output of those searches and do a meta analysis. If you use Enterprise <strong>Security</strong>, use index=notable. If you use a EckeEng system, query that. If you use the alert manager, use | rest “/services/alerts/fired_alerts” CraR a search that looks for mulEple event endpoint alerts, and then create a high confidence high severity event based on that. 46
Analysis Technique – Combine MulEple Vectors Example: index=notable | stats dc(search_name) as NumRules values(search_name) by dest| where NumRules>2 More Powerful Example: (index=notable AnEvirus OR ids) OR (index=proxy category=uncategorized) | eval dest=case(index=“proxy”, src, index=“notable”, dest) | stats count(search_name) as NumRuleHits count(eval(index=“proxy”)) as NumUncategorizedHits by dest In ES >= 3.2, search index=risk_acEvity for correlaEons w/o notables 47
Page 1 and 2: Copyright © 2015 Splunk Inc.
Page 3 and 4: Personal IntroducEon David Veuve
Page 5 and 6: For Each Scenario • Focus on
Page 7 and 8: Who Are You? 1. Security Engine
Page 9 and 10: Security CorrelaEon In Splunk
Page 11 and 12: Splunk CorrelaEon Rules Easy in
Page 13 and 14: Visibility, Analysis, AND AcEon
Page 15 and 16: CorrelaEon Across MulEple Source
Page 17 and 18: Search Example Raw Search 71 S
Page 19 and 20: Techniques - Expand Base Search
Page 21 and 22: Techniques - The Other Stats S
Page 23 and 24: Techniques - Higher Confidence
Page 25 and 26: How Does it Scale? Tstats vers
Page 27 and 28: About Endpoint Logs Curious abo
Page 29 and 30: Privileged User Monitoring
Page 31 and 32: Visibility AuthenEcaEon Data Mod
Page 33 and 34: Analysis Alert when users who
Page 35 and 36: Analysis - Part Two -‐ Exa
Page 37 and 38: Analysis - Part Three (ES Spec
Page 39 and 40: Conquering Alert FaEgue
Page 41 and 42: Visibility A typical Eer one a
Page 43 and 44: Analysis Technique - StaEsEcal
Page 45: Analysis Technique - StaEsEcal
Page 49 and 50: Analysis Techniques - Machine L
Page 51 and 52: Threat Feeds
Page 53 and 54: Great Threat Feed Tools Enterpr
Page 55 and 56: But That’s Not all for Threa
Page 57 and 58: We Looked at a Lot of Things
Page 59 and 60: Give Me Feedback! Rate it in
Page 61 and 62: Appendix Network HunEng
Page 63 and 64: Techniques -‐ Frequency Unde
Page 65 and 66: Techniques -‐ Coherence Cohe
Page 67: Analysis | tstats prestats=t su

Security Jiujitsu

Create successful ePaper yourself

Delete template?

Save as template?