Introduction to Splunk Platform

Illuminate\Database\Eloquent\Collection Object ( [items:protected] => Array ( [0] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 14 [author_id] => 1 [category_id] => 2 [title] => Power distribution firm seeks ML to detect data transfer anomalies [seo_title] => Power distribution firm seeks ML to detect data transfer anomalies [excerpt] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection [body] =>

Detecting Abnormal or suspicious upload (or) download activity by a user using a Machine learning model. A leading power distribution organization wants to monitor its insider threat using the abnormal or suspicious upload (or) download activity by the user.

CHALLENGES

• Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
• False positive reduction: Using traditional SIEM rules generates many false positive alerts, and so focus is to leverage ML capabilities for anomaly detection.

SOLUTIONS

• Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
• Utilized Splunk MLTK app to visualize data, model the data and evaluate the model performance.
• Multiple ML models were evaluated for detecting suspicious uploads (or) downloads activity.
• The selected model was packaged and deployed in the production environment successfully.

BENEFITS

• Visibility into insider threats.
• Reduced false positive alerts.
• Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operation Center Team

Product: Splunk Enterprise

Splunk App:  Machine Learning Tool Kit

[image] => posts/March2023/7dRwSVXLelMbeWGpIB9O.png [image_alt] => data-transfer-anomalies [slug] => power-distribution-firm-seeks-ml-to-detect-data-transfer-anomalies [meta_description] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:23:25 [updated_at] => 2023-05-26 13:22:22 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 14 [author_id] => 1 [category_id] => 2 [title] => Power distribution firm seeks ML to detect data transfer anomalies [seo_title] => Power distribution firm seeks ML to detect data transfer anomalies [excerpt] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection [body] =>

Detecting Abnormal or suspicious upload (or) download activity by a user using a Machine learning model. A leading power distribution organization wants to monitor its insider threat using the abnormal or suspicious upload (or) download activity by the user.

CHALLENGES

• Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
• False positive reduction: Using traditional SIEM rules generates many false positive alerts, and so focus is to leverage ML capabilities for anomaly detection.

SOLUTIONS

• Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
• Utilized Splunk MLTK app to visualize data, model the data and evaluate the model performance.
• Multiple ML models were evaluated for detecting suspicious uploads (or) downloads activity.
• The selected model was packaged and deployed in the production environment successfully.

BENEFITS

• Visibility into insider threats.
• Reduced false positive alerts.
• Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operation Center Team

Product: Splunk Enterprise

Splunk App:  Machine Learning Tool Kit

[image] => posts/March2023/7dRwSVXLelMbeWGpIB9O.png [image_alt] => data-transfer-anomalies [slug] => power-distribution-firm-seeks-ml-to-detect-data-transfer-anomalies [meta_description] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:23:25 [updated_at] => 2023-05-26 13:22:22 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [1] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 15 [author_id] => 1 [category_id] => 2 [title] => Helping a telecom service provider to remote user monitoring [seo_title] => Helping a telecom service provider to remote user monitoring [excerpt] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [body] =>

The Telecom Service Utility has been facing the challenge of monitoring and analyzing the access and authentication activities of its users while they are working remotely. This problem is due to a change in the work model, where employees accessing sensitive data is a big concern and visibility to monitor the user activity has become essential in this work scenario.

CHALLENGES

• Due to the change in the remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
• Improve current security posture where they can monitor remote users, security incidents &
• check where the risk is happening by using security use cases.
• Providing secure remote access to the employees regardless of their location.

 

SECURITY THREAT

Account compromise	Reconnaissance
Data exfiltration	DDOS attack
Insider Threat	Brute force
Command and control	Unauthorized access
Privilege escalation	Lateral movement

 

SOLUTIONS

• Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
• Implementation of specific use cases to detect all the user access and authentication activities.
• The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
• 25+ use cases are implemented from 9 different types of data sources.
• Some of the implemented Use cases are:
  • Brute force detection
  • SQL Injection
  • User activity after office hours
  • Account lockout detection
  • Unusual download activity detection

 

BENEFITS

• Real-time visibility to the CSIRT team on user access and authentication activities.
• CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
• Reduction of manual intervention in detecting unauthorized activity.

Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, and RDS services logs.

Users: CSIRT Team

Product: Splunk Enterprise

[image] => posts/February2023/384iYcj7WZeW1jppTRFS.png [image_alt] => user-monitoring [slug] => helping-a-telecom-service-provider-to-remote-user-monitoring [meta_description] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:36:47 [updated_at] => 2023-04-05 09:14:52 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 15 [author_id] => 1 [category_id] => 2 [title] => Helping a telecom service provider to remote user monitoring [seo_title] => Helping a telecom service provider to remote user monitoring [excerpt] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [body] =>

The Telecom Service Utility has been facing the challenge of monitoring and analyzing the access and authentication activities of its users while they are working remotely. This problem is due to a change in the work model, where employees accessing sensitive data is a big concern and visibility to monitor the user activity has become essential in this work scenario.

CHALLENGES

• Due to the change in the remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
• Improve current security posture where they can monitor remote users, security incidents &
• check where the risk is happening by using security use cases.
• Providing secure remote access to the employees regardless of their location.

 

SECURITY THREAT

Account compromise	Reconnaissance
Data exfiltration	DDOS attack
Insider Threat	Brute force
Command and control	Unauthorized access
Privilege escalation	Lateral movement

 

SOLUTIONS

• Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
• Implementation of specific use cases to detect all the user access and authentication activities.
• The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
• 25+ use cases are implemented from 9 different types of data sources.
• Some of the implemented Use cases are:
  • Brute force detection
  • SQL Injection
  • User activity after office hours
  • Account lockout detection
  • Unusual download activity detection

 

BENEFITS

• Real-time visibility to the CSIRT team on user access and authentication activities.
• CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
• Reduction of manual intervention in detecting unauthorized activity.

Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, and RDS services logs.

Users: CSIRT Team

Product: Splunk Enterprise

[image] => posts/February2023/384iYcj7WZeW1jppTRFS.png [image_alt] => user-monitoring [slug] => helping-a-telecom-service-provider-to-remote-user-monitoring [meta_description] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:36:47 [updated_at] => 2023-04-05 09:14:52 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [2] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 23 [author_id] => 1 [category_id] => 2 [title] => Successful completion of Splunk cloud migration for Fintech company [seo_title] => Successful completion of Splunk cloud migration for Fintech company [excerpt] => Splunk cloud migration for fintech company to manage their payment infrastructure. [body] =>

The Fintech Company had a remarkable payment infrastructure, but no matter how good the system seemed to be, there were always problems. Despite having the latest and greatest technology available, their systems kept going down, resulting in data loss. The reports and alerts were also delayed, causing a lack of real-time monitoring. The Company collaborated with Positka, a Splunk Cloud partner, to resolve the issue.

Challenges:

• Frequent Infrastructure downtime which resulted in Data loss
• Delayed Alerts and Reports which had an impact on real-time monitoring
• Improper index retention settings
• Applications were deployed on Kubernetes and the logs were ingested into Splunk, due to the frequent downtime data loss that occurred.
• Historical data migration of 16 TB
• Splunk Cloud configuration and migration of Knowledge Objects
• Vetting of customs apps, add-ons, and knowledge objects
• Preparing and migrating custom apps, KOs, and add-ons from on-prem to Splunk Cloud stack

Solution:

• A holistic review of the existing Splunk architecture and implemented Splunk deployment best practices wherever applicable for a smooth migration path to Splunk Cloud
• Identifying potential pitfalls clearly to take any remediation actions
• Collaborative engagement to thoroughly execute a plan to migrate configurations and historical data content.
• Following a prescriptive approach to identify and prioritize the migration with defined milestones
• Adhering to Splunk Cloud Security best practices
• Online smart store data migration

Benefits:

• Retired On-prem Splunk and moved to Splunk Cloud stack by migrating successfully
• No downtime on the Infra side and data loss is evicted
• Have all the configurations, apps, and K0’s for full functionality as it was before
• Migration of historical data which allows searching old data
• Improved search performance
• Moving to Splunk Cloud, the customer now can reallocate their time to focusing higher value tasks that are tied to business outcomes rather than spending effort on platform management which is now taken care of by Splunk on Cloud

 

Users: Information Security Team

Product: Splunk Cloud

[image] => posts/February2023/TtxnDwDvonZtps0vMdt8.png [image_alt] => splunk-cloud-migration [slug] => successful-completion-of-splunk-cloud-migration-for-fintech-company [meta_description] => Splunk cloud migration for fintech company to manage their payment infrastructure [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-28 06:19:11 [updated_at] => 2023-04-06 05:14:51 [tags] => Splunk cloud, Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 23 [author_id] => 1 [category_id] => 2 [title] => Successful completion of Splunk cloud migration for Fintech company [seo_title] => Successful completion of Splunk cloud migration for Fintech company [excerpt] => Splunk cloud migration for fintech company to manage their payment infrastructure. [body] =>

The Fintech Company had a remarkable payment infrastructure, but no matter how good the system seemed to be, there were always problems. Despite having the latest and greatest technology available, their systems kept going down, resulting in data loss. The reports and alerts were also delayed, causing a lack of real-time monitoring. The Company collaborated with Positka, a Splunk Cloud partner, to resolve the issue.

Challenges:

• Frequent Infrastructure downtime which resulted in Data loss
• Delayed Alerts and Reports which had an impact on real-time monitoring
• Improper index retention settings
• Applications were deployed on Kubernetes and the logs were ingested into Splunk, due to the frequent downtime data loss that occurred.
• Historical data migration of 16 TB
• Splunk Cloud configuration and migration of Knowledge Objects
• Vetting of customs apps, add-ons, and knowledge objects
• Preparing and migrating custom apps, KOs, and add-ons from on-prem to Splunk Cloud stack

Solution:

• A holistic review of the existing Splunk architecture and implemented Splunk deployment best practices wherever applicable for a smooth migration path to Splunk Cloud
• Identifying potential pitfalls clearly to take any remediation actions
• Collaborative engagement to thoroughly execute a plan to migrate configurations and historical data content.
• Following a prescriptive approach to identify and prioritize the migration with defined milestones
• Adhering to Splunk Cloud Security best practices
• Online smart store data migration

Benefits:

• Retired On-prem Splunk and moved to Splunk Cloud stack by migrating successfully
• No downtime on the Infra side and data loss is evicted
• Have all the configurations, apps, and K0’s for full functionality as it was before
• Migration of historical data which allows searching old data
• Improved search performance
• Moving to Splunk Cloud, the customer now can reallocate their time to focusing higher value tasks that are tied to business outcomes rather than spending effort on platform management which is now taken care of by Splunk on Cloud

 

Users: Information Security Team

Product: Splunk Cloud

[image] => posts/February2023/TtxnDwDvonZtps0vMdt8.png [image_alt] => splunk-cloud-migration [slug] => successful-completion-of-splunk-cloud-migration-for-fintech-company [meta_description] => Splunk cloud migration for fintech company to manage their payment infrastructure [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-28 06:19:11 [updated_at] => 2023-04-06 05:14:51 [tags] => Splunk cloud, Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) ) [escapeWhenCastingToString:protected] => ) 1