Illuminate\Database\Eloquent\Collection Object ( [items:protected] => Array ( [0] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 14 [author_id] => 1 [category_id] => 2 [title] => Power distribution firm seeks ML to detect data transfer anomalies [seo_title] => Power distribution firm seeks ML to detect data transfer anomalies [excerpt] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection [body] =>

Detecting Abnormal or suspicious upload (or) download activity by a user using a Machine learning model. A leading power distribution organization wants to monitor its insider threat using the abnormal or suspicious upload (or) download activity by the user.

 

CHALLENGES

• Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
• False positive reduction: Using traditional SIEM rules generates many false positive alerts, and so focus is to leverage ML capabilities for anomaly detection.

 

SOLUTIONS

• Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
• Utilized Splunk MLTK app to visualize data, model the data and evaluate the model performance.
• Multiple ML models were evaluated for detecting suspicious uploads (or) downloads activity.
• The selected model was packaged and deployed in the production environment successfully.

 

BENEFITS

• Visibility into insider threats.
• Reduced false positive alerts.
• Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operation Center Team

Product: Splunk Enterprise

Splunk App:  Machine Learning Tool Kit

[image] => posts/March2023/7dRwSVXLelMbeWGpIB9O.png [slug] => power-distribution-firm-seeks-ml-to-detect-data-transfer-anomalies [meta_description] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:23:25 [updated_at] => 2023-03-15 11:31:23 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 14 [author_id] => 1 [category_id] => 2 [title] => Power distribution firm seeks ML to detect data transfer anomalies [seo_title] => Power distribution firm seeks ML to detect data transfer anomalies [excerpt] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection [body] =>

Detecting Abnormal or suspicious upload (or) download activity by a user using a Machine learning model. A leading power distribution organization wants to monitor its insider threat using the abnormal or suspicious upload (or) download activity by the user.

 

CHALLENGES

• Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
• False positive reduction: Using traditional SIEM rules generates many false positive alerts, and so focus is to leverage ML capabilities for anomaly detection.

 

SOLUTIONS

• Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
• Utilized Splunk MLTK app to visualize data, model the data and evaluate the model performance.
• Multiple ML models were evaluated for detecting suspicious uploads (or) downloads activity.
• The selected model was packaged and deployed in the production environment successfully.

 

BENEFITS

• Visibility into insider threats.
• Reduced false positive alerts.
• Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operation Center Team

Product: Splunk Enterprise

Splunk App:  Machine Learning Tool Kit

[image] => posts/March2023/7dRwSVXLelMbeWGpIB9O.png [slug] => power-distribution-firm-seeks-ml-to-detect-data-transfer-anomalies [meta_description] => Power distribution organisation aims to detect insider threat via suspicious upload/download activity with focus on ML capabilities for anomaly detection. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:23:25 [updated_at] => 2023-03-15 11:31:23 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [1] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 15 [author_id] => 1 [category_id] => 2 [title] => Helping a telecom service provider to remote user monitoring [seo_title] => Helping a telecom service provider to remote user monitoring [excerpt] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [body] =>

The Telecom Service Utility has been facing the challenge of monitoring and analyzing the access and authentication activities of its users while they are working remotely. This problem is due to a change in the work model, where employees accessing sensitive data is a big concern and visibility to monitor the user activity has become essential in this work scenario.

CHALLENGES

• Due to the change in the remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
• Improve current security posture where they can monitor remote users, security incidents &
• check where the risk is happening by using security use cases.
• Providing secure remote access to the employees regardless of their location.

 

SECURITY THREAT

Account compromise	Reconnaissance
Data exfiltration	DDOS attack
Insider Threat	Brute force
Command and control	Unauthorized access
Privilege escalation	Lateral movement

 

SOLUTIONS

• Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
• Implementation of specific use cases to detect all the user access and authentication activities.
• The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
• 25+ use cases are implemented from 9 different types of data sources.
• Some of the implemented Use cases are:
  • Brute force detection
  • SQL Injection
  • User activity after office hours
  • Account lockout detection
  • Unusual download activity detection

 

BENEFITS

• Real-time visibility to the CSIRT team on user access and authentication activities.
• CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
• Reduction of manual intervention in detecting unauthorized activity.

Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, and RDS services logs.

Users: CSIRT Team

Product: Splunk Enterprise

[image] => posts/February2023/384iYcj7WZeW1jppTRFS.png [slug] => helping-a-telecom-service-provider-to-remote-user-monitoring [meta_description] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:36:47 [updated_at] => 2023-03-15 11:32:00 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 15 [author_id] => 1 [category_id] => 2 [title] => Helping a telecom service provider to remote user monitoring [seo_title] => Helping a telecom service provider to remote user monitoring [excerpt] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [body] =>

The Telecom Service Utility has been facing the challenge of monitoring and analyzing the access and authentication activities of its users while they are working remotely. This problem is due to a change in the work model, where employees accessing sensitive data is a big concern and visibility to monitor the user activity has become essential in this work scenario.

CHALLENGES

• Due to the change in the remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
• Improve current security posture where they can monitor remote users, security incidents &
• check where the risk is happening by using security use cases.
• Providing secure remote access to the employees regardless of their location.

 

SECURITY THREAT

Account compromise	Reconnaissance
Data exfiltration	DDOS attack
Insider Threat	Brute force
Command and control	Unauthorized access
Privilege escalation	Lateral movement

 

SOLUTIONS

• Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
• Implementation of specific use cases to detect all the user access and authentication activities.
• The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
• 25+ use cases are implemented from 9 different types of data sources.
• Some of the implemented Use cases are:
  • Brute force detection
  • SQL Injection
  • User activity after office hours
  • Account lockout detection
  • Unusual download activity detection

 

BENEFITS

• Real-time visibility to the CSIRT team on user access and authentication activities.
• CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
• Reduction of manual intervention in detecting unauthorized activity.

Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, and RDS services logs.

Users: CSIRT Team

Product: Splunk Enterprise

[image] => posts/February2023/384iYcj7WZeW1jppTRFS.png [slug] => helping-a-telecom-service-provider-to-remote-user-monitoring [meta_description] => Telecom Service Utility struggles to monitor remote user access and authentication. Essential for sensitive data protection and visibility in new work model. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-22 12:36:47 [updated_at] => 2023-03-15 11:32:00 [tags] => Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [2] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 23 [author_id] => 1 [category_id] => 2 [title] => Successful completion of Splunk cloud migration for Fintech company [seo_title] => Successful completion of Splunk cloud migration for Fintech company [excerpt] => Splunk cloud migration for fintech company to manage their payment infrastructure. [body] =>

The Fintech Company had a remarkable payment infrastructure, but no matter how good the system seemed to be, there were always problems. Despite having the latest and greatest technology available, their systems kept going down, resulting in data loss. The reports and alerts were also delayed, causing a lack of real-time monitoring. The Company collaborated with Positka, a Splunk Cloud partner, to resolve the issue.

Challenges:

• Frequent Infrastructure downtime which resulted in Data loss
• Delayed Alerts and Reports which had an impact on real-time monitoring
• Improper index retention settings
• Applications were deployed on Kubernetes and the logs were ingested into Splunk, due to the frequent downtime data loss that occurred.
• Historical data migration of 16 TB
• Splunk Cloud configuration and migration of Knowledge Objects
• Vetting of customs apps, add-ons, and knowledge objects
• Preparing and migrating custom apps, KOs, and add-ons from on-prem to Splunk Cloud stack

Solution:

• A holistic review of the existing Splunk architecture and implemented Splunk deployment best practices wherever applicable for a smooth migration path to Splunk Cloud
• Identifying potential pitfalls clearly to take any remediation actions
• Collaborative engagement to thoroughly execute a plan to migrate configurations and historical data content.
• Following a prescriptive approach to identify and prioritize the migration with defined milestones
• Adhering to Splunk Cloud Security best practices
• Online smart store data migration

Benefits:

• Retired On-prem Splunk and moved to Splunk Cloud stack by migrating successfully
• No downtime on the Infra side and data loss is evicted
• Have all the configurations, apps, and K0’s for full functionality as it was before
• Migration of historical data which allows searching old data
• Improved search performance
• Moving to Splunk Cloud, the customer now can reallocate their time to focusing higher value tasks that are tied to business outcomes rather than spending effort on platform management which is now taken care of by Splunk on Cloud

 

Users: Information Security Team

Product: Splunk Cloud

[image] => posts/February2023/TtxnDwDvonZtps0vMdt8.png [slug] => successful-completion-of-splunk-cloud-migration-for-fintech-company [meta_description] => Splunk cloud migration for fintech company to manage their payment infrastructure [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-28 06:19:11 [updated_at] => 2023-03-15 11:33:15 [tags] => Splunk cloud, Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 23 [author_id] => 1 [category_id] => 2 [title] => Successful completion of Splunk cloud migration for Fintech company [seo_title] => Successful completion of Splunk cloud migration for Fintech company [excerpt] => Splunk cloud migration for fintech company to manage their payment infrastructure. [body] =>

The Fintech Company had a remarkable payment infrastructure, but no matter how good the system seemed to be, there were always problems. Despite having the latest and greatest technology available, their systems kept going down, resulting in data loss. The reports and alerts were also delayed, causing a lack of real-time monitoring. The Company collaborated with Positka, a Splunk Cloud partner, to resolve the issue.

Challenges:

• Frequent Infrastructure downtime which resulted in Data loss
• Delayed Alerts and Reports which had an impact on real-time monitoring
• Improper index retention settings
• Applications were deployed on Kubernetes and the logs were ingested into Splunk, due to the frequent downtime data loss that occurred.
• Historical data migration of 16 TB
• Splunk Cloud configuration and migration of Knowledge Objects
• Vetting of customs apps, add-ons, and knowledge objects
• Preparing and migrating custom apps, KOs, and add-ons from on-prem to Splunk Cloud stack

Solution:

• A holistic review of the existing Splunk architecture and implemented Splunk deployment best practices wherever applicable for a smooth migration path to Splunk Cloud
• Identifying potential pitfalls clearly to take any remediation actions
• Collaborative engagement to thoroughly execute a plan to migrate configurations and historical data content.
• Following a prescriptive approach to identify and prioritize the migration with defined milestones
• Adhering to Splunk Cloud Security best practices
• Online smart store data migration

Benefits:

• Retired On-prem Splunk and moved to Splunk Cloud stack by migrating successfully
• No downtime on the Infra side and data loss is evicted
• Have all the configurations, apps, and K0’s for full functionality as it was before
• Migration of historical data which allows searching old data
• Improved search performance
• Moving to Splunk Cloud, the customer now can reallocate their time to focusing higher value tasks that are tied to business outcomes rather than spending effort on platform management which is now taken care of by Splunk on Cloud

 

Users: Information Security Team

Product: Splunk Cloud

[image] => posts/February2023/TtxnDwDvonZtps0vMdt8.png [slug] => successful-completion-of-splunk-cloud-migration-for-fintech-company [meta_description] => Splunk cloud migration for fintech company to manage their payment infrastructure [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-02-28 06:19:11 [updated_at] => 2023-03-15 11:33:15 [tags] => Splunk cloud, Splunk [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [3] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 29 [author_id] => 1 [category_id] => 2 [title] => Automating malware investigation for one of the top investment firms [seo_title] => Automating malware investigation for one of the top investment firms [excerpt] => Leading investment firms security team deals with 30-40 malware alerts daily, considering automation to speed up investigation process. [body] =>

Background:

As one of the world’s leading investment firms with more than 21 offices spanning the globe, it’s not uncommon for the security team at Blackstone to see as many as 30 to 40 malware alerts in a single day. Blackstone’s Incident Response team investigates each malware alert as if a compromise has already occurred, a process that requires 30 to 45 minutes to address each alert fully if done manually.

Challenges:

• Difficulty maintaining automation scripts across a large number of security vendors.
• Needed to tie together existing security products to reduce the response and remediation gap.

Benefits:

• Processing malware email alerts in about 40 seconds versus 30 minutes or more.
• Ensuring a repeatable and auditable process for investigating malware alerts.

Business Impact:

• Dramatically reduce time to investigate malware alerts.
• Drive accuracy and consistency in the incident response process.
• Incident response automation enables the team to investigate issues faster.

Splunk Product:

Splunk SOAR (Previously Splunk Phantom) Enterprise Edition

[image] => posts/March2023/oBgfBlISB9TaOPeFF9CX.png [slug] => automating-malware-investigation-for-one-of-the-top-investment-firms [meta_description] => Leading investment firms security team deals with 30-40 malware alerts daily, considering automation to speed up investigation process. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 10:47:02 [updated_at] => 2023-03-15 11:25:56 [tags] => Splunk-SOAR, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 29 [author_id] => 1 [category_id] => 2 [title] => Automating malware investigation for one of the top investment firms [seo_title] => Automating malware investigation for one of the top investment firms [excerpt] => Leading investment firms security team deals with 30-40 malware alerts daily, considering automation to speed up investigation process. [body] =>

Background:

As one of the world’s leading investment firms with more than 21 offices spanning the globe, it’s not uncommon for the security team at Blackstone to see as many as 30 to 40 malware alerts in a single day. Blackstone’s Incident Response team investigates each malware alert as if a compromise has already occurred, a process that requires 30 to 45 minutes to address each alert fully if done manually.

Challenges:

• Difficulty maintaining automation scripts across a large number of security vendors.
• Needed to tie together existing security products to reduce the response and remediation gap.

Benefits:

• Processing malware email alerts in about 40 seconds versus 30 minutes or more.
• Ensuring a repeatable and auditable process for investigating malware alerts.

Business Impact:

• Dramatically reduce time to investigate malware alerts.
• Drive accuracy and consistency in the incident response process.
• Incident response automation enables the team to investigate issues faster.

Splunk Product:

Splunk SOAR (Previously Splunk Phantom) Enterprise Edition

[image] => posts/March2023/oBgfBlISB9TaOPeFF9CX.png [slug] => automating-malware-investigation-for-one-of-the-top-investment-firms [meta_description] => Leading investment firms security team deals with 30-40 malware alerts daily, considering automation to speed up investigation process. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 10:47:02 [updated_at] => 2023-03-15 11:25:56 [tags] => Splunk-SOAR, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [4] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 30 [author_id] => 1 [category_id] => 2 [title] => Automating phishing investigations for a Top-rated cloud company [seo_title] => Automating phishing investigations for a Top-rated cloud company [excerpt] => Leading Managed Cloud Company secures millions of users' businesses against phishing attacks. Splunk Phantom helps automate response process. [body] =>

Background:

As the world’s leading managed cloud company, Rackspace has more than 6,000 employees and an infrastructure that spans four continents. Investigating phishing emails is just one of many issues the security team addresses. Rackspace needed a security orchestration, automation and response platform, and selected Splunk Phantom.

Challenges:

• Needed a security orchestration, automation and response platform to improve security.

Benefits:

• Automating a manual process that required up to 10 different security products and took 90 minutes or more.
• Increasing efficiency, consistency and improving security.
• Freeing the team to focus time on investigations that require human insight.

Business Impact:

• Saving time by automating and orchestrating the management of phishing incidents and other security issues.
• Simplifying workflow across security and other teams.
• Gaining flexibility to address the company’s dynamic network without requiring specialized DevOps skills.

Splunk Products:

• Splunk Enterprise
• Splunk SOAR (Previously Splunk Phantom) Enterprise Edition

[image] => posts/March2023/m7wJkS2vxYjpd0tdcP44.png [slug] => automating-phishing-investigations-for-a-top-rated-cloud-company [meta_description] => Leading Managed Cloud Company secures millions of users' businesses against phishing attacks. Splunk Phantom helps automate response process. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:09:01 [updated_at] => 2023-03-15 11:26:27 [tags] => Splunk SOAR, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 30 [author_id] => 1 [category_id] => 2 [title] => Automating phishing investigations for a Top-rated cloud company [seo_title] => Automating phishing investigations for a Top-rated cloud company [excerpt] => Leading Managed Cloud Company secures millions of users' businesses against phishing attacks. Splunk Phantom helps automate response process. [body] =>

Background:

As the world’s leading managed cloud company, Rackspace has more than 6,000 employees and an infrastructure that spans four continents. Investigating phishing emails is just one of many issues the security team addresses. Rackspace needed a security orchestration, automation and response platform, and selected Splunk Phantom.

Challenges:

• Needed a security orchestration, automation and response platform to improve security.

Benefits:

• Automating a manual process that required up to 10 different security products and took 90 minutes or more.
• Increasing efficiency, consistency and improving security.
• Freeing the team to focus time on investigations that require human insight.

Business Impact:

• Saving time by automating and orchestrating the management of phishing incidents and other security issues.
• Simplifying workflow across security and other teams.
• Gaining flexibility to address the company’s dynamic network without requiring specialized DevOps skills.

Splunk Products:

• Splunk Enterprise
• Splunk SOAR (Previously Splunk Phantom) Enterprise Edition

[image] => posts/March2023/m7wJkS2vxYjpd0tdcP44.png [slug] => automating-phishing-investigations-for-a-top-rated-cloud-company [meta_description] => Leading Managed Cloud Company secures millions of users' businesses against phishing attacks. Splunk Phantom helps automate response process. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:09:01 [updated_at] => 2023-03-15 11:26:27 [tags] => Splunk SOAR, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [5] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 31 [author_id] => 1 [category_id] => 2 [title] => Early threat detection and intelligent alerts during file transmissions [seo_title] => Early threat detection and intelligent alerts during file transmissions [excerpt] => Banking firm aims to detect early employee transfer of sensitive data. Real-time Splunk analysis catches threats early, enabling timely mitigation [body] =>

Background:

A leading banking and financial services company want to detect early on whether employees are transferring sensitive data. By using Splunk and analyzing data in real-time, the company catches threats sooner and takes the steps necessary to mitigate them before they can cause damage.

Challenges:

• Thousand files/protocol types to report/act on
• File transmission status, Suspicious File Uploads, User anomalous activities, Compromised accounts
• Troubleshooting required manual login to multiple systems to identify the root cause for transmission failures/abnormal behavior
• Monitor and Manage SLAs for several thousand File transmissions

Solutions:

• Centralized File Transmission tracker dashboard for global file transmissions with user interactive drill-downs that tracks transmission time, status, file format, file size, etc.
• Alerts on Suspicious File Uploads – Splunk matches logs with allowed file formats for malicious activity.
• Infosecurity dashboard to track User Anomalous Activity across the globe using Machine Learning techniques and interactive visualizations such as Choropleth/Clustermaps
• Automated alerting setup for File Transmission SLA management: Proactive and Reactive alerts if an SLA is missed or about to be missed

Benefits:

• Improved Security Posture – Early Threat detection and response and cost savings
• Reduced Cycle time (improved MTTR)
• Improved File Transmission SLAs
• Single UI with End-to-End view of a system depicting File transmission status in real-time

Monitored Systems/Data Sources: Centralized File transmission servers (10,000+ files), No. of Transmission Protocols – 14

Users: Operations Team, Information Security Team

Product: Splunk Enterprise

 

[image] => posts/March2023/IuJnT7CRziGayoZ8KNZO.png [slug] => early-threat-detection-and-intelligent-alerts-during-file-transmissions [meta_description] => Banking firm aims to detect early employee transfer of sensitive data. Real-time Splunk analysis catches threats early, enabling timely mitigation [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:18:39 [updated_at] => 2023-03-15 11:27:02 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 31 [author_id] => 1 [category_id] => 2 [title] => Early threat detection and intelligent alerts during file transmissions [seo_title] => Early threat detection and intelligent alerts during file transmissions [excerpt] => Banking firm aims to detect early employee transfer of sensitive data. Real-time Splunk analysis catches threats early, enabling timely mitigation [body] =>

Background:

A leading banking and financial services company want to detect early on whether employees are transferring sensitive data. By using Splunk and analyzing data in real-time, the company catches threats sooner and takes the steps necessary to mitigate them before they can cause damage.

Challenges:

• Thousand files/protocol types to report/act on
• File transmission status, Suspicious File Uploads, User anomalous activities, Compromised accounts
• Troubleshooting required manual login to multiple systems to identify the root cause for transmission failures/abnormal behavior
• Monitor and Manage SLAs for several thousand File transmissions

Solutions:

• Centralized File Transmission tracker dashboard for global file transmissions with user interactive drill-downs that tracks transmission time, status, file format, file size, etc.
• Alerts on Suspicious File Uploads – Splunk matches logs with allowed file formats for malicious activity.
• Infosecurity dashboard to track User Anomalous Activity across the globe using Machine Learning techniques and interactive visualizations such as Choropleth/Clustermaps
• Automated alerting setup for File Transmission SLA management: Proactive and Reactive alerts if an SLA is missed or about to be missed

Benefits:

• Improved Security Posture – Early Threat detection and response and cost savings
• Reduced Cycle time (improved MTTR)
• Improved File Transmission SLAs
• Single UI with End-to-End view of a system depicting File transmission status in real-time

Monitored Systems/Data Sources: Centralized File transmission servers (10,000+ files), No. of Transmission Protocols – 14

Users: Operations Team, Information Security Team

Product: Splunk Enterprise

 

[image] => posts/March2023/IuJnT7CRziGayoZ8KNZO.png [slug] => early-threat-detection-and-intelligent-alerts-during-file-transmissions [meta_description] => Banking firm aims to detect early employee transfer of sensitive data. Real-time Splunk analysis catches threats early, enabling timely mitigation [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:18:39 [updated_at] => 2023-03-15 11:27:02 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [6] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 32 [author_id] => 1 [category_id] => 2 [title] => Automating Trade Reconciliation for trade settlements using Splunk [seo_title] => Automating Trade Reconciliation for trade settlements using Splunk [excerpt] => Leading banking and financial service company use Splunk to monitor Trade Processing Systems, enabling efficient trade reconciliation & driving business growth. [body] =>

Background:

A leading banking and financial service company that provides Trade Processing outsourcing services wants to use Splunk to monitor Trade Processing Systems for efficient trade reconciliation. In addition, it helps customers optimize their internal processes through transparency of its OMS capabilities — a fact that can drive significant growth in the business.

Challenges: 

• Trade conversions/Trade flow tracked across several distributed Hubs/Sub-systems
• Manual reconciliation efforts – unable to quickly aggregate, correlate, analyze data from multiple systems and sources in a timely manner.
• No single unified view of failed transactions and trade transaction flows
• Multiple paths/trade flows across distributed sub-systems based on the trade transactions.

Solutions: 

• Exclusive Trade tracking/monitoring dashboard that tracks each and every trade to quickly identify failed trades.
• Faster resolution time (MTTR): Troubleshooting made easy by pin-pointing failed trade, and failed sub-systems for quicker resolutions
• Metrics benchmarking for performance improvements: Trade travel duration between subsystems for each trade

Benefits:

• Reduced cycle time and total cost for reconciliation
• Single pane of view depicting the trade processing flows for thousands of trades across multiple sub-systems/Hubs.
• The operations team can refer to a single UI to analyze trade failures and accelerate the trade reconciliation process.

Monitored Systems/Data Sources: Trade Processing Sub Systems

Users: Operations Team

Product: Splunk Enterprise

[image] => posts/March2023/mGIzNSE44KyvC52zM06E.png [slug] => automating-trade-reconciliation-for-trade-settlements-using-splunk [meta_description] => Leading banking and financial service company use Splunk to monitor Trade Processing Systems, enabling efficient trade reconciliation & driving business growth. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:31:00 [updated_at] => 2023-03-15 11:29:05 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 32 [author_id] => 1 [category_id] => 2 [title] => Automating Trade Reconciliation for trade settlements using Splunk [seo_title] => Automating Trade Reconciliation for trade settlements using Splunk [excerpt] => Leading banking and financial service company use Splunk to monitor Trade Processing Systems, enabling efficient trade reconciliation & driving business growth. [body] =>

Background:

A leading banking and financial service company that provides Trade Processing outsourcing services wants to use Splunk to monitor Trade Processing Systems for efficient trade reconciliation. In addition, it helps customers optimize their internal processes through transparency of its OMS capabilities — a fact that can drive significant growth in the business.

Challenges: 

• Trade conversions/Trade flow tracked across several distributed Hubs/Sub-systems
• Manual reconciliation efforts – unable to quickly aggregate, correlate, analyze data from multiple systems and sources in a timely manner.
• No single unified view of failed transactions and trade transaction flows
• Multiple paths/trade flows across distributed sub-systems based on the trade transactions.

Solutions: 

• Exclusive Trade tracking/monitoring dashboard that tracks each and every trade to quickly identify failed trades.
• Faster resolution time (MTTR): Troubleshooting made easy by pin-pointing failed trade, and failed sub-systems for quicker resolutions
• Metrics benchmarking for performance improvements: Trade travel duration between subsystems for each trade

Benefits:

• Reduced cycle time and total cost for reconciliation
• Single pane of view depicting the trade processing flows for thousands of trades across multiple sub-systems/Hubs.
• The operations team can refer to a single UI to analyze trade failures and accelerate the trade reconciliation process.

Monitored Systems/Data Sources: Trade Processing Sub Systems

Users: Operations Team

Product: Splunk Enterprise

[image] => posts/March2023/mGIzNSE44KyvC52zM06E.png [slug] => automating-trade-reconciliation-for-trade-settlements-using-splunk [meta_description] => Leading banking and financial service company use Splunk to monitor Trade Processing Systems, enabling efficient trade reconciliation & driving business growth. [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:31:00 [updated_at] => 2023-03-15 11:29:05 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [7] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 33 [author_id] => 1 [category_id] => 2 [title] => Intelligent Compliance dashboard and reporting for financial major [seo_title] => Intelligent Compliance dashboard and reporting for financial major [excerpt] => Global financial services firm creates Intelligent Compliance Dashboard & Reporting system for successful compliance & tracking of security compliance rules [body] =>

Background:

A single view of Non-Compliances across an organization’s IT systems

A global financial services major who wants to successfully meet their compliance requirements and to keep track of all the rules they must follow for their security compliance process. So they create an "Intelligent Compliance Dashboard & Reporting" system that gives them a single view of all the organization's Non-Compliances.

Challenges:

• Inefficient Manual Remediation efforts: Fix non-compliances from 50,000+ scan reports from different platforms (Windows/Databases/ Networks etc); More than 80 man-hours spent on a monthly basis
• Data quality issues due to manual tracking and reconciliation across multiple data sources lead to a lack of confidence in reporting
• Need for risk-based prioritization for thousands of non-compliances to be remediated
• Redundant effort where non-compliance has been previously reviewed and a decision made to not remediate but accept the risk instead

Solutions:

• Splunk-based compliance dashboard with multiple-level access controls for need-based views (country view, domain view, etc)
• User Interactive experience – raw scan data into the visually appealing customized useful presentation: such as Choropleth Map, Tagcloud, Sunburst Chart, and Cluster Map
• Single source of information for remediation effort with an end-to-end view across multiple data sources that enable quick resolution of Non-compliance risk items.

Benefits:

• End-to-end platform presenting single view across entire IT estate of the organization; supports a common understanding of the issues and drives alignment in decisions
• Reduced cycle time and total cost for remediation
• Reporting to support compliance and regulatory audit requirements

Monitored Systems/Data Sources: Symantec Scan Data, 000’s of servers, databases, and other network devices.

Users: Remediation Team, Security & Compliance Team, Senior Management Executives

Product: Splunk Enterprise, Custom Visualizations

[image] => posts/March2023/AfenVBFO8TCI05T354XI.png [slug] => intelligent-compliance-dashboard-and-reporting-for-financial-major [meta_description] => Global financial services firm creates Intelligent Compliance Dashboard & Reporting system for successful compliance & tracking of security compliance rules [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:45:26 [updated_at] => 2023-03-15 11:30:16 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 33 [author_id] => 1 [category_id] => 2 [title] => Intelligent Compliance dashboard and reporting for financial major [seo_title] => Intelligent Compliance dashboard and reporting for financial major [excerpt] => Global financial services firm creates Intelligent Compliance Dashboard & Reporting system for successful compliance & tracking of security compliance rules [body] =>

Background:

A single view of Non-Compliances across an organization’s IT systems

A global financial services major who wants to successfully meet their compliance requirements and to keep track of all the rules they must follow for their security compliance process. So they create an "Intelligent Compliance Dashboard & Reporting" system that gives them a single view of all the organization's Non-Compliances.

Challenges:

• Inefficient Manual Remediation efforts: Fix non-compliances from 50,000+ scan reports from different platforms (Windows/Databases/ Networks etc); More than 80 man-hours spent on a monthly basis
• Data quality issues due to manual tracking and reconciliation across multiple data sources lead to a lack of confidence in reporting
• Need for risk-based prioritization for thousands of non-compliances to be remediated
• Redundant effort where non-compliance has been previously reviewed and a decision made to not remediate but accept the risk instead

Solutions:

• Splunk-based compliance dashboard with multiple-level access controls for need-based views (country view, domain view, etc)
• User Interactive experience – raw scan data into the visually appealing customized useful presentation: such as Choropleth Map, Tagcloud, Sunburst Chart, and Cluster Map
• Single source of information for remediation effort with an end-to-end view across multiple data sources that enable quick resolution of Non-compliance risk items.

Benefits:

• End-to-end platform presenting single view across entire IT estate of the organization; supports a common understanding of the issues and drives alignment in decisions
• Reduced cycle time and total cost for remediation
• Reporting to support compliance and regulatory audit requirements

Monitored Systems/Data Sources: Symantec Scan Data, 000’s of servers, databases, and other network devices.

Users: Remediation Team, Security & Compliance Team, Senior Management Executives

Product: Splunk Enterprise, Custom Visualizations

[image] => posts/March2023/AfenVBFO8TCI05T354XI.png [slug] => intelligent-compliance-dashboard-and-reporting-for-financial-major [meta_description] => Global financial services firm creates Intelligent Compliance Dashboard & Reporting system for successful compliance & tracking of security compliance rules [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 14:45:26 [updated_at] => 2023-03-15 11:30:16 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) [8] => App\Models\Post Object ( [connection:protected] => mysql [table:protected] => posts [primaryKey:protected] => id [keyType:protected] => int [incrementing] => 1 [with:protected] => Array ( ) [withCount:protected] => Array ( ) [preventsLazyLoading] => [perPage:protected] => 15 [exists] => 1 [wasRecentlyCreated] => [escapeWhenCastingToString:protected] => [attributes:protected] => Array ( [id] => 34 [author_id] => 1 [category_id] => 2 [title] => Splunk use case to track and spot suspicious user entries [seo_title] => Splunk use case to track and spot suspicious user entries [excerpt] => Global bank use Splunk to monitor unauthorized user ID creations for fraud prevention. Splunk's alert management effectively tracks & identifies these activities [body] =>

Background:

Unauthorized User ID Creation Monitoring in Windows/Unix systems

One of the largest Multinational banks with a global presence wants to monitor unauthorized User ID creations in case of fraudulent activities. Splunk's alert management capabilities provide the bank with an effective method of tracking and identifying these types of activities.

Challenges:

• Manual log Aggregation/Analysis: Tedious process for log aggregation involving multiple teams
• Lack of a single security platform that could quickly detect ID creation events, aggregate, correlate, analyze data from multiple systems and sources
• Co-ordination issues – Fraud Investigation Workflow process spread across multiple systems/teams; Increased MTTR (Mean time to resolution)
• Timely Analysis – correlating information across different log types was difficult and sometimes log data was overwritten, limiting investigations.

Solutions:

• ID creation events correlated/mapped against matching sources to validate the authenticity of the request
• Any mapping discrepancy triggers a near real-time alert to flag the security monitoring team for further investigation
• Splunk-based near real-time ID Creation monitoring dashboards and alerts for Windows/Unix platforms

Benefits:

• Improved security posture – reduced financial/data losses
• A single unified platform for near real-time log search, analysis, and reporting
• Reduced manual efforts/labor costs
• Quicker Troubleshooting & Response: MTTR reduced from days to minutes; quickly identify & block unauthorized accounts

Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)

Users: Information Security Team

Product: Splunk Enterprise

[image] => posts/March2023/gYNJD2PCSwlS6IMOf0vk.png [slug] => splunk-use-case-to-track-and-spot-suspicious-user-entries [meta_description] => Global bank use Splunk to monitor unauthorized user ID creations for fraud prevention. Splunk's alert management effectively tracks & identifies these activities [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 15:04:30 [updated_at] => 2023-03-15 11:30:47 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [original:protected] => Array ( [id] => 34 [author_id] => 1 [category_id] => 2 [title] => Splunk use case to track and spot suspicious user entries [seo_title] => Splunk use case to track and spot suspicious user entries [excerpt] => Global bank use Splunk to monitor unauthorized user ID creations for fraud prevention. Splunk's alert management effectively tracks & identifies these activities [body] =>

Background:

Unauthorized User ID Creation Monitoring in Windows/Unix systems

One of the largest Multinational banks with a global presence wants to monitor unauthorized User ID creations in case of fraudulent activities. Splunk's alert management capabilities provide the bank with an effective method of tracking and identifying these types of activities.

Challenges:

• Manual log Aggregation/Analysis: Tedious process for log aggregation involving multiple teams
• Lack of a single security platform that could quickly detect ID creation events, aggregate, correlate, analyze data from multiple systems and sources
• Co-ordination issues – Fraud Investigation Workflow process spread across multiple systems/teams; Increased MTTR (Mean time to resolution)
• Timely Analysis – correlating information across different log types was difficult and sometimes log data was overwritten, limiting investigations.

Solutions:

• ID creation events correlated/mapped against matching sources to validate the authenticity of the request
• Any mapping discrepancy triggers a near real-time alert to flag the security monitoring team for further investigation
• Splunk-based near real-time ID Creation monitoring dashboards and alerts for Windows/Unix platforms

Benefits:

• Improved security posture – reduced financial/data losses
• A single unified platform for near real-time log search, analysis, and reporting
• Reduced manual efforts/labor costs
• Quicker Troubleshooting & Response: MTTR reduced from days to minutes; quickly identify & block unauthorized accounts

Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)

Users: Information Security Team

Product: Splunk Enterprise

[image] => posts/March2023/gYNJD2PCSwlS6IMOf0vk.png [slug] => splunk-use-case-to-track-and-spot-suspicious-user-entries [meta_description] => Global bank use Splunk to monitor unauthorized user ID creations for fraud prevention. Splunk's alert management effectively tracks & identifies these activities [meta_keywords] => [status] => PUBLISHED [featured] => 0 [created_at] => 2023-03-06 15:04:30 [updated_at] => 2023-03-15 11:30:47 [tags] => Splunk, Use-case [youtube_video] => [speaker_1_name] => [speaker_1_photo] => [speaker_1_designation] => [speaker_2_name] => [speaker_2_photo] => [speaker_2_designation] => [speaker_3_name] => [speaker_3_photo] => [speaker_3_designation] => [summary_data] => ) [changes:protected] => Array ( ) [casts:protected] => Array ( ) [classCastCache:protected] => Array ( ) [attributeCastCache:protected] => Array ( ) [dates:protected] => Array ( ) [dateFormat:protected] => [appends:protected] => Array ( ) [dispatchesEvents:protected] => Array ( ) [observables:protected] => Array ( ) [relations:protected] => Array ( ) [touches:protected] => Array ( ) [timestamps] => 1 [hidden:protected] => Array ( ) [visible:protected] => Array ( ) [fillable:protected] => Array ( ) [guarded:protected] => Array ( [0] => * ) ) ) [escapeWhenCastingToString:protected] => ) 1