The SURGe team at Splunk is always exploring new methods and tools to make our lives easier. Today we’d like to share some of that work with you. Before we dive into the what and how, I’d like to briefly explain the why.

The Splunk Threat Research Team is monitoring open channel intelligence and government alerts indicating the possibility of malicious campaigns using destructive software in relation to ongoing geopolitical events. Based on historical data of named geopolitical actors, the use of destructive payloads has been observed in past campaigns.

White House memo directs the Defense Department and Intelligence Community to implement its May 2021 Executive Order on improving national cybersecurity.

This weekend I spent some time with Okta’s Identity Engine product, learning about various ways to integrate it with Splunk and other external systems. When I got to Okta’s Event Hooks feature, I exclaimed “Aw, HECk!” (actually I said something a little stronger) and banged my head against my old copy of "Log4J 4 Me and U - A Complete Guide" for a few hours trying to get Event Hooks sending data properly into Splunk’s HTTP Event Collector, or HEC.

With the recent release of Sysmon (System Monitor) for Linux by Microsoft, new opportunities for monitoring, detection development, and defense are now possible. Sysmon for Windows is a very popular tool among detection developers and blue teamers as it provides extensive details from system activity and windows logs. Due to the extensive information this service/driver provides in Microsoft Windows, it is very useful when researching attacks and replicating malicious payloads on lab machines.

It would be hard to overstate the critical importance of security orchestration, automation and response (SOAR) capabilities for the effective mission success of security operations centers (SOC). Without a solid SOAR capability in place, an SOC will be easily overwhelmed with routine and repetitive tasks that in and of themselves could become a vulnerability.

Nowadays, malware used to have several stages before it fully compromised the targeted host or machine. The very well-known initial stager is the “phishing email” that contains a malicious macro code or malicious URL link that will download either the actual loader or the next stager to download the actual payload.

DevOps and Security. One encourages speed, agility, iterative learning, enabling technology to keep up with the pace of business. The other wants to keep you safe, slows things down, crosses all the T's and dots all the I's. They seem to be at odds with one another — but do they need to be? DevSecOps says no, that’s not the way it has to be.

The Splunk SURGe team loves to automate and simplify mundane tasks. Through rapid response blogs, we provide context and analysis on late breaking security events that affect everyone, not just Splunk customers. We are firm believers that through shared knowledge and experience we can help the masses better understand the threat landscape and how they can improve their security posture.