Splunk and Mandiant: Formidable Defense Against Attackers

The security landscape is ever-changing, intensified by more sophisticated threats, and an increasing number of employees working from home leading to an expanding attack surface. Security professionals are tasked with maintaining a secure environment against a plethora of threats, manifested in thousands of alerts and events that are generated by security controls every day.


No Regrets Using Autoregress

If you’re like me, you’ve occasionally found yourself staring at the Splunk search bar trying to decide how best to analyze a series of data, iterating against one or more fields. If your brain gravitates towards traditional programming syntax, the first thing that pops into your mind may be application of a for or while loop (neither of which follow Turing convention in SPL). With commands like stats, streamstats, eventstats, or foreach at your disposal, which one should a hunter use?


Sysmon, The B-sides: Event Codes That Might Not Get As Much Attention...Just In Time For BOTS!

For those who have played our Boss of the SOC competition or attended our security workshops, you are undoubtedly aware of Frothly, but in case you are not, here is a quick primer. Frothly is a fictional brewing supply company based in San Francisco who has successes and challenges, just like any other organization.


Active Directory Discovery Detection: Threat Research Release, September 2021

The Splunk threat research team recently developed a new analytic story to help security operations center (SOC) analysts detect adversaries executing discovery and reconnaissance tasks within Active Directory environments. In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.


Investigating GSuite Phishing Attacks with Splunk

Malicious actors are constantly finding new ways to deliver their malicious payloads. With the recent migration of businesses moving to web application-based services, file storage, email, calendar, and other channels have become valuable means for delivering malicious code and payloads. In some instances, these services are abused as Command and Control infrastructure since many enterprises trust these services by default.


Process Hunting with a Process

Quite often you are in the middle of a security incident or just combing through your data looking for signs of malicious activity, and you will want to trace the activity or relationships of a particular process. This can be a very time-consuming and frustrating task if you try to brute force things (copying/pasting parent and child process IDs over and over again). And in the heat of battle, you may miss one item that could have led you to something interesting.


Splunk and DTEX Systems Leverage Human Telemetry and Zero Trust to Mitigate Insider Risks and Account Compromise

What was once the thing of spy movies and industrial espionage news headlines is now, sadly, a common occurrence for public organizations and private enterprises around the globe. Insiders… employees, consultants, partners… have emerged as one of the most immediate and serious threats facing IT and cyber security teams and practitioners today. It is not however because every insider has turned malicious.

Splunk SOAR Feature Video: Case Management

Case management functionality is built into Splunk SOAR. Using workbooks, you can codify your standard operating procedures into reusable templates. Splunk SOAR supports custom and industry standard workbooks such as the NIST-800 template for incident response. You can divide tasks into phases, assign tasks to team members, and document your work.