My Blog Posts

Configure Jupyter Notebook to Interact with Splunk Enterprise & the Splunk Machine Learning Toolkit

Ever wanted to manage and integrate your Splunk Enterprise deployment using your favorite data science tool? Then this blog’s for you. But there are a couple of things to keep in mind—this is for development and single-instance deployments only, and it also requires sudo/root access to the server in order to properly map user PIDs and ownership of ...


Using Docker and Splunk to Operationalize the Splunk Machine Learning Toolkit

Configuring and maintaining a Splunk Dev environment can be challenging as new releases of apps and the software are made available. Leveraging the official Docker image, the newest versions of Splunk Enterprise and various apps can be made available without a time commitment or worries about future updates. The requirements for this tutorial a...


SuriCon 2018 - Beyond Operational Intelligence: Splunk Advanced Analytics

Prescriptive analytics is often referred to as the “final frontier of analytic capabilities”; many organizations strive to get there and fail. Evolving from reactive to prescriptive is key for organizations to maintain their competitive advantage. So what does this journey look like when organizations embrace an analytics nerve center for security ...


Dark Reading - How to Use Artificial Intelligence and Machine Learning to Improve Enterprise Security

Many cybersecurity vendors today use terms such as “AI” and “machine learning” to describe the capabilities of their products. But what exactly do these technologies do, and how can you implement them to improve your everyday IT security processes? In this Dark Reading webinar, a top expert will offer some useful definitions of terms, and will ...


SuriCon 2017 - Malware Analysis: Suricata & Splunk for Better Rule Writing

Using malware pcaps from: http://www.malware-traffic-analysis.net/ I can leverage Suricata to see which emerging threats rules fire, and analyze the results in Splunk. With Splunk, I can determine if Suricata alerted for a specific indicator of compromise by looking not just at the alert signature but everything in eve.json to iteratively develo...


SuriCon 2017 - Hunting BotNets: Suricata Advanced Security Analytics

Splunk has enabled big data on the security practitioner’s desktop, but the security knowledge worker is not a data scientist by training. SOC engineers need easy-to-implement machine learning tools. Learn about existing machine learning toolkits available in the Splunk platform and how they can be applied to data exfiltration, port/traffic anal...


Enhancing Splunk Visualizations with Mapbox

Enhance the out-of-the-box visualizations provided by Splunk for cluster map visualizations by integrating with the MapBox API. It has been possible to add custom tiles to cluster map visualizations in Splunk, but the options for adding tiles were limited because it was unclear whether external APIs integrated with Splunk. This blog shows you ho...


Analyzing Shadowbrokers Implants

Who are the Shadowbrokers? In 2017 the Shadowbrokers attempted to auction off zero-day tools allegedly developed by the NSA. These tools used undisclosed vulns to target other adversarial nation states and surveil targets with the goal of improving national security. The tools were leaked and subsequently came into the possession of the Shadowbrok...


Proactively Responding to #CloudBleed with Splunk

What is CloudBleed? Cloudbleed is a serious flaw in the Cloudflare content delivery network (CDN) discovered by Google Project Zero security researcher Tavis Ormandy. This vulnerability means that Cloudflare leaked data stored in memory in response to specifically formed requests. The vulnerability behavior is similar to Heartbleed, but Cloudblee...


Enhancing Enterprise Security for Ransomware

Ransomware isn’t going away. Ransomware is a profitable business model for cyber criminals, with 2016 payments closing at the billion-dollar mark. According to a recent survey by IBM, nearly 70% of executives hit by ransomware have paid to get their data back. Those survey results do not include smaller organizations and consumers who are also payin...


SSL Proxy: Splunk & NGINX

Who is this guide for? It is a best practice to install Splunk as a non-root user or service account as part of a defense-in-depth strategy. This installation choice comes with the consequence of preventing the Splunk user from using privileged ports (anything below 1024). Some of the solutions to this problem found on Splunk Answers require i...
