splunk
Date: 2023-02-08Last modified: 2023-03-07
Table of contents
- Introduction
- Manual security incident Management
- SIEM — Security Information and Event Management
- SOAR — Security Orchestration, Automation, and Response
- Splunk Use Cases
- Splunk Licenses
- Splunk Enterprise
- Splunk Cloud Platform
- Splunk Components
- Splunk Forwarders
- Search head
- Splunk Enterprise Installation
- Splunk Forwarders Installation
- Splunk Data Sources
- Forwarders and Indexing
- Splunk Enterprise vs. Splunk Cloud
- SSL
- References
Introduction
Manual security incident Management
- Review IT help desk tickets
- Review logs and network activity
- Determine if anomalies exist
- Adhere to standard procedures
SIEM — Security Information and Event Management
SIEM Capabilities
- Centralized security monitoring
- Data analytic
- Data correlation
- Threat detection
- Dashboards, alerts, reports
SIEM: Detect Malicious Activity
- Centralized data ingestion from a variety of sources
- Data analysis and correlation for threat detection
- User behavior analytic (UBA) to detect anomalies
- Free up security analyst time for other relevant, fulfilling tasks
SOAR — Security Orchestration, Automation, and Response
SOAR Capabilities
- Automated incident response
- Playbook workflows
- Add-on integration
SOAR: Stop Malicious Activity
- Get plugins, applications, and workflow templates from Splunkbase
- Easy procedural consistency through automation
- Dashboard visualizations and reports
Automate Detection and Containment
- Malware incidents (ransomware, crypto mining)
- Analysis of phishing emails and social media messages
- Vulnerability detection and remediation
- Automated generation of IT service tickets
- Automated actions based on external security advisories
Playbook workflow
Splunk Use Cases
- Monitor system and application performance
- Monitor application-specific details such as the number of widgets sold
- Detect potential security problems
- Mitigate verified security threats
- Real-time searching
Splunk Licenses
- Enterprise
- Dev/Test
- Developer
- Enterprise trial
- Sales Trial
- Free
- Forwarder
Splunk Enterprise
- Windows 10 and later, Windows Server 2012 and later (.msi)
- Linux (.deb, .tgz, .rpm)
- macOS (.tgz, .dmg)
Splunk Cloud Platform
- Based on Splunk Enterprise, but platform is hosted in the cloud as a managed service
- Splunk Cloud Platform service level agreement (SLA)
- NoCLI as opposed to Splunk Enterprise on-premises
- On-premises forwarders collect data and send it for indexing to Splunk Cloud Platform
- A welcome email message includes a URL, username, and temporary password
Splunk Components
- Splunk Enterprise (Windows, Linux, macOS)
- Splunk Cloud Platform
- Splunk Enterprise console (port 8000)
- Splunk Cloud console (DNS Fully Qualified Domain Name)
Splunk Forwarders
- Agent that gets deployed on hosts
- On the forwarder:
- Data collection (
inputs.conf) - Forward to indexer (
outputs.conf)
- Data collection (
- Universal — raw, unfiltered data
- Heavy — data can be filtered at source and sent to various destinations
Search head
Splunk Enterprise Installation
Download
wget -O splunk-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb \
"https://download.splunk.com/products/splunk/releases/9.0.3/linux/splunk-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb"
Install
dpkg -i splunk-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb
dpkg --status splunk
Start
/opt/splunk/bin/splunk start --accept-license
Accept the EULA, and Configure Splunk to start at boot time
/opt/splunk/bin/splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
Splunk Forwarders Installation
Download
wget -O splunkforwarder-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb \
"https://download.splunk.com/products/universalforwarder/releases/9.0.3/linux/splunkforwarder-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb"
Install
dpkg -i splunkforwarder-9.0.3-dd0128b1f8cd-linux-2.6-amd64.deb
Start
/opt/splunkforwarder/bin/splunk start --accept-license
Add
/opt/splunkforwarder/bin/splunk add forward-server 134.209.212.195:9997
/opt/splunkforwarder/bin/splunk add monitor /var/log/
Configure
vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log]
disabled = false
index = linux_universal_forwarder
host = linux_golf
Restart
/opt/splunkforwarder/bin/splunk restart
Splunk Data Sources
- OS, apps, cloud logs
- Microsoft Active Directory
- File system and databases
- Imported files
- TCP/UDP port data
- Script input
Forwarders and Indexing
- Forwarders are installed on hosts where data is to be collected and forwarded to a Splunk Indexer listening on port 9997
- Universal forwarder - separate download and installation
- Heavy forwarder - Splunk Enterprise instance
- Forwarder targets are defined in
outputs.confin the[tcpout]stanza
Splunk Enterprise vs. Splunk Cloud
Enterprise
- Manual installation on physical or virtual machines
- Amazon Machine Image (AMI) deployment
- Full configuration flexibility
- CLI support
Cloud
- Managed cloud service where installation is already done
- Limited configuration flexibility compared to Enterprise
- No CLI support
SSL
Edit /opt/splunk/etc/system/local/web.conf and add the following lines:
[settings]
enableSplunkWebSSL = 1
privKeyPath=/etc/letsencrypt/live/your-domain/privkey.pem
serverCert=/etc/letsencrypt/live/your-domain/fullchain.pem