This document provides an overview of a hands-on demo of Splunk Enterprise Security (ES) using a free sandbox environment. It discusses creating a sandbox, exploring common ES features like the risk analysis dashboard, threat intelligence, and incident response workflow. The demo shows how to investigate a malware detected event, view asset details, and add context with lookups. It encourages exploring more advanced threat capabilities and additional reports in ES to gain experience with the platform.

1. Copyright © 2015 Splunk Inc.
Dan Christiansen, CISSP, ECSA
Sr. Sales Engineer & Security SME
Splunk for Security -
Your Very Own Splunk
ES Sandbox!

2. 2
Disclaimer
2
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.

3. 3
What’s a sandbox?
3

4. 4
What’s a sandbox?
4
• A 100% free, fully featured 15 day trial of
Splunk products: Cloud, Light, or ES
• Hosted in AWS
• Authenticates off of your Splunk account
• Has sample data for you to play with
• Supports onboarding of your own data
Today’s session: A hands-on activity with your very own
Enterprise Security sandbox!

5. 5 5

6. Let’s create a sandbox

7. 7 7
https://www.splunk.com/getsplunk/es_sandbox

8. 8 8

9. 9 9

10. 10 1

11. 11 1

12. 12 1

13. 13
Let’s fix a few things!
• Saved Search Enablement
• Choose a Timezone (Eastern Time)
• Correlation Search Enablement
1

14. 14 1
Click HereWe want to fix
this

15. 15 1
Click Here

16. 16 1
Click Here
Type “30m” and
click green
magnifying glass
1
3
Click Here
2

17. 17 1
Click Here

18. 18 1
Click Here

19. 19 1
Pick “Eastern
Time”, and save

20. 20 2

21. 21 2
Click Here

22. 22 2
Click Here

23. 23 2
Click Here

24. 24 2
Type “High” to
filter

25. 25 2
Click “Enable” for
“High or Critical
Priority Host with
Malware
Detected”

26. 26 2
Click Here

27. What’s ES anyway?

28. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

29. 29
Mainframe
Data
VMware
Platform for Machine Data
Exchange PCISecurity
Relational
Databases
MobileForwarders
Syslog /
TCP / Other
Sensors &
Control Systems
Wire
Data
Mobile Intel
Splunk Premium Apps Rich Ecosystem of Apps
MINT
Splunk Solutions > Easy to Adopt
Across Data Sources, Use Cases & Consumption Models

30. 30
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

31. 31
App
Servers
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center

32. 32
ES Fast Facts
● Current version: 3.3 in the sandbox, 4.0 was released at the end of
October!
● Two releases per year
● Content comes from industry experts, market analysis, but most
importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and
customizable
● ES has its own development team, dedicated support, services practice,
and training courses
4.0 not in
sandbox…yet

33. Security Posture

34. 34
Security Posture
34
How do you start and end your day?

35. 35
Key Security Indicators
Sparklines
Editable

36. How do we get data in?

37. 37
Data comes from…
You can actually do this in the
sandbox, if you want.

38. 38
Data Ingest + Common Information Model
You’ve got a bunch of systems…
● How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● CIM = Data Normalization

39. Copyright © 2015 Splunk Inc.
NORMALIZATION?!?

40. Copyright © 2015 Splunk Inc.
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.

41. 41
Data Normalization is Mandatory for your SOC
“The organization consuming the
data must develop and consistently
use a standard format for log
normalization.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck
creating investigative queries

42. 42

43. 43
Free.
Supported.
Fully
documented.

44. 44
CIM Compliant!

45. Risk Analysis

46. 46
What To Do First?
● Risk provides context
● Risk helps direct analysts
“Risk Analysis is my favorite
dashboard for my SOC analysts!”

47. 47 4
Under Advanced Threat
click “Risk Analysis”

48. 48 4
KSIs specific to risk
System, User, or
Other
SCROLL

49. 49 4
The source of risk
score
The score per object
The details

50. 50 5
Risk comes from
correlation searches
or from ad-hoc

51. Threat Intelligence

52. 5252 Attack Map
The Challenge:
• Industry says Threat Intel is
key to APT Protection
• Management wants all
threat intel checked against
every system, constantly
• Don’t forget to keep your
15+ threat feeds updated
The Solution:

53. 53
Verizon 2015 DBIR
“”…the percentage of indicators
unique to only one (outbound
destination) feed…is north of 97%
for the feeds we have sampled…”
Threat list aggregation =
more complete intelligence

54. 54 5
Under Advanced Threat
click “Threat Activity”

55. 55 5
SCROLL
KSIs specific to threat

56. 56 5
Threat categories
Threat specifics

57. 57 5
We know about this.
Let me tell you the fix.

58. 58 5
Checkbox any line in the
“Threat Activity Details”

59. 59 5
Click “Advanced Filter”

60. 60 6
Click “Save”
Done on each dashboard
with a yellow triangle,
this will fix ANY dash
with “ppf” error.

61. 61 6
Click Configure, “Data
Enrichment” and then
“Threat Intelligence
Downloads”

62. 62 6
Various community
threat lists
Local ones too
TAXII support

63. 63 6
Click “Malware
Domains”

64. 64 6
Various community
threat lists
Local ones too
TAXII support
Weight used for risk
scoring
Interval
SCROLL for additional
config

65. 65 6
Various community
threat lists
Local ones too
TAXII support
Hit “back” button twice

66. 66 6
Click “Threat Intelligence
Audit” under Audit

67. 67 6
Status of downloads
Details including
errors

68. 68 6
Click “Threat Artifacts”
under Advanced Threat

69. 69 6
STIX/TAXII feed
Browse through the
tabs…

70. More Advanced
Threat

71. 71 7
STIX/TAXII feed
Browse through the
tabs…
Investigate on your own
time: Advanced Threat
capabilities worth your
while…and all areas
under Security Domains

72. Additional Reports

73. 73
Auditors / Management / Compliance Says…
● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than
300 standard reports too

74. 74
Click “Reports” under
Search

75. 75
Almost 330 reports to
use/customize

76. Incident Response
Workflow

77. 77
Click “High or Critical
Priority Host with
Malware Detected”

78. 78
Checkbox Select the first
event
Highly filterable and
tag-able

79. 79
Click “Edit All Selected”

80. 80
Fill out
Status/Owner/Comment,
Click Save
Would contain all of
your users

81. 81
Confirm that event
updates
Click “>” under Actions to
see what you can do with
the event

82. 82
Click “>” to view more
details on the event

83. 83
Last comment and link
to review all activity
Every field “pivot-able”

84. 84
Automatic attribution
for asset data

85. 85
Pivot internally within ES,
or externally. Customizable.
Drill to Asset Investigator

86. 86
Asset data
Customizable Swimlanes
Selectable Time

87. 87
Hold down CTRL or CMD
and click multiple bars
aligned vertically

88. 88
Summarized info from
“candlesticks” selected
Drill to search, make a
notable event, share a link

89. 89
Select one or two red
“Malware Attacks” bars

90. 90
Drill to search

91. 91
Raw log data in the Search
interface is only a click
away.

92. 92
“Browser Tab” back to
Incident Review

93. 93
Edit the event again and
add some more
comments…

94. 94
Feel free to add whatever
you wish here…click save

95. 95
View the review activity
for the event

96. 96

97. 97
Click on “Incident Review
Audit” under AuditMany aspects of ES are
audited within the product

98. 98
More users will make
this more interesting…

99. 99
Click on Identity
Investigator

100. 10
0
Type “htrapper” in search
and click search
Set to “Last 24 hours”
2
1

101. 10
1
Information about this
identity

102. Lookups

103. 10
3
Select “Data Enrichment”,
“Lists and Lookups” under
Configure

104. 10
4
Many lookups to provide
additional context to your
data

105. 10
5
Click on “Demonstration
Identities”

106. 10
6
We want to add
“naughtyuser” to this list
because it is showing up in
our data.
SCROLL

107. 10
7
Select last row, right click,
and choose “Insert row
below.”
Add whatever you want, but
make sure the first column says
“naughtyuser”
When done click save
Extra credit: Check your work in
Identity Center
2
1

108. 10
8
Attack & Investigation Timeline – New to 4.0
Methods to add contents into timeline :
Action History
Actions :
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event
Suppressed
Investigator Memo
Memo :
- Investigator’s memos
inserted in desired timeline
Incident Review
Incident :
- Notable events from
Incident Review
Analyst /
Investigator

109. 10
9
Next Steps…
Play in your ES Sandbox for 15 days
Explore some of the areas we didn’t
get to cover today
Ask questions of your account team
An ES 4.0 sandbox should be
available soon, help yourself to
another sandbox to see the new
features
A two hour version of this talk is
available at conf.splunk.com
1