Hunting with Splunk: The Basics

At Splunk, you may hear us pontificating on our ponies about how awesome and easy it is to use Splunk to hunt.

Why, all you need to do is use X and Y with Splunk to find a Z score (no zombies were injured in the creation of this .conf presentation) and boom!, baddie in your network is detected. Steve Brant and I have tried to assist with two .conf presentations where we give deep dives specifically for hunting: "Hunting the Known Unknowns (with DNS)" and "Hunting the Known Unknowns (With PowerShell)". However, this isn’t good enough. It’s like telling someone how easy it is draw an owl. (Hint, it isn’t.)

We can do better. Starting with this blog post, we will publish a weekly series of blog posts that take a single Splunk search command or hunting concept and break it down to its basic parts. We will help you create a solid base of knowledge regarding Splunk that you can then use in your own environment to hunt for evil. We will cover everything from hypothesis generation to IDS. Splunk commands like stats, eval and lookups will be examined. This series will serve as your foundation for hunting with Splunk. If however, you would like to learn a little more about hunting before diving in, I suggest you check out "Incident Response is Dead... Long Live Incident Response" by one of our good friends, Scott Roberts.

If you have any requests, feel free to send them to security-specialists@splunk.com. For those of you who are impatient to start, or want to have a test bed to try out your awesome newfound knowledge, try the Security Investigation Online Experience that my esteemed colleague Erin Sweeney outlined in her blog post, "Introducing the Security Investigation Guided Online Experience."

With each "Hunting with Splunk" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:

• Lookup Before You Go-Go...Hunting
  ^{Using the Lookup command in Splunk to compare IOCs or other items of interest against your Splunk dataset}
• Finding Islands in the Stream (of Data)...
  ^{Using Splunk Stream to find malicious activity in your network}
  
• Work(flow)ing Your OSINT
  ^{Using Workflow actions and Open Source Intelligence sources}
• MetaData > MetaLore
  ^{Using metadata and tstats to quickly establish situational awareness}
• Peeping Through Windows (Logs)
  ^{Tips for some of the most valuable places to start hunting in your Windows logs}
• I Need to Do Some Hunting. Stat!
  ^{Using the three different stats commands for hunting adversaries in Splunk}
• This is NOT the Data You Are Looking For (OR is it)
  ^{Introducing a set of foundational Splunk threat-hunting techniques that will help you filter data}
• Rex Groks Gibberish
  ^{Using the rex and regex commands in SPL to rip apart data when you're hunting}
• UT_parsing Domains Like House Slytherin
  ^{Using the URL Toolbox to break apart URLs and DNS queries into domains, subdomains, TLDs, and more}
• You Can’t 'Hyde' from Dr. Levenshtein When You Use URL Toolbox
  ^{Using the URL Toolbox to analyze Splunk fields for Shannon entropy and Levenshtein distance}
• Do We Calculate, Appraise, Classify, Estimate? Yes, But We Do It All with Evaluate (eval)
  ^{Using the eval command in Splunk to help modify data (on the fly) and enrich fields}
• Tall Tales of Hunting with TLS/SSL Certificates
  ^{Using TLS and SSL certificates to hunt advanced adversaries}
• Finding NEW Evil: Detecting New Domains with Splunk
  ^{Using Splunk (and Splunk Enterprise Security) to find domains that are "new" to your organization}
• Being Your Own Detective with SA-Investigator
  ^{Using the new SA-Investigator add-on for Splunk Enterprise Security to dig deep into your data models and find the evil lurking within}
• Hunting Your DNS Dragons
  ^{Using Splunk to "hunt" for malicious DNS behaviour in your network}
• A Salacious Soliloquy on Sysmon
  ^{Using Sysmon data for hunting in Splunk}

Happy Hunting!