Hunting with Splunk: The Basics

At Splunk, you may hear us pontificating on our ponies about how awesome and easy it is to use Splunk to hunt for threats.

Why, all you need to do is use X and Y with Splunk to find a Z score (no zombies were injured in the creation of this .conf presentation) and boom!, baddie in your network is detected. Steve Brant and I have tried to assist with two .conf presentations where we give deep dives specifically for hunting: "Hunting the Known Unknowns (with DNS)" and "Hunting the Known Unknowns (With PowerShell)". However, this isn’t good enough. It’s like telling someone how easy it is draw an owl. (Hint, it isn’t.)

We can do better. Starting with this blog post, we will publish a weekly series of blog posts that take a single Splunk search command or hunting concept and break it down to its basic parts. We will help you create a solid base of knowledge regarding Splunk that you can then use in your own environment to hunt for evil. We will cover everything from hypothesis generation to IDS. Splunk commands like stats, eval and lookups will be examined. This series will serve as your foundation for hunting with Splunk. If however, you would like to learn a little more about hunting before diving in, I suggest you check out "Incident Response is Dead... Long Live Incident Response" by one of our good friends, Scott Roberts.

For those of you who are impatient to start, or want to have a test bed to try out your awesome newfound knowledge, try the Security Investigation Online Experience that my esteemed colleague Erin Sweeney outlined in her blog post, "Introducing the Security Investigation Guided Online Experience."

With each "Hunting with Splunk" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:



Happy Hunting!

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags