Hunting with Splunk: The Basics

At Splunk, you may hear us pontificating on our ponies about how awesome and easy it is to use Splunk to hunt for threats.

Why, all you need to do is use X and Y with Splunk to find a Z score (no zombies were injured in the creation of this .conf presentation) and boom!, baddie in your network is detected. Steve Brant and I have tried to assist with two .conf presentations where we give deep dives specifically for hunting: "Hunting the Known Unknowns (with DNS)" and "Hunting the Known Unknowns (With PowerShell)". However, this isn’t good enough. It’s like telling someone how easy it is draw an owl. (Hint, it isn’t.)

We can do better. Starting with this blog post, we will publish a weekly series of blog posts that take a single Splunk search command or hunting concept and break it down to its basic parts. We will help you create a solid base of knowledge regarding Splunk that you can then use in your own environment to hunt for evil. We will cover everything from hypothesis generation to IDS. Splunk commands like stats, eval and lookups will be examined. This series will serve as your foundation for hunting with Splunk. If however, you would like to learn a little more about hunting before diving in, I suggest you check out "Incident Response is Dead... Long Live Incident Response" by one of our good friends, Scott Roberts.

For those of you who are impatient to start, or want to have a test bed to try out your awesome newfound knowledge, try the Security Investigation Online Experience that my esteemed colleague Erin Sweeney outlined in her blog post, "Introducing the Security Investigation Guided Online Experience."

With each "Hunting with Splunk" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:

• Lookup Before You Go-Go...Hunting
  ^{Using the Lookup command in Splunk to compare IOCs or other items of interest against your Splunk dataset}
• Finding Islands in the Stream (of Data)...
  ^{Using Splunk Stream to find malicious activity in your network}
  
• Using Workflow Actions & OSINT for Threat Hunting in Splunk
  ^{Using Workflow actions and Open Source Intelligence sources}
• MetaData > MetaLore
  ^{Using metadata and tstats to quickly establish situational awareness}
• Peeping Through Windows (Logs)
  ^{Tips for some of the most valuable places to start hunting in your Windows logs}
• I Need to Do Some Hunting. Stat!
  ^{Using the three different stats commands for hunting adversaries in Splunk}
• This is NOT the Data You Are Looking For (OR is it)
  ^{Introducing a set of foundational Splunk threat-hunting techniques that will help you filter data}
• Rex Groks Gibberish
  ^{Using the rex and regex commands in SPL to rip apart data when you're hunting}
• UT_parsing Domains Like House Slytherin
  ^{Using the URL Toolbox to break apart URLs and DNS queries into domains, subdomains, TLDs, and more}
• You Can’t 'Hyde' from Dr. Levenshtein When You Use URL Toolbox
  ^{Using the URL Toolbox to analyze Splunk fields for Shannon entropy and Levenshtein distance}
• Do We Calculate, Appraise, Classify, Estimate? Yes, But We Do It All with Evaluate (eval)
  ^{Using the eval command in Splunk to help modify data (on the fly) and enrich fields}
• Tall Tales of Hunting with TLS/SSL Certificates
  ^{Using TLS and SSL certificates to hunt advanced adversaries}
• Finding NEW Evil: Detecting New Domains with Splunk
  ^{Using Splunk (and Splunk Enterprise Security) to find domains that are "new" to your organization}
• Being Your Own Detective with SA-Investigator
  ^{Using the new SA-Investigator add-on for Splunk Enterprise Security to dig deep into your data models and find the evil lurking within}
• Hunting Your DNS Dragons
  ^{Using Splunk to "hunt" for malicious DNS behaviour in your network}
• A Salacious Soliloquy on Sysmon
  ^{Using Sysmon data for hunting in Splunk}
• I Have a Fever, and the Only Cure for It Is More Feedback
  ^{Providing feedback from hunting into security operations}
• Hunting in a New Savanna
  ^{Hunting in a new environment, including BOSS of the SOC at .conf18}
• The Future is Cloudy with a Chance of Microsoft Office 365
  ^{Using Microsoft Office 365 data to hunt in Splunk}
• I Azure You, This Will Be Useful
  ^{Using Azure Active Directory for basic hunting and discovery}
• November Spawned an Osquery
  ^{Hunting through osquery logs}
• Spotting the Signs of Lateral Movement
  ^{Using Splunk core to identify lateral movement in an organization}
• CloudTrail - Digital Breadcrumbs for AWS
  ^{Using AWS CloudTrail as a security logging source and how to hunt in it}
• Go with the Flow - Network Telemetry (VPC Data) in AWS
  ^{Using VPC data from AWS in Splunk to hunt, hunt, hunt}
• Hunting COVID Themed Attacks With IOCs
  ^{Leveraging crowdsourced IOCs and implementing them in Splunk}
• Process Hunting with a Process
  ^{To make hunting in Splunk better and faster by tracing activities and relationships of a particular process}
  
• No Regrets Using Autoregress
  ^{Using the autoregression command, which is a centralized streaming command, to calculate a moving average and gather information.}
  
• Sysmon, The B-sides: Event Codes That Might Not Get As Much Attention...
  ^{Using Sysmon events – besides Event Code 1 – to gain fidelity into programs starting on systems.}
• Listen To Those Pipes: Part 1
  ^{Hunting pipes, the complete guide.}
• Listen To Those Pipes: Part 2
  ^{Don't skip the first half! This is pipe hunting, part 2.}

Happy Hunting!