Splunk ES Admin4
Advantages of Risk-Based Alerting?
- Address alert fatigue - Improve detection of sophisticated threats like low-and-slow attacks that traditional SIEMs miss - Align with cybersecurity frameworks like MITRE, Kill Chain, CIS, and NIST - Scale analyst resources to optimize SOC productivity and efficiency
CLI to test integrity of data?
./splunk check-integrity -index <indexname>
What are the steps of the installation checklist?
1. Confirm the environment meets the min system requirements for Splunk Enterprise and ES 2. Increase the Splunk Web upload size limit in web.conf 3. Install ES app on search head 4. Install any required TA's 5. Create Splunk_TA_ForIndexers and deploy to indexers 6. Deploy input-time technical add-ons to forwarders
Steps for ES Data Flow
1. Data is input from it source, indexed into events and sourcetype is applied 2. TA's apply normalization configurations based on the source types that assign the events to data model 3. The DM events are accelerated and placed into accelerated storage, with retention periods up to 1 year 4. Most ES correlation searches and dashboard searches are based on accelerated DM events
Steps for Initial Data Verification
1. Make a list of all sourcetypes required by ES 2. Map the sourcetype to the TA that normalizes it 3. Confirm that the correct sourcetype name is being used (TA docs) 4. Install additional TA's if needed 5. Verify that normalization is happening (i.e. make sure the sourcetype is appearing in the correct DM)
Steps to install ES on Deployer?
1. On the Splunk toolbar, select Apps > Manage Apps and click install app from file 2. Click Choose File and select the ES file 3. Click Upload 4. Click Continue to app setup page 5. Click Start Configuration Process 6. Use the Deployer to deploy ES to the search head cluster members > From Deployer run 'splunk apply shcluster-bundle'
What are the 2 out-of-the-box Risk Incident Rules?
ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days - creates a notable when the # of MITRE attacks exceeds 3 over timeframe Risk Threshold Exceeded for Object Over 24 Hour Period - created notable when the risk score for an object exceeds 100 over the timeframe
______ are a list of actions to take, including possibly creating a notable event of setting risk... - ______ determine severity, default owner, default status, etc... - ______ assigning, increasing, or decreasing the risk score for a given type of threat or incident...
Adaptive Responses Notable event settings Risk
___ and ____ can be given the Edit Intelligence Downloads permission to manage threat intelligence downloads...
Analysts and users
Use _____ to enrich correlation search results with the context from industry-standard mappings
Annotations
_______ are used as field labels in the Risk Analysis dashboard
Annotations
The ______ table lists all configured asset lookups...
Asset lookups
What is the calc for Urgency?
Asset/Identity Priority + Event Sev = Urgency
ES uses ___ data models...
CIM
____ operations maintain the attributes defined in the lookups...
CRUD (create, read, update, and delete)
_____ leverages MLTK functions. (such as mltk_apply_upper macro)...
Conceptual Thresholds
________ Searches run continually in the background looking for known types of threats and vuls
Correlation
How to increase the upload size in web.conf?
Create the $SPLUNK_HOME/etc/system/local/web.conf file and add the below stanza [settings] max_upload_size = 1024
_____ determines which data models are using the most storage or processor time...
Data Model Audit
__________ displays status for sensitive data if the _________ correlation search is enabled...
Data Protection Audit, Personally Identifiable Information Detected
By default, _____ are tasked with managing ES threat intelligence...
ES Admin
By default, only _________ have the ability to suppress notable events
ES Admins
By default, which role can enable, disable, clone, modify, or add new correlation searches?
ES Admins
______ is any search or view that can be shared and used between multiple ES sites...
ES Managed Content
Standard Splunk Roles vs ES Roles (required for ES login) User --> ____________ Power --> ____________ Admin --> _____________
ES User (ess_user) - Run real-time searches and views all ES dashboards/ SHOULD NOT BE ADDED TO ES ADMIN ROLE ES Analyst (ess_analyst) - Owns notable events and performs notable event status changes ES Admin (ess_admin) - Configures ES system-wide, including adding ES users, managing correlation searches and adding new data sources
How ES verifies the following in SA-IdentityManagement each time the identity manager run (every 5 mins) _____ automatic lookups that are defined in props.conf... _____ macros that read from the CSV files into the KV Store collections... _____ transform.conf defines the .csv filenames and settings like case sensitive matching... _____ collection replication settings defined in collections.conf... _____ IdentityLookup conventions...
Enforce props Enforce macros Enforce transforms Enforce replicate Enforce identityLookup
| tstats searches with summariesonly = f search accelerated data? [t/f]
False - summariesonly = t will restrict searches to accelerated data
_____ ensures hosts are properly forwarding data to Splunk, detects forwarders that have failed, and can be set to monitor all hosts or only host as configured in is_expected in the ES Assets lookup table...
Forwarder Audit
The ____ tab has the same features as the Asset Lookups configuration tab...
Identity Lookups
Which dashboard is used to inspect and manage incidents?
Incident Review
___ gives you a summary of event indexes per day (EPD)...
Indexing Audit
Which dashboard gives insight into investigations?
Investigation Overview Dashboard
Asset and Identity lookups are stored as ____
KV Store collections
After download, threat intel data is stored where?
KV store collections with the "_intel" suffix
The ________ at the top of the Security Posture dashboard, provide an at-a-glance view of notable event status over the last 24 hours
Key Indicators (KI)
What are the parts of this MLTK macro? | `mltk_apply_upper("app:failures_by_src_count_1h", "high", "failure")`
Macro Args - model Name of the model for applying data and comparing against standards to find outliers (app:failures_by_src_count_1h) -Qualitative_id Default IDs that correspond to % of deviation, representing where on the distribution curve to look for outliers. ("high" (or "medium" or "low")) -field Where to search for, or count outliers ("failure")
What are the ES Required Add-ons (distributed with ES installer and only required to be on search heads)?
Main ES App - SplunkEnterpriseSecuritySuite Domain add-ons - DA-ESS-AccessProtection - DA-ESS-EndpointProtection - DA-ESS-IdentityManagement - DA-ESS-NetworkProtection - DA-ESS-ThreatIntelligence Supporting add-ons - SA-AccessProtection - SA-AuditAndDataProtection - SA-EndpointProtection - SA-IdentityManagement - SA-NetworkProtection - SA-ThreatIntelligence - SA-UEBA - SA-Utils - Splunk_SA_CIM - Splunk_ML_Toolkit
____ converts non-standard field names and vals into a uniform set of standardized fields within a DM...
Normalization
By default, what will ES users see on the Investigations Overview Dashboard? What will ES analysts see?
Nothing for users, analysts will only see investigations they created
____ are simple numeric comparisons (uses where command)...
Numeric Thresholds
How is data processed by ES?
Raw Events are Indexed [data is generated and forwarded to Splunk]> Data Model Summary Searches Run [CIM DM normalization is applied]> Data is available for ES [| tstats queries and dashboards can use data]> ES Background Searches (content) Process Data [Correlation searches, trackers, and threat intel search data models]> ES Searches for Threats and Anomalies [ES created notable events]
Risk Rules are any correlation search that has the _______ adaptive response action configured
Risk Analysis
Use ____________ to specify conditions to dynamically adjust risk scores for specific objects
Risk Factors
_________ help the risk score to be more precise based on threat
Risk Factors
____________ are correlation searches that run against the risk index
Risk Incident Rules
Risk Incident Rules create ___________
Risk Notables
The default _________ are system, user, and other
Risk Objects
_________ feed results (risk attributions) in the risk index
Risk Rules
The ______ data model is the data source for the panels on the Risk Analysis dashboard
Risk data model
__________ simplify the threat investigation process by helping prioritize suspicious behavior
Risk scores
_____ is the supporting add-on that maintains macros, lookup, knowledge objects, etc...
SA-IdentityManagement
____ and ____ determine how often to run the search and how often to generate notable events for the same type of incidents...
Scheduling and Throttling
Where should the ES app get installed?
Search head
Where should the TA's get installed?
Search heads and on forwarders if they do input phase actions
Which dashboard provides a cross-domain SOC overview?
Security Posture
____ is a fast way to build out an initial TA, and can be used to create sourcetypes, extractions, and data model mapping(s)...
Splunk Add-on Builder
_________ is a separate solution that extends your ability to detect insider threats...
Splunk User Behavior Analytics (UBA)
What should be installed on indexers and heavy forwarders?
Splunk_TA_ForIndexers
What 3 components is ES comprised of?
Tech Add-ons (TA) (input, normalization) Domain Add-ons (DA) (views, UI components) Supporting Add-ons (SA) (searches, macros, data models, utilities)
Where is security-related data acquired from in the enterprise?
Tech add-ons
The data model is scanned by the ____ correlation search and new notables for threat activity are created...
Threat Activity Detected
Use the ____ dashboard to examine the overall contents of the entire threat intelligence framework...
Threat Artifacts
Threat intel is downloaded regularly from external and internal sources by the _____ modular input...
Threat Download Manager
What comprises the Threat Intelligence Framework?
Threat Download Manager Threat Gen Threat Activity Detected
____ searches run by default every 5 mins and scan for threat activity related to any of the threat collections...
Threat Gen
____ is the criteria that causes a correlation search to trigger...
Threshold
The ________ correlation search prepares a list of all notable events in new status or unassigned owner in the last 48 hours...
Untriaged Notable Events
Every notable event has an ___________ field, ranging from Unknown to Critical. What two factors comprise this field?
Urgency : 1. Severity - based on the sev added to the notable event by the correlation search & 2. Priority - assigned to the associated assets or identities (if more than 1 asset/identity is involved in a single notable event, the one with higher priority determine urgancy)
How to examine Data Model Contents?
Use datamodel cmd to examine sourcetypes contained in the DM Example: | datamodel Network_Traffic All_Traffic search | stats count by sourcetype
How to retrieve information from the incident_review KV store collection?
Use the `incident_review` macro |`incident_review` | search comment = "*...text...*"
Data models are _____ not containers...
conceptual maps
Use the _____ to determine the data model(s) and field names the dashboard requires...
dashboard requirements matrix docs.splunk.com/Documentation/ES/latest/User/DashboardMatrix
An ES Admin can enable _________ to ensure that the data ES relies on in the indexes in not tampered with...
data integrity control
By default, only the ______ role can edit ES navigation...
ess_admin
______ can manage all investigations
ess_admin
By default, only ____ and ____ roles have permission to start investigations
ess_admin and ess_analyst
By default, the __________ and __________ roles have the capability to create notable events. Other roles can be given the ____________________ permission.
ess_admin, ess_analyst, Create New Notable Events
_____ can only manage investigations they have created
ess_analyst
All add-ons and apps require you to restart Splunk [t/f]?
f
ess_user can view investigations by default [t/f]?
f
Notable events are created with _________, __________, and _______ that provide info necessary for incident investigation and link to original source events
fields, event types, tags
What is the Splunkbase URL?
https://splunkbase.splunk.com
When a notable event is assigned to an analyst, it is referred to as an ______
incident
All incident review status changes and comments are stored in the _____ collection...
incident_review KV Store collection
When a correlation search detects any IoC's, ES creates an alert called a _________
notable event
Correlation searches create __________ in the _________ index
notable events, notable
An investigation has an _____ and any number of ______
owner, collaborators
By default, all correlation searches run in _____ mode...
real-time
Correlation Searches can be run in either _______ or ________
real-time, on a schedule
ES runs ________ and with ________ searches on accelerated Data Model data...
real-time, scheduled searches
A ____________ is a single metric that shows the relative risk of an object (system, user, or other) in the network over time
risk score
Where is the Risk Factor configuration stored?
risk_factors.conf file in SA-ThreatIntelligence app
Where are annotations stored?
savedsearches.conf under action.correlationsearch.annotations
Normalization is a _____ process based on event source types...
search-time
How can you clear data from the incident review KV store?
| inputlookup incident_review_lookup | eval age = (now() - time)/86400 | search age < 30 | fields - age | outputlookup incident_review_lookup append = f Use splunk clean cmd to completely clear out the incident review collection (splunk must be running): 'splunk clean kvstore -app SA-ThreatIntelligence -collection incident_review
