Splunk Security Cheat Sheet

Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results in a variety of contexts and visualisations. I've been using it for a little over 12 months, self-teaching or Googling as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.

You can use Splunk to build dashboards which are typically better than the ones that come with the product.

I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context. 

Cheat Sheet

I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll try to keep this as accessible as possible and base it around real world examples and use cases.

Splunk is a great way to convert reams of log data into views which mean something.

Of course, there is a wealth of documentation over at http://docs.splunk.com and I'd highly recommend that if you start using Splunk you start there or at least turn to that as your primary reference. I'd also strongly recommend that you check to see if there is an existing Splunk App if you have a very specific requirement. Why re-invent the wheel if the vendor (or the community) has already built an app for that appliance / application you've just installed?

Like maps? No problem.

I intend to write a separate piece about some of the very clever things you can do with Splunk, especially some of the cases where we currently use it as the centre of an automation workflow. It's not just reports and dashboards that Splunk can power - with a bit of thinking and tinkering you can get it to interact with and respond to your environment, making it a very powerful tool to add to your security arsenal. I'll still add any searches and code for these solutions to the cheat sheet, but I want to expand on them sufficiently so people can follow the recipe to bake their own.
