Honeypot Diaries: Dota Malware

A honeypot is a form of deception technology used to observe threat actor tactics, techniques, and procedures (TTP). I have deployed a customized version of the Cowrie honeypot in several regions, and I have one at home to capture residential IP space activity. The Honeypot Diaries will be a recurring series that I will use to share … Read more

Blue Team Tactics: Honey Tokens Pt. III

This is the final part of a multipart blog post, read part one and two then continue here. In part 2, we simulated adversary interaction with our deployed tokens and then leveraged Windows Event Viewer to assess the generated artifacts. What follows will be several options for getting the audit logs from the endpoints to … Read more

Load Balancing a Splunk Search Head Cluster

A Splunk Search Head (SH) enables an analyst to query a Splunk Indexer for data in a distributed configuration. A Search Heads group that shares knowledge objects and settings is known collectively as a Search Head Cluster (SHC). Deploying a SHC provides high availability (HA) and many other benefits to your users. However, as you scale out … Read more

FreeIPA integration with Splunk

Splunk has built-in user authentication; however, if you have multiple deployments or a clustered environment, it makes sense to utilize centralized user management. FreeIPA provides a solution similar to a Domain Controller in an Active Directory (AD) environment. Setting up FreeIPA is outside the scope of this document, and we will instead focus on how to integrate Splunk … Read more

DIY IP Threat Feed

A threat feed is a collection of actionable information about threats that allows for mitigating harmful events. This blog post is concerned with developing an IP based threat feed or blacklist. We will look at how to gather, aggregate, enrich, and extract threat data for consumption. Gathering the threat data I have several servers in … Read more

Deploying Splunk Universal Forwarders via GPO

When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs … Read more

Replacing the Default Splunk Web SSL Certificate

This post  goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA. Step 1: Create the directory for the certificates splunk@siem:~$ mkdir /opt/splunk/etc/auth/certs Step 2: Generate the private key and temporary password splunk@siem:~$ cd /opt/splunk/etc/auth/certs splunk@siem:~$ splunk cmd openssl genrsa … Read more

Tracking SSH Brute-force Logins with Splunk

If you manage servers with OpenSSH access, you have no doubt been subject to the barrage of ssh brute-force attempts that occurs across the internet. Some administrators deal with this by either changing the default port (security by obscurity), utilizing public keys, threshold blocking, or white-listing source IP addresses among other things. AWS has security … Read more