Splunk
Honeypot Diaries: SSH Authorized Keys
Analyzing threat actor activity and malware observed in geographically dispersed honeypots.
Migrating Splunk Storage to S3 SmartStore
A short guide on how I transitioned an existing Splunk deployment to S3 SmartStore to decouple and scale storage.
Detecting Default Meterpreter HTTPS Listeners
Detecting default Meterpreter HTTPS listeners by fingerprinting TLS certificate metadata, cipher suites, and HTTP response bodies using Nmap, Zeek, Splunk, and Elastic.
Honeypot Diaries: Masscan
A honeypot observations post documenting a threat actor attempting to install and use the masscan port scanner on a compromised host to scan for RDP and SSH targets, with SSH hardening mitigations.
Ingesting PCAP Files with Zeek and Splunk
How to safely ingest and analyze pcap files at scale using Zeek and Splunk.
Honeypot Diaries: Dota Malware
A deep dive into detecting and analyzing the Dota malware campaign.
Blue Team Tactics: Honey Tokens Pt. III
The final installment of the honey tokens series, covering multiple methods to centralize Windows Event ID 4663 audit logs including PowerShell, WEF, Splunk Universal Forwarders, and Splunk search queries.
Load Balancing a Splunk Search Head Cluster
A guide to using an Ansible playbook to deploy and configure Nginx as a TLS-terminating load balancer in front of a Splunk Search Head Cluster for high availability and a single user entry point.
FreeIPA Integration with Splunk
This post walks through integrating Splunk authentication with FreeIPA LDAP by creating a bindDN system account and configuring LDAP settings in both the Splunk web UI and an authentication.conf app.
DIY IP Threat Feed
This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.
Deploying Splunk Universal Forwarders via GPO
A guide to deploying the Splunk Universal Forwarder across Windows endpoints using a Group Policy Object and an Orca-generated MST transform file containing the deployment server and credentials.
Replacing the Default Splunk Web SSL Certificate
A step-by-step guide to generating an OpenSSL CSR, signing it with a pfSense Root CA, and configuring Splunk Web to use the resulting certificate chain via web.conf.
Tracking SSH Brute-force Logins with Splunk
This post demonstrates using Splunk field extraction and search queries to track SSH brute-force login attempts, identifying the top attacking usernames and source IP addresses via dashboards.
Running an Authoritative DNS Server
This post covers running a self-hosted BIND9 authoritative DNS server on FreeBSD, with examples of reconnaissance attempts seen in query logs and Splunk-based analytics.