What insights can you get into IT operations with Splunk?

We can forward many different kinds of logs to Splunk to gain insight into your business and to:
- Gain a deeper understanding using all relevant information, especially machine data, which can reveal important patterns and analytics by correlating events from many sources
- Reduce the time to detect important events
- Leverage live feeds and historical data to understand what is happening, identify anomalies, and make effective decisions
- Quickly deploy a solution and deliver the flexibility needed now and in the future
Below we have listed a few common types of logs that are forwarded to Splunk to get operational intelligence out of your data.
Security Data Sources
- Proxy logs = good for C2 analysis of files, domains, and downloads of DLL/EXE files
- Anti-virus logs = good for analysis of malware and of vulnerabilities on hosts, laptops and servers, and for monitoring suspicious file paths
- Server Operating System logs = good for analysis of server activity such as users, runaway services and security logs
- Firewall logs = network traffic by source/destination IP address, port and protocol
- Mail logs = inbound/outbound mail, checked for malicious links, targeted recipients, unauthorized outbound files, data loss and bad attachments
- Custom application logs = can be analyzed for possible buffer overflow, code injection and SQL injection attempts
- Intrusion Prevention System logs = capture these to alert on signatures firing, COTS signatures, and threat analysis of bad network packets
- Intrusion Detection System logs = capture these to alert on signatures firing, custom signatures and bad network packets
- Database logs = capture these to track authorized access to critical data tables, authorized logons, open ports and admin accounts
- Virtual Private Network (VPN) logs = capture these to analyze users coming into the network for situational awareness, monitored foreign IP subnets, and compliance monitoring of the browsers/apps on connected hosts
- Authentication logs = monitor authorized/unauthorized users, time of day of connection, how often, logons/logoffs, BIOS analysis
- Vulnerability Scan Data = import data about assets, vulnerabilities, patch status, etc.
- Web Application logs = external-facing logs to monitor suspicious SQL keywords, text patterns and regexes for threats coming in through the browser
- DNS logs = correlate which IPs are going to which domains at the client level
- DHCP logs = monitor which systems are assigned which IP address, for how long and how often
- Active Directory/Domain Controller logs = monitor user accounts for AD admins, privileged accounts, remote access, multiple admins across the domain, new account creation, event IDs
- Badge Access logs = capture these to correlate insider threat and situational awareness; correlate with authentication logs
- Router/Switch data (NetFlow) = capture this critical data source for APT monitoring, network monitoring, data exfiltration and flow analysis; this is a very important data source
- Packet Capture logs (PCAP) = capture this very critical data source for APT and data exfiltration awareness, packet analysis, deep packet inspection, malware analysis, etc.
Useful combinations of data sources
- FW + AV = helps detect and respond to viruses and worm propagation
- IPS + AV + FW = detect/alert on network-based attacks such as buffer overflow, reconnaissance scans and code injection
- PROXY = monitor the majority of web-based/application-layer attacks such as cross-site scripting, session hijacking and browser redirects
- AV + PROXY = monitor/detect/respond to downloads of bad files, remote code execution and other web-based attacks
- FW + PROXY = detect outbound data exfiltration and potentially misconfigured firewall rules
- IPS + FW = monitor all network packet signature threats
- AD Server = monitor all user/group modifications, deletions and updates for administrators
- AD + PROXY = monitor/detect/alert for post-compromise analysis and lateral movement
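The FW + PROXY pairing above, worked through as an added example (not code from the original page): firewall allow records for outbound web traffic are matched against proxy records, and any external web connection the proxy never saw is flagged as a proxy bypass (a likely misconfigured firewall rule), with large byte counts additionally flagged for an exfiltration review. The key=value log format, the 10.0.0.0/8 internal range and the 100 MiB threshold are assumptions, and all events are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events (not real data). Firewall lines carry the decision and
# outbound byte count; proxy lines show which client/destination pairs the proxy served.
FIREWALL_LOG = """\
src=10.0.1.5 dst=203.0.113.10 dport=443 action=allow bytes_out=524288000
src=10.0.1.7 dst=203.0.113.22 dport=443 action=allow bytes_out=81920
src=10.0.1.7 dst=198.51.100.9 dport=80 action=allow bytes_out=4096
src=10.0.1.9 dst=10.0.2.30 dport=445 action=allow bytes_out=120000
src=10.0.1.5 dst=203.0.113.10 dport=443 action=deny bytes_out=0
"""
PROXY_LOG = """\
client=10.0.1.7 dest=203.0.113.22 host=updates.example.net status=200
client=10.0.1.7 dest=198.51.100.9 host=cdn.example.org status=200
"""

KV = re.compile(r"(\w+)=(\S+)")
WEB_PORTS = {"80", "443"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # assumed internal address space
EXFIL_BYTES = 100 * 1024 * 1024                 # assumed threshold; tune per environment

def parse(text):
    """Turn key=value log lines into dicts, skipping blank lines."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def correlate(fw_text, proxy_text, exfil_bytes=EXFIL_BYTES):
    """Return {(src, dst): [reasons]} for allowed external web egress worth review."""
    proxied = {(e["client"], e["dest"]) for e in parse(proxy_text)}
    findings = {}
    for e in parse(fw_text):
        if e.get("action") != "allow" or e.get("dport") not in WEB_PORTS:
            continue
        if is_internal(e["dst"]):
            continue                            # internal traffic: not this rule's concern
        key = (e["src"], e["dst"])
        reasons = []
        if key not in proxied:
            reasons.append("proxy_bypass")      # direct web egress never seen by the proxy
        if int(e.get("bytes_out", 0)) >= exfil_bytes:
            reasons.append("large_outbound")    # volume high enough for an exfil review
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (src, dst), reasons in correlate(FIREWALL_LOG, PROXY_LOG).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```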