Detect insiders and advanced attackers in your environment with the free Splunk Security Essentials app. This app uses Splunk Enterprise and the power of our Search Processing Language (SPL) to showcase 55+ working examples of anomaly detection related to entity behavior analysis (UEBA). Each use case includes sample data and actionable searches that can immediately be put to use in your environment.
The use cases leverage analytics to give analysts the ability to detect unusual activities, such as users who print more pages than usual (spike detection) or log on to new servers (first-seen behavior), to see when adversaries change file names to evade detection, and more. Each use case includes the expected alert volume, an explanation of how the search works, and a description of the security impact. You can also save searches directly from the app to leverage any alert actions you have installed, such as creating a Notable Event or Risk Indicator in ES, an External Alarm in UBA, or sending an email for review.
Search Activity helps Splunk champions monitor users, grow usage, and understand personas. It provides metrics on use, organizational information, and adoption. Install it and answer all manner of Splunk questions, such as:
To provide answers, this app features an accelerated data store, 75+ reports, dashboards, alerting capabilities and more. It is run in hundreds of Splunk installations both massive (tens of terabytes) and small (gigabytes).
This app is built to help people learn new search techniques, with real data and fun examples. So far in the app, there are examples for:
Newsletters are a great technique for motivating your users, informing them about the latest and greatest, and more! This app helps you automate the process of creating a Newsletter for the latest and greatest in Splunk.
The app contains scripts that pull from the official Splunk events, blogs, and answers sites and let you highlight the items that are interesting to your users. Finally, you can either send the newsletter via Splunk or copy and paste it into your email client to send out manually.
This is the companion app to the Security Ninjutsu (Ninjitsu) presentation at .conf 2015, containing the searches from the presentation (currently: most; soon: all).
This search add-on adds workflow actions to the ES Notable Event and ES Threat Activity events so that an analyst looking at either can drill down from a threat activity indicator to the underlying raw events.
For comparing indexer performance, understanding operators, or analyzing log levels (INFO .. CRIT), you have to leverage search.log. Indexing it isn't scalable, though. Every five minutes, this app launches a scripted input that reviews the local dispatch directory for any search.log files and parses the details out into a JSON blob that is written to index=_internal.
Details so far:
Overall, this should provide some trending information and, specifically, make it possible to detect an indexer that is slower than the rest.