Episode 13 - I Didn’t Know Splunk Could Do That
This statement follows us wherever we go, whether during an assessment or an implementation. Seasoned security professionals and long-time Splunk users are still surprised by some of the features available in Splunk ES. In this episode we share some of these elusive capabilities so that you can get the most out of this best-in-class SIEM.
Notes:
REST API: use Splunk to search Splunk, for example to list every saved search on the search head
Finding misconfigurations quickly: the query below lists every enabled, scheduled search with its app, cron schedule, schedule window, dispatch time range, actions and author, so gaps (no actions, all-time searches, no schedule window) stand out in one table
| rest splunk_server=local count=0 /services/saved/searches
| rename eai:acl.app as app, title as csearch_name
| search csearch_name="*" disabled=0 cron_schedule!=""
| table csearch_name, app, cron_schedule, schedule_window, dispatch.earliest_time, dispatch.latest_time, actions, disabled, author, description
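The same audit can be run outside the search bar against the REST endpoint the SPL above queries. The following is an added example written for this page, not code from the podcast or from Splunk: it parses the JSON form of /services/saved/searches, keeps only enabled scheduled searches, and flags the misconfigurations a practitioner usually looks for (all-time time range, a cron that fires every minute, no schedule window on a frequently running search, and no actions attached). The sample payload is constructed to mimic the endpoint's shape; the base URL, token and search names are assumptions.

```python
"""Audit Splunk saved searches for common scheduling misconfigurations.

Added example, not from the podcast page or from Splunk. It mirrors the
show's SPL (| rest /services/saved/searches) in Python and runs offline
against a constructed sample payload shaped like
/services/saved/searches?output_mode=json (only the audited fields).
"""
import json
import urllib.request

# Constructed sample entries (not real search definitions).
SAMPLE_PAYLOAD = json.dumps({
    "entry": [
        {"name": "Example - Suspicious Script Execution - Rule",
         "acl": {"app": "DA-ESS-ContentUpdate"},
         "content": {"disabled": False, "is_scheduled": True,
                     "cron_schedule": "*/5 * * * *", "schedule_window": "auto",
                     "dispatch.earliest_time": "-70m@m",
                     "dispatch.latest_time": "-10m@m",
                     "actions": "notable,risk"}},
        {"name": "Example - Excessive Failed Logins - Rule",
         "acl": {"app": "SplunkEnterpriseSecuritySuite"},
         "content": {"disabled": False, "is_scheduled": True,
                     "cron_schedule": "* * * * *", "schedule_window": "0",
                     "dispatch.earliest_time": "0",
                     "dispatch.latest_time": "now",
                     "actions": ""}},
        {"name": "Example - Old Daily Report",
         "acl": {"app": "search"},
         "content": {"disabled": True, "is_scheduled": True,
                     "cron_schedule": "0 6 * * *", "schedule_window": "0",
                     "dispatch.earliest_time": "-24h@h",
                     "dispatch.latest_time": "now",
                     "actions": "email"}},
    ]
})


def enabled_scheduled(entries):
    """Yield entries that are enabled and actually on a schedule (same filter as the SPL)."""
    for entry in entries:
        c = entry["content"]
        if not c.get("disabled") and c.get("is_scheduled") and c.get("cron_schedule"):
            yield entry


def audit_entry(entry):
    """Return the list of issue codes for one saved search (empty list = clean)."""
    c = entry["content"]
    issues = []
    # An empty or "0" earliest time means the search scans all time on every run.
    if c.get("dispatch.earliest_time", "") in ("", "0"):
        issues.append("all_time_search")
    cron = c.get("cron_schedule", "")
    minute_field = cron.split()[0] if cron else ""
    if cron == "* * * * *":
        issues.append("runs_every_minute")
    # Frequently running searches without a schedule window pile up on the scheduler.
    if minute_field.startswith("*") and c.get("schedule_window", "0") in ("", "0"):
        issues.append("no_schedule_window")
    # A scheduled search with no actions runs but its results go nowhere.
    if not c.get("actions", "").strip():
        issues.append("no_actions")
    return issues


def audit(payload_json):
    """Map search name -> {app, issues} for every enabled scheduled search with problems."""
    findings = {}
    for entry in enabled_scheduled(json.loads(payload_json)["entry"]):
        issues = audit_entry(entry)
        if issues:
            findings[entry["name"]] = {"app": entry["acl"]["app"], "issues": issues}
    return findings


def fetch_saved_searches(base_url, token):
    """Fetch the live payload with a Splunk authentication token.

    base_url is assumed to be the management port, e.g. https://splunk.example:8089;
    not called in this offline example.
    """
    req = urllib.request.Request(
        f"{base_url}/services/saved/searches?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PAYLOAD), indent=2))
```

On the sample, the disabled report is skipped, the five-minute rule is clean, and the every-minute rule is flagged for all four issues. Point fetch_saved_searches at a real search head to audit a live deployment.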
Using the ES Assets framework as a CMDB: merge multiple sources (CMDB exports, scanner output, DHCP/AD data) into one asset list. It is not "perfect", but combining sources pushes the probability of an incorrect record out to 3-4 standard deviations.
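To make the multi-source/merge idea concrete, here is an added illustration written for this page; it is not the Splunk ES asset framework's own merge logic. It assumes records keyed by ip, sources ordered from most to least trusted, each field taken from the first trusted source that has a non-empty value, and every disagreement between sources recorded so the residual error rate can be measured instead of guessed. The feeds are constructed sample data.

```python
"""Merge asset records from several sources into one row per asset key.

Added illustration, not Splunk ES code. Assumptions: `sources` is ordered
most-trusted first; a field is filled from the first source that has a
non-empty value; later sources only fill gaps, and any value that disagrees
with the one already chosen is logged as a conflict for review.
"""
from collections import defaultdict

# Constructed sample feeds (not real inventory data), most trusted first.
SOURCES = [
    ("cmdb", [
        {"ip": "10.1.1.5", "nt_host": "WEB01", "owner": "web-team",
         "priority": "high", "category": "pci"},
    ]),
    ("vuln_scan", [
        {"ip": "10.1.1.5", "nt_host": "web01.corp", "dns": "web01.corp.example",
         "priority": ""},
        {"ip": "10.1.1.9", "nt_host": "", "dns": "db02.corp.example",
         "priority": "critical"},
    ]),
    ("dhcp", [
        {"ip": "10.1.1.9", "nt_host": "DB02", "mac": "00:11:22:33:44:55"},
    ]),
]


def merge_assets(sources, key="ip"):
    """Return (merged rows keyed by `key`, conflicts keyed by `key`)."""
    merged = {}
    conflicts = defaultdict(list)
    for source, records in sources:
        for rec in records:
            k = rec.get(key)
            if not k:
                continue  # cannot merge a record with no key
            row = merged.setdefault(k, {key: k, "_sources": []})
            row["_sources"].append(source)
            for field, value in rec.items():
                if field == key or value in (None, ""):
                    continue  # empty values never overwrite or conflict
                if field not in row:
                    row[field] = value  # first non-empty value wins
                elif str(row[field]).lower() != str(value).lower():
                    conflicts[k].append((field, row[field], source, value))
    return merged, dict(conflicts)


def completeness(merged, required_fields):
    """Count assets that carry every required field (complete, total)."""
    complete = sum(all(row.get(f) for f in required_fields) for row in merged.values())
    return complete, len(merged)


if __name__ == "__main__":
    rows, disputes = merge_assets(SOURCES)
    for ip, row in rows.items():
        print(ip, row)
    print("conflicts:", disputes)
    print("complete:", completeness(rows, ("nt_host", "owner", "priority")))
```

The conflict list is the useful output: the hostname disagreement on 10.1.1.5 is exactly the kind of record that needs a human decision, while 10.1.1.9 is assembled cleanly from scanner and DHCP data but still lacks an owner.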
Workflow actions: customize your one-clicks, the field-level pivots that open a URL or run a search from an event value