Importing NetSuite data in Splunk

Splunk provides tools to create custom dashboards and visualizations. By visualizing NetSuite data in Splunk, stakeholders get a clearer understanding of their operations and can make data-driven decisions. Organizations also maintain compliance by tracking and analyzing changes and activities within NetSuite, so it makes sense to have that data available in Splunk in order to perform analysis and detection on it.

Filtering prometheus metrics based on a label combination in open-telemetry

Some applications charge per ingested metric time series, so you may need to filter out metrics you're not actively using. For example, when metrics are ingested into Splunk with otel-collector from Prometheus endpoints, you can exclude metrics that carry a particular label combination.

The solution involves using  to drop the metrics. Metric relabeling is applied to samples as the last step before ingestion.

Drop DEBUG entries when indexing a log file in Splunk

Sometimes, due to licensing constraints and large volumes of events, you may need to resort to indexing only the relevant entries from a log file. Typical cases are when DEBUG mode has been enabled and cannot be turned off, or when you'd like to discard a repeated log entry from indexing.

Filtering can be achieved through an app on the indexer. Filtering works based on the sourcetype defined in inputs.conf on the universal forwarder.

Converting a nested JSON to table in Splunk using successive spath commands

A JSON document consists of key-value pairs which can be in any order, nested, or arranged in arrays. Splunk provides commands for extracting information from structured documents, but when dealing with a nested JSON document you'll have to employ some additional tricks to bring it into a tabular format.

Loading log4j callback urls from a threat intelligence url feed in Splunk Enterprise Security

At a high level, the following steps need to be followed for threat intelligence uploaded from a URL to generate threat activity or create notables from matches in Splunk Enterprise Security:
Run Discourse with other sites on Apache web server

Discourse is a discussion forum that runs in a Docker container. Its default installation uses a setup script which takes care of all the important settings, such as capturing the SMTP configuration used to reach your users with transactional e-mails, and even generates a certificate for you using Let's Encrypt. The values entered during setup are saved in containers/app.yml.

Writeup for Hackthebox: Popcorn

Popcorn is a box that mimics a real-world scenario. Attackers establish the initial foothold by exploiting a vulnerability in a web app.

An nmap scan shows that ports 80 and 22 are open.

Writeup for Hackthebox: October

October is a slightly difficult box. An attacker needs to apply some advanced techniques to gain root access. The complexity lies in identifying a buffer overflow and exploiting it with the tools available on a Linux system.

Perform an nmap scan of the system.

Writeup for Hackthebox: Craft

The initial foothold is established through a very common developer mistake: a code repository contains a set of credentials inadvertently included in one of the commits.

Perform a port scan using nmap:

Writeup for Hackthebox: Postman

On the Postman box, the initial foothold is established by exploiting a security misconfiguration in Redis. Through this vector an attacker can establish an SSH connection as an unprivileged user.

Enumerate using nmap and notice that the Redis port is open.

Writeup for Hackthebox: Haystack

Nmap detects three open ports: SSH, HTTP and Elasticsearch.

Writeup for Hackthebox: Traverxec

Traverxec is a box labeled Easy, where the initial foothold is established by exploiting improper security settings, followed by abusing a UNIX binary to bypass local security restrictions. Enumeration reveals two open ports: SSH and HTTP.

Writeup for Hackthebox: Heist

Heist is a box labeled Easy that contains practical enumeration techniques and attack vectors. The initial foothold is achieved by leveraging an improper security configuration. Start by checking which ports are open.

Send Slack alerts when large AWS EC2 instances are launched

Once you begin collecting AWS data in Splunk using the Splunk Add-on for AWS, a lot of detection capabilities open up. We will cover the use case of detecting when large EC2 instances are launched, such as instance types 2xlarge, 4xlarge or 8xlarge, with or without GPU.

Due to their high CPU and memory specs, such instances are prime targets for cryptocurrency miners, and capturing the launch of such instances can indicate a compromised AWS access key.

Generate configuration files for Splunk Add-on for AWS using Ansible

The Splunk Add-on for AWS is an add-on supporting data collection from AWS services. At the time of writing, it can seamlessly collect AWS Config, AWS Config Rules, AWS CloudTrail, CloudWatch, CloudWatch Logs, Amazon Inspector, Kinesis, S3 via SQS and billing data.

Monitor MySQL DB performance with Nagios

Nagios can easily be set up to graph MySQL database performance metrics. The set of indicators is graphed by pnp4nagios, a performance data analyzer and grapher for Nagios.