This document contains an agenda for a Splunk Enterprise for Information Security Hands-On presentation taking place on December 1, 2016 in Long Beach. The presentation will cover topics like web attacks, lateral movement, and DNS exfiltration. It includes a safe harbor statement noting that any forward-looking statements are based on estimates and actual results could differ. It also provides login information for a hands-on environment containing over 5.5 million sanitized events.
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
https://splunkbase.splunk.com/app/2734/ (URL Toolbox)
DNS exfil detection – tricks of the trade
✓ parse URLs and complicated TLDs (top-level domains): multi-label public suffixes such as co.uk need a suffix list, not a split on the last dot
✓ calculate Shannon entropy of the attacker-controlled part of the name (the subdomain labels)
List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
Shannon Entropy
Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string
Examples
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)
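The two tricks of the trade above, suffix-aware domain parsing and Shannon entropy, combined into one detection pass. This is an added example in Python, not code from the deck and not URL Toolbox's own implementation: shannon_entropy() applies the same formula as ut_shannon (bits per character; it gives 1.88 for aaaaa.com and 2.65 for google.com, which the slide truncates to 1.8 and 2.6), and split_domain() stands in for ut_parse with a tiny public-suffix set. The suffix set, the key=value DNS log lines, the example.net / example.co.uk names, and the thresholds of 3.0 bits and 30 characters are all constructed assumptions for the example, not values from the presentation or its 5.5-million-event dataset.

```python
"""Entropy-based DNS exfiltration triage over constructed DNS log lines.

Added example, not code from the original deck or from Splunk's URL Toolbox.
shannon_entropy() implements the same formula ut_shannon applies; split_domain()
stands in for ut_parse's suffix-aware parsing with a tiny, constructed suffix set.
"""
import math
import re
from collections import Counter

# Constructed, deliberately tiny public-suffix set (assumption for the example).
# URL Toolbox ships a full list; the point is that "co.uk" is a suffix, so
# bbc.co.uk is the registered domain and a split on the last dot gets it wrong.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample log lines (not from the presentation's dataset).
DNS_LOG = """\
2016-12-01T10:01:02Z src=10.0.0.5 query=www.google.com type=A
2016-12-01T10:01:03Z src=10.0.0.5 query=mail.bbc.co.uk type=A
2016-12-01T10:01:04Z src=10.0.0.7 query=x7k2q9v4m1z8p3w6n5j0b2c4d6f8g0h1.example.net type=TXT
2016-12-01T10:01:05Z src=10.0.0.7 query=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.example.co.uk type=TXT
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character (ut_shannon's formula)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_domain(fqdn: str) -> tuple:
    """Return (subdomain, registered_domain, public_suffix).

    Candidate suffixes are tried longest-first, so 'co.uk' wins over 'uk'.
    """
    labels = fqdn.strip(".").lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:]), candidate
    # Unknown suffix: fall back to "the last label is the TLD".
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def score_query(fqdn: str, entropy_threshold: float = 3.0,
                min_subdomain_len: int = 30) -> dict:
    """Score one query name.

    Entropy is computed on the subdomain only, so the fixed registered domain
    does not dilute the score. Thresholds are assumed starting points, not
    values from the deck; tune them against your own baseline.
    """
    sub, reg, suffix = split_domain(fqdn)
    ent = shannon_entropy(sub)
    return {
        "query": fqdn,
        "subdomain": sub,
        "registered": reg,
        "suffix": suffix,
        "subdomain_len": len(sub),
        "entropy": round(ent, 2),
        # Long AND high-entropy: entropy alone would also flag short,
        # perfectly legitimate hostnames like "mail".
        "suspicious": ent >= entropy_threshold and len(sub) >= min_subdomain_len,
    }


def analyze_log(log_text: str, **thresholds) -> list:
    """Pull the query= field out of each key=value log line and score it."""
    out = []
    for line in log_text.splitlines():
        m = re.search(r"\bquery=(\S+)", line)
        if m:
            out.append(score_query(m.group(1), **thresholds))
    return out


if __name__ == "__main__":
    print(f"aaaaa.com  -> {shannon_entropy('aaaaa.com'):.2f} bits/char")
    print(f"google.com -> {shannon_entropy('google.com'):.2f} bits/char")
    for r in analyze_log(DNS_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['registered']:16} sublen={r['subdomain_len']:2} "
              f"H={r['entropy']:.2f} {r['query']}")
```

Two design points carry over to the real search: score the subdomain rather than the whole query name, because the registered domain is constant across every exfil chunk and only lowers the average, and always pair entropy with a length (or label-count) condition, since a four-character hostname can score 2.0 bits per character without meaning anything.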
The 8th Annual Splunk Worldwide Users’ Conference
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
CONF.SPLUNK.COM
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP