![Page 1: stoQ’ing your Splunk · Ryan Kovar •Staff Security Strategist @Splunk •Does Security things and then talks about them •17+ years defending networks private sector](https://reader034.vdocuments.net/reader034/viewer/2022042123/5e9f1c9904e46c05ab04c9af/html5/thumbnails/1.jpg)
stoQ’ing your Splunk
Ryan Kovar, Splunk
Marcus LaFerrera, PUNCH
SANS DFIR 2016
Ryan Kovar
• Staff Security Strategist @Splunk
• Does Security things and then talks about them
• 17+ years defending networks, private sector

Marcus LaFerrera
• Director of Development @PUNCH
• Lead stoQ Developer
• 18+ years supporting the government
Agenda
• Overview of stoQ
• Overview of Splunk
• A DFIR use case walkthrough
• Questions
TOOL * N == :(
NOTHING COMMUNICATES, AND MOST TOOLS REQUIRE MANUAL INTERACTION
HOW’S THE WEATHER OUT THERE, OLLIE?
IT’S CYBER
stoQ
STOQ IS A FRAMEWORK THAT ENABLES EVERYONE TO AUTOMATE PROCESSES, ANALYTICS, AND JUST ABOUT ANYTHING ELSE
AUTOMATE AND REDUCE THE MAJORITY OF YOUR MOST MUNDANE ANALYTIC TASKS
LEVERAGE ALL OF YOUR TOOLS SIMULTANEOUSLY, AND SAVE THOSE RESULTS FOR LATER
IT’S A FORCE MULTIPLIER
LOOK AT YOUR DATA, RATHER THAN SEEKING WAYS TO CAPTURE OR PRODUCE IT
COMMAND LINE, INTERACTIVE SHELL, OR FULLY AUTOMATED
EVERYTHING IS A PLUGIN, FROM INPUT TO OUTPUT AND EVERYTHING IN BETWEEN
Tell me more about Plugins…
• Very simple and easy to write
• Lots of documentation and examples
• stoQ does most of the heavy lifting
Over 40 stoQ Plugins Available
• E-mail Parser
• VTMIS
• TotalHash
• Yara
• Censys
• Fireeye
• IOC Extract
• Pastebin
• PassiveTotal
• ClamAV
• Opswat
• TRiD
• RabbitMQ
• Suricata
• Tika
• PEinfo
• Excel
• XOR
• Base64
• Bit Rotation
• Bro Intel
• Fluentd
• Google Cloud Storage
• Amazon S3
• Slack
• ThreatCrowd
• MongoDB
• ElasticSearch
• Exif
• And many more…
IT’S OPEN SOURCE
Meets Key Needs of SOC Personnel
• Monitor & Alert
• Search & Investigate
• Custom Dashboards & Reports
• Analytics & Visualization

Splunk Can Ingest ALL THE DATA
Real-time Machine Data: Cloud Apps, Servers, Web, Network Flows, DHCP/DNS, Custom Apps, Badges, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication, Storage, Industrial Control, Mobile
External Lookups / Enrichment: Threat Feeds, Asset Info, Employee Info, Data Stores, Network Segments
Security Intelligence Platform
Then Build Security Dashboards
• Incident Investigations & Management
• Dashboards and Reports
• Statistical Outliers
• Asset and Identity Aware
The Splunk App for stoQ
THE STOQ DFIR APP FOR SPLUNK!
• ALLOWS YOU TO VISUALIZE STOQ RESULTS
• MAKE CONNECTIONS THAT WERE DIFFICULT TO SEE BEFORE
• QUICKLY PIVOT TO NEW DATA SOURCES
• APPLY THREAT INTELLIGENCE TO STOQ DATA
A DFIR Scenario
You are an analyst at a Fortune 100 company
A user reports an email with a suspicious attachment
We need to quickly determine whether the attachment is benign or malicious
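The two ideas the deck leans on, "everything is a plugin, from input to output" and the suspicious-attachment triage that follows, are easier to see in code than in slides. The block below is an added example written for this page; it is not stoQ's own framework or plugin API, and it is not the code behind the Splunk App for stoQ. Everything in it is an assumption made here: the plugin class names, the toy regex rules standing in for a Yara worker, the constructed phishing e-mail and attachment (harmless text that only contains the strings the rules look for), and the JSON-lines event layout as one shape a Splunk file monitor or HTTP Event Collector input could take. It shows the shape of the pipeline: an input plugin pulls attachments out of the mail, worker plugins hash and scan each payload, and an output plugin renders one event per attachment so the results can be searched and pivoted on later rather than re-run by hand.

```python
"""
Illustrative stoQ-style triage pipeline (example code for this page, not
stoQ's own framework or plugin API). Plugin names, rules, the sample mail
and the event layout are all assumptions made for the illustration.
"""
from __future__ import annotations

import hashlib
import json
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed attachment: plain text that merely contains the markers the
# toy rules below look for. It is not a real macro document or malware sample.
SAMPLE_ATTACHMENT = (
    b"Sub AutoOpen()\r\n"
    b'  Set sh = CreateObject("WScript.Shell")\r\n'
    b'  sh.Run "powershell -enc ..."\r\n'
    b"End Sub\r\n"
)


def build_sample_email() -> bytes:
    """Constructed phishing-style message carrying SAMPLE_ATTACHMENT."""
    msg = EmailMessage()
    msg["From"] = "accounts@invoice.example"
    msg["To"] = "analyst@corp.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="invoice.xlsm")
    return msg.as_bytes()


class WorkerPlugin:
    """Base for worker plugins: take a payload, return a dict of results."""
    name = "worker"

    def scan(self, payload: bytes) -> dict:
        raise NotImplementedError


class Hashes(WorkerPlugin):
    """Hash the payload so the analyst can pivot on it later (VT, Splunk, ...)."""
    name = "hashes"

    def scan(self, payload: bytes) -> dict:
        return {algo: hashlib.new(algo, payload).hexdigest()
                for algo in ("md5", "sha1", "sha256")}


class ToySignatures(WorkerPlugin):
    """Stand-in for a Yara worker: regex rules over the raw bytes (assumed rules)."""
    name = "signatures"
    RULES = {
        "vba_autoopen": re.compile(rb"Sub\s+AutoOpen\s*\(", re.I),
        "wscript_shell": re.compile(rb"WScript\.Shell", re.I),
        "encoded_powershell": re.compile(
            rb"powershell(\.exe)?\s+-(enc|encodedcommand)\b", re.I),
    }

    def scan(self, payload: bytes) -> dict:
        return {"matches": sorted(n for n, rx in self.RULES.items() if rx.search(payload))}


def email_input(raw: bytes):
    """Input plugin: parse the mail and yield (payload, metadata) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_payload(decode=True), {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "mail_from": str(msg["From"]),
            "mail_to": str(msg["To"]),
            "subject": str(msg["Subject"]),
        }


def run_pipeline(raw: bytes, workers: list) -> list:
    """Run every worker against every attachment; one event per attachment."""
    events = []
    for payload, meta in email_input(raw):
        event = {"sourcetype": "stoq:example", "size": len(payload), **meta, "results": {}}
        for worker in workers:
            event["results"][worker.name] = worker.scan(payload)
        hits = event["results"].get(ToySignatures.name, {}).get("matches", [])
        # Rule hits are a triage signal, not proof: the verdict only says "look here".
        event["verdict"] = "suspicious" if hits else "no_signature_hits"
        events.append(event)
    return events


def to_json_lines(events: list) -> str:
    """Output plugin: one JSON object per line, as a Splunk file monitor or HEC input could take."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def triage_sample() -> list:
    """End-to-end run over the constructed e-mail."""
    return run_pipeline(build_sample_email(), [Hashes(), ToySignatures()])


if __name__ == "__main__":
    print(to_json_lines(triage_sample()))
```

Swapping the toy rules for a real Yara worker, or adding a worker that queries a reputation service with the SHA256, changes nothing in the pipeline: each worker only sees the payload and contributes its own key to the event, which is the point of the plugin model. Keep the hashes in every event even when no rule fires; a "no hits" verdict today is what you search for when intelligence arrives next week.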
SPLUNK PLACEHOLDER
WHERE DO I GET ALL OF THIS INCREDIBLENESS???
https://splunkbase.splunk.com/app/3196/
http://stoq.punchcyber.com
Questions? Try it out instead
Ryan Kovar
@meansec
Marcus LaFerrera
@mlaferrera
https://demo.stoq.io
Username: dfir2016
Password: stoqingyoursplunk