Splunk Enterprise Certified Admin Notes

I passed my Splunk Enterprise Certified Admin SPLK 1003 cert on September 11th, 2020. While I have been actively working with Splunk as part of my job, clearing the exam nonetheless requires a consistent and well-planned effort. All these points are taken from the exam blueprint: https://www.splunk.com/pdfs/training/Splunk-Test-Blueprint-Admin-v.1.1.pdf, updated with either the Splunk documentation link I studied to prepare for that specific part or a YouTube video I found useful. Along with these I also bought the Udemy course The Complete Splunk Enterprise Certified Admin Course 2020...

September 22, 2020 · 5 min

dnscat2: Command and Control over the DNS

No matter how tightly you restrict outbound access from your network, you probably allow the DNS protocol to at least one server. Adversaries can abuse this allowance in your firewall to establish stealthy Command and Control (C2) channels or to exfiltrate data in a way that is difficult to block. To understand the use of DNS for C2 tunneling, let’s take a look at Ron Bowes’s tool dnscat2, which makes it relatively easy to experiment with such attack techniques....

August 15, 2020 · 5 min

Detect Public S3 Bucket using Splunk

In today’s post, we will learn how to detect a public S3 bucket using Splunk. Later, we will see how we can respond to such incidents and even prevent them from happening in the first place. As you will see in the following examples, there are multiple ways to create an S3 bucket and make it public. Also, for this blog, I created some subdomains of logsec.cloud in Route53. Scenario 1: Using the AWS Web Console. Create an S3 bucket and go to “Permissions” - “Access Control List” - “Public Access” - “Everyone” - Access to the objects -...

June 20, 2020 · 4 min

Investigating S3 Scanning Activities on AWS

During the past week, we detected some suspicious activities across multiple AWS accounts in one of our clients’ environments. These activities seem related to scanning of S3 buckets by a bad actor. One of the sample logs from the S3 access logs: 84fd7086179626a759fb59a0252a26d26dc1685e30f0ab922266b5abace8f998 <AWS-ACCOUNT-ID>-config-org-bucket [01/Jun/2020:13:27:34 +0000] 10.247.13.187 arn:aws:iam::799199334739:user/starling-ladyblackhawk-iad-prod 9WDX6MBZFQ6Z6RDR REST.HEAD.BUCKET - "HEAD / HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "AWSConfig" - wFvPfIaSbdpcnNMdcTj+BNWn00r3OfqHV8sTt8gUXMzLA7O/MiWg+NPckix2TThK15V/p1JigVc= SigV4 ECDHE-RSA-AES128-SHA AuthHeader <AWS-ACCOUNT-ID>-config-org-bucket.s3.amazonaws.com TLSv1.2 The first thing that drew our attention to this specific log is the username starling-ladyblackhawk-iad-prod; the question to ask at this stage is whether this is a rogue IAM user?...

June 4, 2020 · 5 min

Git Notes

Git is a version control system. Basically, if someone changes a file (opens a document and writes something in it, changes a line of code, and so on), it records the differences between the new version and the old version and maintains a history. This allows people to preserve differing versions, go back in time to earlier ones, review changes as they have occurred over time, and so on....

May 15, 2020 · 2 min

Ingest VPC Flow Logs with Additional Meta-Data to Splunk

In this blog post, we will learn how to ingest VPC flow logs with additional metadata into Splunk. We will start by creating VPC flow logs using Terraform and pushing the logs to S3, then ingest these logs from S3 into Splunk using Amazon Kinesis. Finally, we will make some changes to Splunk’s props.conf file for correct field extraction of the additional VPC flow log fields. All Terraform files are available to download from my GitHub repo....

May 1, 2020 · 4 min