Splunk
by Cisco
Security information and event management (SIEM) platform for log analysis and monitoring
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SP 800-92 Executive Summary: "Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems." §2.2: "Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred." §3.4: "Security information and event management (SIEM) software is a type of centralized logging software that can perform log collection, log analysis, log aggregation and event correlation, log data storage, event monitoring, and reporting capabilities." §4.2: "Organizations should require logging and analyzing the data that is of greatest importance."
CIS Control 8 requires centralized log collection, standardized time sources, and log retention. Splunk provides enterprise log management capabilities.
Use case library with pre-built security detections mapped to MITRE ATT&CK. Covers threat hunting, compliance monitoring, and incident response.
NIST SP 800-61r2 §3.2.4: "Organizations should profile networks and systems to measure the characteristics of expected activity so that changes to it can be more easily identified." §3.2.5: "Log correlation is important because a single log entry may not contain enough information to draw a conclusion about the nature of the incident." §3.4.2: "Evidence should be collected according to procedures that meet all applicable laws and regulations."
Verification Commands
Commands and queries for testing and verifying security configurations.
index=main sourcetype=*auth* (failed OR failure OR denied) | stats count by user, src_ip
index=main sourcetype=*auth* action=failure | stats count by src_ip | where count > 10
index=main (sourcetype=WinEventLog:Security EventCode=4672) OR (sourcetype=linux_audit type=USER_AUTH) | stats count by user
| tstats count WHERE index=* by index, sourcetype | sort -count
| rest /services/saved/searches | table title, cron_schedule, is_scheduled, alert_type
Related Controls
Security controls from various frameworks that relate to Splunk.