In this project, we delve into the development and enhancement of an operational intelligence dashboard within a Security Information and Event Management (SIEM) system using Splunk. The primary focus is on investigating suspicious activities and integrating new panels into the dashboard for more efficient monitoring and analysis.
- Splunk Enterprise
- Suricata and Fortigate logs
- Linux Environment
Counter for Suricata alerts produced by real-time traffic analysis and packet logging. Command => index=* sourcetype=suricata event_type=alert alert.category!="" | stats count as Total
Display the alert category table in real time. Command => index=* sourcetype=suricata event_type=alert alert.category!="" | stats count by alert.category | sort count desc
Clicking on any of the events below provides quick access to the Suricata actions and signatures behind that category.
Counter for firewall policy violations and network anomalies, based on the firewall rules and configuration:
Command => index=* sourcetype=fortigate_utm level=alert | stats count as Total
Display Attack vector table in real-time:
Command => index=* sourcetype=fortigate_utm level=alert | stats count by attack | sort count desc
Clicking on any of the events lets us identify the possible exploitation attempt, e.g. "Apache.Roller.OGNL.Injection.Remote.Code.Execution".
Conduct OSINT to investigate the vulnerability behind the signature:
Apache Roller (Apache Software Foundation) prior to 5.0.2, CVE ID: CVE-2013-4212
A severity pie chart in Splunk gives security analysts an immediate view of how alerts are distributed by severity, so that critical threats can be prioritised and resources allocated efficiently. It helps with trend spotting, speeds up incident response, simplifies compliance reporting and makes monitoring more efficient. The chart also serves as a communication aid for stakeholders and supports historical analysis of how effective the security measures have been.
Command Suricata Pie Chart => index=* sourcetype="suricata" event_type=alert | stats count by alert.severity
Command Fortigate Pie Chart => index=* sourcetype="fortigate_utm" level=alert | stats count by severity
Hovering the mouse over a slice of the pie chart shows its statistics.
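To make clear what the dashboard searches above actually compute, here is an added example (not part of the original project) that replicates the Suricata and Fortigate panel logic offline in Python: the alert counter, the count-by-category and count-by-attack tables sorted descending, and the count-by-severity data behind the pie charts. The event lines, the field layout and every signature name except the Apache Roller one are constructed assumptions, not captured logs.

```python
import json
import shlex
from collections import Counter

# Constructed sample events for demonstration only (not captured traffic).
# Suricata EVE JSON: includes one flow record and one alert with an empty category,
# both of which the dashboard search filters out.
SURICATA_EVE = [
    '{"event_type":"alert","alert":{"signature":"ET SCAN Nmap Scripting Engine","category":"Attempted Information Leak","severity":2}}',
    '{"event_type":"alert","alert":{"signature":"ET WEB_SERVER Possible SQLi","category":"Web Application Attack","severity":1}}',
    '{"event_type":"alert","alert":{"signature":"ET WEB_SERVER Possible XSS","category":"Web Application Attack","severity":1}}',
    '{"event_type":"flow","flow":{"pkts_toserver":3}}',
    '{"event_type":"alert","alert":{"signature":"GPL MISC","category":"","severity":3}}',
]
# Fortigate UTM key=value syslog (constructed); the last line is level=warning, not alert.
FORTIGATE_UTM = [
    'date=2024-01-01 time=10:00:01 type="utm" subtype="ips" level="alert" severity="critical" attack="Apache.Roller.OGNL.Injection.Remote.Code.Execution" srcip=10.0.0.5',
    'date=2024-01-01 time=10:00:02 type="utm" subtype="ips" level="alert" severity="high" attack="SQL.Injection.Generic" srcip=10.0.0.6',
    'date=2024-01-01 time=10:00:03 type="utm" subtype="ips" level="alert" severity="critical" attack="Apache.Roller.OGNL.Injection.Remote.Code.Execution" srcip=10.0.0.7',
    'date=2024-01-01 time=10:00:04 type="utm" subtype="webfilter" level="warning" severity="medium" attack="Other" srcip=10.0.0.8',
]

def suricata_alerts(lines):
    # Equivalent of: sourcetype=suricata event_type=alert alert.category!=""
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert" and ev.get("alert", {}).get("category"):
            yield ev["alert"]

def fortigate_alerts(lines):
    # Equivalent of: sourcetype=fortigate_utm level=alert
    for line in lines:
        # shlex strips the double quotes Fortigate puts around string values
        ev = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        if ev.get("level") == "alert":
            yield ev

def count_by(events, field):
    # Equivalent of: | stats count by <field> | sort count desc (ties by field value)
    counts = Counter(ev[field] for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))

def suricata_panels(lines=SURICATA_EVE):
    alerts = list(suricata_alerts(lines))   # "stats count as Total" is len(alerts)
    return {"Total": len(alerts), "by_category": count_by(alerts, "category"),
            "by_severity": count_by(alerts, "severity")}

def fortigate_panels(lines=FORTIGATE_UTM):
    alerts = list(fortigate_alerts(lines))
    return {"Total": len(alerts), "by_attack": count_by(alerts, "attack"),
            "by_severity": count_by(alerts, "severity")}
```

Feeding real EVE JSON or Fortigate syslog lines to the two `*_panels` functions reproduces the panel values, which is a quick way to sanity-check the dashboard against the raw logs.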