SIEM, Splunk & Log Management

SIEM & Log Management in Brief

Situational picture is one of the biggest “hype words” at the moment. Most simply, a situational picture is an overview of your cyber security posture, generated from several log sources. At its best, a situational picture includes application logs, data communication logs, customer feedback systems, ticketing systems, as well as public news sources, threat intel and possibly much more. Building all this is challenging; mapping and defining needs, and deciding what’s “good enough”, is a cumbersome process.

What Mint Security delivers

We help identify the initial needs. We design the log management architecture from the point of view of performance, redundancy, log protection, as well as security. With regard to the protection of logs, it is essential to define who has access to which log.

In audit logs, our expertise is based on the demanding environments in the financial sector – our expertise is scalable both upwards and downwards.

Customer Needs and Challenges to Be Solved

Every customer environment is different and each customer has individual needs. However, the challenges we face can be roughly categorized as follows:

  • Situational picture of security devices
  • Situational picture of the infrastructure
  • Situational picture of the SecDevOps environment
  • Run-time logs for systems software
  • Compliance and audit logs
  • Visibility into SDLC, CI/CD pipelines and application development
  • Visibility into the cloud infrastructure
  • Integrating log observations in JIRA or Slack

Splunk

We have excellent expertise in Splunk. We prefer to do our SIEM deliveries with Splunk, because we can guarantee excellent results, we can support our customers all the way – planning, sizing, implementing, operating the system, managing content and creating alerts or SOC integrations.

Our Excellent Splunk Blogs

There is a lot to write about Splunk and the endless opportunities therein – so we have decided to share both expertise as well as opinions as separate blogs.

Thomas

Splunk vulnerability analysis – CVE-2024-29946 & CVE-2024-29945

Splunk vulnerability analysis – CVE-2024-29946 & CVE-2024-29945 in relation to a common threat model. DISCLAIMER – The author of this blog shall not be held responsible for any negative outcomes that may occur as a result of following advice given in this blog. Caveat emptor – use advice and ideas presented in this blog at your own risk.

Thomas

Splunk & Auditd with Defender ATP and Vulnerability Scanning

This blog post offers a few simple tricks and tips that will ensure that your security controls do not interfere with each other. The tricks are not really tricks, just plain old configurations which offer food for thought. As we know, Splunk is the most complex beast of a software out there.

Teemu

Installing Splunk with Ansible

Managing a Splunk installation can be a complex task, but with proper tools and processes, it will become a lot more approachable. Recently, a customer wanted to have a Splunk environment that they could install and manage with Ansible. So that is what we created.

Teemu

Scaling and managing Splunk Enterprise Installation

Clustered Splunk Enterprise installations are mainly managed by the related management nodes: the Indexer Cluster by the Cluster Master and the Search Head Cluster by the Search Head Cluster Deployer. Without an additional change management process, there is no easy way to track down what has been changed, by whom and when.

Thomas

Third place in Splunk BOTS 13.3.2019

Team Mint Security participated in the BOTS or BOSS of the SOC event which took place in Helsinki on the 13th of March. BOSS of the SOC is a Capture-the-flag (CTF) event using Splunk technology.


More details about our methods and tools

We are hard-core Splunk experts. However, our expertise is not product-specific: relying on our experience, we can conjure up views into big log data in any environment.

Below are some screenshots of actual (and anonymized) log analysis.


We do Splunk implementations worldwide. We prefer to do preparations offsite, initial planning as an onsite workshop, then installations and configurations over remote connections, and finalization, training and handover again onsite. We have a clear concept, but the final implementation is always up to the customer.


Splunk is one of the most popular and largest log management vendors today. Splunk is widely used, and there are lots of extensions and add-ons even for the most exotic use cases. Splunk can handle huge amounts of data and does not limit the source types or log formats in any way. Whatever you throw at it, we will work it out without expensive and time-consuming efforts.

Licensing

As part of our commitment to delivering an end to end solution, we also provide licenses for Splunk.

Contact us

Please do contact us. We most likely respond faster than you thought.