
Very important: https://www.gartner.com/en/research/magic-quadrant , https://www.capterra.com/siem-software/
https://github.com/sindresorhus/awesome , https://github.com/topics/awesome , https://awesome-indexed.mathew-davies.co.uk/ , https://awesomelists.top/ , https://www.trackawesomelist.com/
Very important: https://research.splunk.com/ , lantern.splunk.com
Very important: ensure each L1 (or any security analyst) knows all the details of a case before triaging it or sending it to the client.
Send a weekly newsletter of new CVEs so the client can update/upgrade to patch systems; collect all CVEs in an index and share them with each client based on that client's systems.
https://www.gartner.com/reviews/market/security-information-event-management




best heat map for jobs
https://www.cyberseek.org/heatmap.html

Best SIEM
https://www.peerspot.com/articles/how-to-select-the-right-siem-solution
https://www.peerspot.com/articles/the-math-of-siem-comparison
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8309804/table/sensors-21-04759-t003/?report=objectonly
https://www.peerspot.com/categories/security-information-and-event-management-siem
https://www.channelinsider.com/security/managed-security-service-providers-mssps/
https://www.trustradius.com/security-information-event-management-siem
https://www.guru99.com/best-siem-tools-software-solutions.html
https://codingcompiler.com/siem-tools-list
https://www.comparitech.com/net-admin/siem-tools/
https://www.peerspot.com/categories/security-information-and-event-management-siem
https://zcybersecurity.com/top-siem-tools-list/
https://www.itcentralstation.com/
https://itcs-data.s3.us-west-2.amazonaws.com/pc_docs/1911/docs/Security_Information_and_Event_Management_%28SIEM%29_Report_from_PeerSpot_2022-05-21_18rj.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJ3WCTZ6BJMFFX6EQ%2F20220531%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20220531T211418Z&X-Amz-Expires=7200&X-Amz-SignedHeaders=host&X-Amz-Signature=ce5ec457a4224ccb9285ce8da1e698402166139d5fbf389853ddeff151b4f39f
https://www.peerspot.com/landing/report-security-information-and-event-management-siem
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8309804/
https://stackshare.io/search/q=splunk
https://www.trustradius.com/products/alienvault/competitors
https://www.gartner.com/reviews/market/security-information-event-management
https://www.gartner.com/doc/reprints?id=1-26OPJUO9&ct=210630&st=sb



SIEM Design & Architecture
https://github.com/TonyPhipps/SIEM
C:\Users\ko\Downloads\ko\compliance and doc\SIEM architectures
https://www.sans.org/media/vendor/evaluator-039-s-guide-nextgen-siem-38720.pdf
https://zcybersecurity.com/top-siem-tools-list/
https://www.itcentralstation.com/articles/how-to-select-the-right-siem-solution
https://www.peerspot.com/landing/report-security-information-and-event-management-siem
https://www.youtube.com/c/ExabeamSIEM/playlists
https://www.trustradius.com/products/alienvault/competitors
https://www.exabeam.com/siem-guide/siem-analytics/

****************************************************************************************
Very Important to start with
******************************************************************************************
Baldrige Cybersecurity Excellence Builder (BCEB), Version 1.1
https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative
https://csrc.nist.gov/Projects/measurements-for-information-security/tools
NIST Risk Management Framework RMF https://csrc.nist.gov/Projects/risk-management/about-rmf


SigmaHQ
https://www.youtube.com/watch?v=ULT4Eb1_Wes
https://www.youtube.com/watch?v=jIpujayFX1E

open source
https://github.com/elastic/elasticsearch
https://github.com/Cyb3rWard0g/HELK


Best webinars
https://www.sans.org/webcasts/?per-page=100
https://www.coursera.org/lecture/real-time-cyber-threat-detection/design-of-siem-bbOIa
https://www.elastic.co/videos/?language=english&usecase=SIEM&region=All&industry=All


training
Kibana for Splunk SPL Users https://www.elastic.co/training/kibana-for-splunk-spl-users
https://www.elastic.co/training/
https://www.elastic.co/training/elastic-security-fundamentals-siem
https://www.elastic.co/videos/?language=english&usecase=SIEM&region=All&industry=All
https://learn.sumologic.com/path/sumo-security



Technology Review Platforms
https://www.capterra.com/review-management-software
https://www.g2.com/products/g2/competitors/alternatives
https://www.statista.com/company/22586448/tesla-inc
https://www.g2.com/products/splunk-enterprise-security/reviews#survey-response-4151675
https://www.trustradius.com/products/splunk-enterprise-security/reviews#comparisons
https://www.trustradius.com/products/elastic-security/reviews#overview
https://stackshare.io/search/q=splunk



Important articles
https://www.issa.org/wp-content/uploads/2021/07/ESG-ISSA-Research-Report-Life-of-Cybersecurity-Professionals-Jul-2021.pdf
https://www.csoonline.com/article/3395865/the-most-stressful-aspects-of-being-a-cybersecurity-professional.html
https://securityintelligence.com/articles/9-reasons-why-cybersecurity-stress-is-an-industry-epidemic/
https://www.cnbc.com/2019/10/11/65percent-of-stressed-out-cybersecurity-it-workers-think-about-quitting.html
https://money.usnews.com/careers/articles/why-information-security-analyst-is-the-no-1-job-of-2022
https://startacybercareer.com/5-most-stressful-jobs-in-cybersecurity/
https://learning.shine.com/talenteconomy/career-help/reasons-become-information-security-analyst/
https://www.softwaretestinghelp.com/big-data-tools/
https://theiabm.org/top-5-cybersecurity-mistakes-companies-make-avoid/

Chart Your Course to Become an MSP Client Solutions Expert


https://connect.comptia.org/blog/chart-your-course-to-become-an-msp-client-solutions-expert?utm_source=Informz&utm_medium
https://comptia.informz.net/COMPTIA/pages/client_solutions_mastery_path?utm_source=resources&utm_medium=blog&utm_campaign=CSMP
CompTIA has launched the Client Solutions Mastery Path course to help MSPs learn to create a growth strategy and plan, map clients’ business models, drive profitable engagements, develop long-term relationships, and grow the business.
C:\Users\ko\Downloads\ko\note\important plan and course



Keep track of Splunk feature changes
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Service/SplunkCloudservicechangelog
https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/MeetSplunk

elastic
https://www.elastic.co/events/videos
Important: the title is "From zero to hero: Developing a cybersecurity program from scratch with Elastic"

https://conf.splunk.com/watch/conf-online.html?search=incident%20response%20&search.products=1518807815929003Te8q#/

Splunk Conf 2021
https://conf.splunk.com/learn/session-catalog.html#/

Dataset for testing ATT&CK detections in Splunk
https://github.com/splunk/attack_data/

Splunk SOAR
https://education.splunk.com/category/phantom-courses





Compliance
List of all NIST Information Technology Laboratory Computer Security Resource Center
https://csrc.nist.gov/Projects/measurements-for-information-security/standards-guidelines
https://csrc.nist.gov/publications/search
https://github.com/usnistgov
https://csrc.nist.gov/projects/cprt/catalog#/cprt/home

Splunk Security and Compliance Services https://www.splunk.com/en_us/support-and-services/splunk-services/offerings/security-and-compliance-services.html
https://github.com/usnistgov/macos_security
Best User guide for splunk https://docs.splunk.com/Documentation/SSE/3.4.0/User/DataAvailability
cisecurity
https://learn.cisecurity.org/cis-ram-2-download


Very Important https://www.splunk.com/en_us/blog/security/investigating-gsuite-phishing-attacks-with-splunk.html
A knowledge graph of cybersecurity countermeasures
https://d3fend.mitre.org/
https://attack.mitre.org/techniques/T1566/
https://attack.mitre.org/mitigations/M1017/
https://engage.mitre.org/
https://car.mitre.org/
http://capec.mitre.org/
http://capec.mitre.org/data/downloads.html
https://atlas.mitre.org/
https://nvd.nist.gov/products/cpe
https://github.com/mitre
https://oval.mitre.org
https://cwe.mitre.org/data/definitions/699.html
https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
https://atlas.mitre.org/
https://github.com/atc-project/atc-react
https://attack.mitre.org/mitigations/M1052/
Monitor Splunk user activities: https://kobalt.splunkcloud.com/en-US/app/search/user_audit_dashboard?form.field2.earliest=-7d%40h&form.field2.latest=now


IR
https://raw.githubusercontent.com/atc-project/atc-react/323c3274a9c801e72ef6a88e101e83be236028c2/docs/images/react_navigator_export_v5.svg
https://github.com/atc-project/atc-react
https://atc-project.github.io/atc-react/Response_Actions/RA_2319_analyse_jar/
https://car.mitre.org/coverage/
https://github.com/meirwah/awesome-incident-response#playbooks
https://github.com/phantomcyber/playbooks
https://github.com/OTRF/ThreatHunter-Playbook/tree/master/playbooks
https://github.com/atc-project/atc-react/tree/master/response_playbooks
https://github.com/SigmaHQ/sigma/wiki/Tags
https://docs.microsoft.com/en-us/security/compass/incident-response-process

Compliance
https://www.cisecurity.org/controls/cis-controls-navigator/#collapse-a104
https://github.com/JArmandoG/CIS_Security
https://github.com/JArmandoG/CIS_Security/tree/main/CIS%20Security%2084650ef57d534c9baa6696370fc35608
Microsoft Security Best Practices https://docs.microsoft.com/en-us/security/compass/compass

open source threat intelligence
Spamhaus, SANS Internet Storm Center, Cybersecurity and Infrastructure Security Agency (CISA), community/crowd-based input


review
C:\Users\ko\Downloads\this_laptop\bitlooker



New apps
TA for Splunk / Start Basic Security Essentials for Splunk https://splunkbase.splunk.com/app/3771/
IT Essentials Work
https://splunkbase.splunk.com/app/5403/
IT Essentials Learn
https://splunkbase.splunk.com/app/5390/

Important blogs
Make prolonged, expensive service outages a thing of the past https://www.splunk.com/en_us/observability/on-call.html

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////


keycloak
******************************************************************************************
The user made several logins at volantecloud.com from different geolocations, and some of the IPs (e.g. 0.0...0) belong to the VPN
company https://surfshark.com/



The IP has no known malicious activity; read more about the IP at https://otx.alienvault.com/indicator/ip/


Recommendation:
Contact the user and help them understand the risk of the behaviour we have observed. Confirm that the activity is expected; if it is not, reset their password as soon as possible.
Review the Keycloak guide section 18.3.1, Password Policies. Also configure section 18.2, Admin Endpoints and Console, in particular 18.2.1, IP Restriction.

******************************************************************************************
AWS
*********************************************


Not authorized to perform iam:PassRole error
AWS
Recommendation:
Contact the user and help them understand the risk of the behaviour we have observed. In general this error results from the policy configuration, so ensure the user is authorized to access cloudformation.amazonaws.com, then assign the required policy.

Review "Granting a user permissions to pass a role to an AWS service" and "Not authorized to perform iam:PassRole error – How to resolve".
https://bobcares.com/blog/not-authorized-to-perform-iampassrole-error/
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
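As an added example (not from these notes or the AWS documentation), the least-privilege shape of the policy this recommendation points at: iam:PassRole limited to one role and conditioned on iam:PassedToService being CloudFormation, plus a deliberately simplified evaluator that shows which PassRole requests it allows and which still produce the error. The account id and role name are placeholders.

```python
"""
iam:PassRole statement for the CloudFormation case, plus a simplified evaluator.
The evaluator covers only what this policy uses (Effect Allow, exact Resource
match, StringEquals on iam:PassedToService); it is not a general IAM simulator.
"""

# Placeholder account id and role name (constructed, not from the notes).
STACK_ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-cfn-stack-role"

# Policy the IAM user or group needs so that PassRole succeeds only when the
# role is handed to CloudFormation. The user separately needs the relevant
# cloudformation:* actions (e.g. CreateStack); PassRole alone does not grant them.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassStackRoleOnlyToCloudFormation",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": STACK_ROLE_ARN,
            "Condition": {
                "StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}
            },
        }
    ],
}


def passrole_allowed(policy, role_arn, passed_to_service):
    """Return True if some Allow statement in `policy` permits passing
    `role_arn` to `passed_to_service` (simplified evaluation, see module doc)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "iam:PassRole" not in actions and "iam:*" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if role_arn not in resources and "*" not in resources:
            continue
        # With a StringEquals condition present, the request must carry a matching service.
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is None or wanted == passed_to_service:
            return True
    return False


if __name__ == "__main__":
    print(passrole_allowed(PASSROLE_POLICY, STACK_ROLE_ARN, "cloudformation.amazonaws.com"))  # True
    print(passrole_allowed(PASSROLE_POLICY, STACK_ROLE_ARN, "ec2.amazonaws.com"))             # False
```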


Windows
====================================
Windows events we should care about

Logon events Description
4624 A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
4625 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
4634 The logoff process was completed for a user.
4647 A user initiated the logoff process.
4648 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
4779 A user disconnected a terminal server session without logging off.
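As an added example (not part of these notes), detection logic over constructed Windows Security events using the event IDs from the table above: a run of 4625 failures for one account from one source followed by a 4624 success from that same source within a short window, and 4648 explicit-credential logons. Account names, IPs and timestamps are constructed.

```python
"""
Detection over Windows Security logon events (constructed sample records):
  - >= min_failures 4625 events for one account from one source, then a 4624
    success from that source within `window` (a guessed password that worked);
  - 4648 logons with explicit credentials, worth reviewing on their own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE, EXPLICIT_CREDS = 4624, 4625, 4648

# Constructed sample events: (ISO timestamp, EventCode, account, source IP).
SAMPLE_EVENTS = [
    ("2022-06-01T09:00:01", 4625, "a.user", "10.0.0.15"),
    ("2022-06-01T09:00:03", 4625, "a.user", "10.0.0.15"),
    ("2022-06-01T09:00:05", 4625, "a.user", "10.0.0.15"),
    ("2022-06-01T09:00:06", 4625, "a.user", "10.0.0.15"),
    ("2022-06-01T09:00:09", 4624, "a.user", "10.0.0.15"),
    ("2022-06-01T09:01:00", 4648, "svc_backup", "10.0.0.22"),
    ("2022-06-01T09:30:00", 4625, "b.user", "10.0.0.31"),
    ("2022-06-01T10:30:00", 4624, "b.user", "10.0.0.31"),  # one old failure: benign
    ("2022-06-01T11:00:00", 4634, "b.user", "10.0.0.31"),
]


def find_failure_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (account, src_ip, failure_count, success_time) for each 4624 that was
    preceded by >= min_failures 4625 events from the same source within `window`."""
    failures = defaultdict(list)  # (account, src_ip) -> failure timestamps
    findings = []
    for ts, code, account, src in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (account, src)
        if code == LOGON_FAILURE:
            failures[key].append(t)
        elif code == LOGON_SUCCESS:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= min_failures:
                findings.append((account, src, len(recent), ts))
            failures[key].clear()  # a success closes the failure run either way
    return findings


def find_explicit_credential_logons(events):
    """Return (account, src_ip, time) for every 4648 event."""
    return [(a, s, ts) for ts, code, a, s in events if code == EXPLICIT_CREDS]


if __name__ == "__main__":
    for hit in find_failure_then_success(SAMPLE_EVENTS):
        print("review: %s from %s: %d failures then success at %s" % hit)
    for hit in find_explicit_credential_logons(SAMPLE_EVENTS):
        print("review: explicit credentials used for %s from %s at %s" % hit)
```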
++++++++++++++++++++++++++++++++++++++++++
Splunk Alert: Nicola AD Account Locked Out Alert
+++++++++++++++++++++++++++++++++++++++++++
index="kobalt_nicola_windows" user="cnicola"
| table ltime,dest_nt_domain,user,host EventCode status Error_Code name Error_Code_message
| rename ltime as "Lockout Time",dest_nt_domain as "Domain",user as "Account Locked Out", host as "Workstation"

https://kobalthelp.zendesk.com/agent/tickets/55957
Share more info. Prashant Rana: ensure the lockout reason and the failure error code are reviewed.

| mispgetioc misp_instance=MISP last=1d to_ids=t geteventtag=t pipesplit=t type="domain,ip-dst,ip-src,domain|ip" limit=0
| eval description = "e"+ misp_event_id+ "_UUID_" + misp_event_uuid
| rename misp_domain AS domain
| eval ip = mvappend(misp_ip_dst,misp_ip_src)
| eval ip = coalesce(ip,"preserve_single_value_ip")
| mvexpand ip
| eval ip = if(ip="preserve_single_value_ip", null(), ip)
| eval weight=case(match(misp_tag,"tlp:white"),20,match(misp_tag,"tlp:green"),40,match(misp_tag,"tlp:amber"),80,match(misp_tag,"tlp:red"),100,true(),50)
| where isnotnull(ip) or isnotnull(domain) | fields description,domain,ip,weight
| outputlookup append=true misp_ip_intel.csv


Important links
Misp
https://github.com/splunk/TA-misp_es/blob/master/default/savedsearches.conf


GCP logs ingestion
https://kobaltsecurity.atlassian.net/browse/SO-4009 ; review https://conf.splunk.com/files/2019/slides/FN1263.pdf (important: shows the push and pull methods)

https://docs.splunk.com/Documentation/AddOns/released/GoogleCloud/Configureinputsv1modular
https://cloud.google.com/blog/products/data-analytics/connect-to-splunk-with-a-dataflow-template
https://cloud.google.com/architecture/exporting-stackdriver-logging-for-splunk
https://console.cloud.google.com/logs/router?orgonly=true&project=splunk-logs-ingestion&supportedpurview=organizationId
https://github.com/splunk/splunk-gcp-functions
https://github.com/splunk/splunk-gcp-functions/blob/master/Examples/Example-1-PubSub.md
https://www.splunk.com/en_us/blog/platform/google-cloud-platform-serverless-ingestion-into-splunk.html


Combine two search queries

https://community.splunk.com/t5/Splunk-Search/Results-of-two-searches-displayed-on-one-chart/m-p/59177

index=kobalt_*_sophos*
| dedup dest
| lookup misp_ip_intel.csv ip AS dest
| eval known_bad=if(known_bad==1,"true","false")
| where known_bad="true"
| append [ search index=kobalt_*_sophos* | dedup src
    | lookup misp_ip_intel.csv ip AS src
    | eval known_bad=if(known_bad==1,"true","false")
    | where known_bad="true" | table index user src dest ip action known_bad misp_attribute_uuid app ]
| table index user src dest ip action known_bad misp_attribute_uuid app


How To Find The Missing Values Of A Field By Comparing A Lookup File
https://splunkonbigdata.com/how-to-find-the-missing-values-of-a-field-by-comparing-a-lookup-file/

