Below you will find pages that utilize the taxonomy term “Security”
Exposing Services Safely with Cloudflared Tunnels
Self-hosting applications and services is more popular than ever, but it comes with a big challenge: how do you safely expose those services to the Internet without compromising your network?
Traditionally, exposing a service involved opening ports on your firewall or router. While simple, this method can create major security risks if not configured perfectly. Exposing open ports directly to the Internet increases the attack surface for bad actors to find and exploit vulnerabilities.
Advanced Splunk Techniques for Beginners
Welcome to the fascinating world of Splunk, a robust tool that converts machine data into insights that can help guide operational intelligence and business decisions. This post is designed for beginners eager to expand their Splunk knowledge.
Getting Started with Splunk
Splunk is a software platform used for searching, monitoring, and analyzing machine-generated data via a web-style interface. Setting up Splunk is straightforward:
- Download and install the free version from their official website.
- Launch the program and navigate through the setup, including creating an admin account.
Fundamental Splunk Commands
Splunk’s power is in its search capabilities, powered by the Splunk Processing Language (SPL). Here’s a basic command example:
Searching for Threats in Firewall Logs Using Splunk
To search for threats in firewall logs using Splunk, you need to craft a search query that looks for common indicators of malicious activity. Here’s a basic example to get you started:
- Open Splunk and navigate to the Search & Reporting app.
- Enter the search query.
A typical search query for firewall logs might look like this:
index=firewall_logs sourcetype="firewall"
| search action=blocked OR action=denied OR action=dropped
| table _time src_ip dest_ip action signature
| dedup src_ip, dest_ip, signature
| sort _time
This query does the following:
Understanding Current Security Risks: 2024 Update
In today’s digitally interconnected world, the landscape of security risks is constantly evolving. With new technologies come new vulnerabilities, and cybercriminals are perpetually seeking ways to exploit these weaknesses. This blog post aims to provide an overview of some of the most pressing security risks facing individuals, businesses, and governments today.
1. Phishing Attacks
Phishing remains one of the most prevalent and dangerous security threats. Cybercriminals use deceptive emails, messages, or websites to trick individuals into providing sensitive information such as usernames, passwords, and credit card details. Despite increased awareness, phishing attacks continue to be successful due to their sophistication and ability to mimic legitimate communications.
Navigating the Digital Frontier: Exploring the State of Cybersecurity Today
The digital age has brought us unprecedented convenience, efficiency, and innovation. From online banking and social media to IoT devices and cloud computing, our lives are deeply intertwined with technology. However, this digital revolution has also given rise to an array of cyber threats that jeopardize our personal information, financial security, and even national security. As part of this threat landscape, I have created the following presentation (that I used to share with my students) on the state of Cyber Security Today…the good, the bad, and the ugly.
Phish vs Spam vs Total O365 Email in Microsoft Sentinel
Here is a simple Microsoft Sentinel search to show how much phishing/spam email is received vs good email for a specified user in a given time frame.
let UserToAnalyze="[email protected]";
EmailEvents
| where RecipientEmailAddress==UserToAnalyze
| project RecipientEmailAddress, ThreatTypes
| evaluate pivot(ThreatTypes)
| sort by RecipientEmailAddress asc
Thank you to Microsoft for publishing this query on GitHub.
Leaked Credentials Search in Microsoft Sentinel
Microsoft Sentinel is a great way to get a handle on your security infrastructure. One thing Microsoft Security does particularly well is scour the web for evidence of reused credentials that have been leaked through a third-party service. While you can manually go through all of the alerts in portal.cloudappsecurity.com, an easier way to bring this data forward is with the search below:
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where AlertType == "LeakedCredentials"
| project TimeGenerated, AlertType, CompromisedEntity
The results can be tweaked by time and date. You can also build on this search to automate playbook actions within the Microsoft Sentinel environment.