Splunk Integrations

1 Launch
Solution Overview
Understanding what is happening on a network is a very challenging task. Just understanding what is on your network often proves to be a daunting challenge. To address these challenges, system owners will need to employ a wide variety of data collection and orchestration tools. Examples include tools as simple as operating system and network auditing. Data streams like windows event logs and syslog provide invaluable data. Other tools like Tanium and Expanse provide detailed data on a network from both inside a network and outside looking in. 

All this instrumentation is great but brings its own challenges. How does a system owner look at all these different data streams and worse, integrate it into a comprehensive view? This is where Splunk comes in. Splunk has a wide variety of data ingestion paths, data formatting capabilities, and finally, data integration and display features to help build comprehensive view that can be tuned for administrators, security professionals, and managers.

Goals & Objectives

This lab leverages a complex virtual environment allowing for the collection of a wide variety of network and endpoint operational data. Also included is a full implementation of Tanium supporting discovery, Threat response, software and hardware inventory, compliance, and much more. Additionally, this lab will show how data from other tools like expanse can be integrated and displayed.
This Lab demonstrates how Splunk:
  • Collects data from different sources
  • Works with various data forwarding protocols
  • Leverages queries to drill down into specific data feeds
  • Supports data integration across data feeds
  • Uses dashboards to make data accessible
  • Can be integrated into an organization’s automation and reporting processes

Hardware & Software

This lab consists of the following hardware and software:

  • Tanium Core Platform
  • Splunk log collector
  • Nessus vulnerability scanner
  • Palo Alto VM-series firewall

Server Devices
  • 1x Windows Jumphost (Windows Server 2016)
  • 4x Tanium Servers (Windows Server 2016)
  • 1x Splunk Server (CentOS 7)
  • 1x Syslog Server (CentOS 7)
  • 1x Nessus Server (CentOS 7)
  • 1x Utility Server (CentOS 7)

Client Devices
  • 4x Windows 10 Clients (Windows 10 Enterprise)
  • 3x Windows 7 Clients (Windows 7 Enterprise)
  • 3x Red Hat Clients (Red Hat Enterprise Linux 7)
  • 1x Attack Host (Kali Linux