Posts

Working with JSON files

JSON (JavaScript Object Notation) formatted data is pretty much everywhere. As a lightweight data-interchange format, it has become very popular. I can see it used for all kinds of configuration files (such as AWS policies, for instance), API response data and log data. json.org states that "It is easy for humans to read and write". Well, anyone who has at least once had to debug a long, nested JSON document could disagree! JSON is human-friendly only if it is nicely formatted. Fortunately, there are some tools that can help. One of my favorites is underscore-cli, a Node.js tool that can be used as a simple pretty printer. In this example I am going to provide the steps for installation on Ubuntu.

Installing Node Version Manager and Node.js
Install curl: sudo apt-get install curl
Install the latest nvm: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
Install the LTS version of Node.js: nvm install --lts

Installing and using underscore-cli
npm install ...

Splunk, Auth0 and SAML SSO - part 2: Splunk configuration

In my previous blog post we configured Auth0 as the Identity Provider for Splunk using the SAML protocol. Now it is time to configure Splunk. As a Splunk admin user, go to Settings / Authentication Methods. SAML is available as one of the external authentication methods. Select it. Click SAML Settings and then the green SAML configuration button. Import the IdP metadata file; it will populate most of the fields for you. Still, a few settings require manual adjustment.

General Settings
Entity ID: https://<your-splunk.com> - just enter your Splunk instance URL

Advanced Settings
Fully qualified domain name or IP of the load balancer: https://<your-splunk.com> - make sure this is correct; for instance, you want your FQDN here rather than a container name
Redirect port - load balancer port: 8000 - the Splunk Web UI port

You also need to set up aliases for the SAML attributes containing realName, mail and role.

Alias
Role alias: http://schem...

Splunk, Auth0 and SAML SSO - part 1: IdP configuration

In order to remediate the password fatigue problem, companies are implementing SSO solutions. This approach not only benefits the user, who can use a single set of credentials for multiple applications, but also significantly reduces administrative overhead (for instance, all of a user's privileges can be revoked with a single click!). In this short guide we are going to see how to integrate Splunk with an Identity Provider (IdP) using the SAML protocol. There are several big IAM companies which can act as an IdP, such as Okta, Ping Identity or Auth0. I am going to use Auth0. As of today, this integration is not in the official Splunk documentation. I was able to find one blog post that discusses this scenario, however it is dated 06/2019 and seems incomplete/truncated. This post focuses on the IAM part, while the next one examines the Splunk configuration.

Glossary
ACS URL: An Assertion Consumer Service URL is an endpoint that is going to process I...

Splunk: Playing with tables

table is one of the most basic Splunk commands. In general, adjusting tabular output to your needs is simple, and most of the time you can get the desired output by using table together with fields and rename. Things are a little more complicated when your table has dozens of columns (for instance, when working with the output of Splunk's REST API produced by the rest command). The key to being a successful Splunk Power User is to recognize that all three commands (table, fields, rename) accept wildcards. As per the documentation, they take <wc-field> as arguments. This means that you can get the set of fields you need quite easily. For example:

| rest /services/saved/searches splunk_server=local | table title, alert*

Even a standalone * is a valid argument. This can be used to put one selected column first while keeping everything else as it is.

| rest /services/saved/searches splunk_server=local | table title, search, *

BONUS
One mor...

OpenSSL: troubleshooting

Troubleshooting certificate issues is not an easy task. They can have various root causes: Common Name (CN) mismatch, use of a self-signed certificate, an expired certificate, an invalid certificate chain and many others. Fortunately, there are some commands to help!

Testing client connection
echo | openssl s_client -connect host:443 -state
In this example the echo command is used to send a newline and terminate the connection, and -state prints out the SSL session states.
echo | openssl s_client -connect host:443 -status
The -status switch sends an Online Certificate Status Protocol (OCSP) request to the server to check the revocation status of the certificate. "With OCSP, a relying party is able to submit a certificate status request to an OCSP responder, such as a Certification Authority (CA). This returns an authentic, digitally signed response indicating the certificate status." - Entrust
More on OCSP: https://www.entrust.com/knowledgebase/ssl/online-certificate-stat...

OpenSSL: demystifying command line parameters

Creating a certificate using openssl is a task that most IT admins will face sooner or later. SSL/TLS is often used to secure communications between a browser and a web server, but that is not the only use case. Certificates can be used by Log Management/SIEM engineers to protect data in transit by establishing secure links between system components (note: TLS mutual authentication is also desirable in this scenario to ensure data integrity). Example: Secure communication with Logstash. Finally, understanding openssl is an important topic for the LPIC-303 exam (and, to be honest, the primary reason that encouraged me to write this post).

Creating a private key
openssl genrsa -des3 -out priv.key 2048
genrsa: generate an RSA private key
-des3: use the 3DES cipher to encrypt the key; a passphrase is required
-out <filename>: output the key to the specified file
[numbits] 2048: the size of the pr...