top of page
Geeking out on Splunk and IT Security
Search
Shrink your windows event logs license costs with ingest actions!
Windows events are a large part of the volume of logs ingested in a lot of splunk deployments. Wouldn't be cool if we could shrink them so they don't eat up so much precious precious license? In this post I'll walk through how I rebuilt Windows Event Logs (WELs) into a compact, Splunk-friendly format, cuting size by up to 60% without breaking field extractions. Key takeaways With a few targeted ingest actions and props/transforms tweaks, you can shrink Windows logs dramatical
Gabriel Vasseur
Oct 2710 min read
ES8 findings, intermediate findings, etc confusion!
The key thing I did not appreciate when I wrote the previous version of this post is that the Risk data model is now fed from...
Gabriel Vasseur
Sep 56 min read
RBA: Aggregate user & system risks!
Since RBA is all about aggregating security events that are related to the same entity, Assets & Identities normalisation is crucial to...
Gabriel Vasseur
Jan 612 min read
Untable, xyseries, transpose clarified!
These 3 table-manipulating commands are occasionally very useful but they are also quite confusing. For years, I've relied on the...
Gabriel Vasseur
Dec 2, 20241 min read
RBA: a better way to dedup risk events
In this post we’re discussing an advanced way to dedup risk events in your risk alerts (RIRs) and at the same time have the RIR results...
Gabriel Vasseur
May 22, 20234 min read
Linux tips
This for the most part isn't splunk-specific, but if you do any amount of administration on the linux command line, you might find it...
Gabriel Vasseur
Apr 30, 20225 min read
Splunk workload optimisation
Assess your search workload with this simple dashboard. Here's a very quick dashboard to identify what uses your splunk platform...
Gabriel Vasseur
Apr 26, 20221 min read
Dashboarding Best Practices, Tips & Tricks
Splunk’s “simple XML” dashboards are reasonably simple and straightforward to create, yet they are incredibly versatile and powerful. You...
Gabriel Vasseur
Oct 19, 20219 min read
Audit your correlation searches against your own Best Practices automatically
I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is Correlation Searches Best...
Gabriel Vasseur
Oct 19, 202111 min read
Test your correlation searches end-to-end with Morning Checks
I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is morning checks. Basically you...
Gabriel Vasseur
Oct 19, 20211 min read
Add an in-splunk after-the-fact Peer Review system for your correlations
I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is having a simple peer review...
Gabriel Vasseur
Oct 19, 20212 min read
Add a simple TODO management system for your correlations
I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is having a simple task...
Gabriel Vasseur
Oct 19, 20211 min read
Easy yet powerful submit buttons in your simple XML dashboards
There are a number of issues with Splunk’s simple XML forms submit button: you can't have more than one you can't move it you can't hide...
Gabriel Vasseur
Oct 18, 20213 min read
bottom of page