Alert vs. Monitoring

Taken literally, Alert and Monitoring have quite different meanings. An alert is a warning or alarm about something wrong or suspicious that you want to be aware of. Monitoring is watching something closely for a specific purpose.


Security Activity Relationship

digraph {
  rankdir=LR
  L [label="Logging"]
  M [label="Monitoring"]
  A [label="Alert"]
  I [label="Investigation" style=filled fillcolor=turquoise]
  L -> M
  M -> A
  M -> I
  A -> I
  I -> L [style=dotted fillcolor=lightgray]
  I -> A [style=dotted fillcolor=lightgray]
  I -> M [style=dotted fillcolor=lightgray]
  {rank=same A M}
}

In computer security, however, it is not hard to find the two meanings mixed up. For instance, someone sets up an "alert" that is sent by email just to look at the login history. That is not bad in itself, but we will most likely ignore this kind of email once too many of them pile up in the inbox. That is a problem.

In my opinion, an alert has a threshold, while monitoring is the ability to become aware of outliers through visibility.

In security terms, an alert is raised when something exceeds a specific threshold. For example, if the login requests from one IP address exceed 100 in a second, an alert is raised to notify us that there were suspicious logins; it might be a login brute-force attack. With this alert in hand, we go on to investigate whether it really is an attack or not. In this respect, we need to know the variants of an attack in order to decide on the exact threshold.

On the other hand, monitoring is looking for the suspicious ones, such as outliers. For example, we usually use binary entropy to pick out outliers among lots of normal PE (Portable Executable) files.
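As an added example (not code from the original post), the threshold alert described above placed next to a plain monitoring view, both run over a constructed login log: the alert fires once per source IP when more than 100 requests land inside a sliding one-second window, while the summary only gives visibility into every source and triggers nothing. The log format, the IP addresses and the 100-per-second figure are illustrative assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 100   # more than 100 login requests from one IP within one second (the text's example)
WINDOW = 1.0      # window length in seconds

def make_sample_log():
    """Constructed sample lines, not real data: '<epoch_seconds> <src_ip> LOGIN <result>'."""
    lines = [f"{1700000000 + i * 2:.3f} 10.0.0.5 LOGIN ok" for i in range(5)]          # a normal user
    lines += [f"{1700000003 + i * 0.006:.3f} 203.0.113.7 LOGIN fail" for i in range(150)]  # a burst
    return sorted(lines, key=lambda line: float(line.split()[0]))

def parse_line(line):
    ts, ip, _, result = line.split()
    return float(ts), ip, result

def detect_login_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Alerting: raise once per source IP the first time its request count
    inside the sliding window exceeds the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts, already_alerted = [], set()
    for line in lines:
        ts, ip, _ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and ip not in already_alerted:
            already_alerted.add(ip)   # one alert per IP, so the inbox is not flooded
            alerts.append({"ip": ip, "at": ts, "count": len(q)})
    return alerts

def login_summary(lines):
    """Monitoring: per-IP attempt and failure totals, a view to look at, not a trigger."""
    totals = defaultdict(lambda: {"attempts": 0, "failed": 0})
    for line in lines:
        _, ip, result = parse_line(line)
        totals[ip]["attempts"] += 1
        if result != "ok":
            totals[ip]["failed"] += 1
    return dict(totals)

if __name__ == "__main__":
    log = make_sample_log()
    for a in detect_login_bursts(log):
        print(f"ALERT {a['ip']}: {a['count']} logins within {WINDOW}s at {a['at']:.3f}")
    for ip, row in login_summary(log).items():
        print(f"{ip}: {row['attempts']} attempts, {row['failed']} failed")
```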

Add Google Map on Splunk Dashboard

When you create a Splunk dashboard using the Google Maps app, you may run into some problems if, like me, you are a beginner with it.

1. Create Dashboard

Creating a dashboard in Splunk Web is normally straightforward.

2. Convert the simpleXML to advancedXML

To add a Google map to the new dashboard, you need to convert it from simpleXML to advancedXML. First, you can get the advancedXML from this URL, replacing {dashboard_name} with the name of your dashboard:

http://localhost:8000/en-US/app/search/{dashboard_name}?showsource=advanced

When you open the URL above, the page shows the dashboard's advancedXML source. Copy that advancedXML into Notepad so you can add the Google Maps module.


3. Add Google Map

Here is a sample GoogleMaps module. After adjusting the site-specific values (the search string, the layout panel, the drilldown field and the map center) to suit your site, add it to the advancedXML.

<module name="HiddenSearch" group="Map View" layoutPanel="panel_row3_col1" autoRun="true">
  <!-- the search that feeds the map; replace {query_string} with your own search -->
  <param name="search">{query_string}</param>
  <param name="earliest">-8h@h</param>
  <module name="GoogleMaps">
    <param name="height">500px</param>
    <param name="drilldown_field">addr</param>
    <param name="mapType">terrain</param>
    <param name="scrollwheel">off</param>
    <param name="zoomLevel">2</param>
    <!-- initial map center as "latitude, longitude" -->
    <param name="center">30.580607, 6.111675</param>
  </module>
</module>

4. Save

Go to [Splunk > Manager >> User interface >> Views] in Splunk Web. Open the dashboard you made in step 1 and replace its entire contents with the modified advancedXML. Finally, click the Save button. Now open the dashboard and you can see the Google map.