Alerts in cloud environments require your team to quickly and precisely gather evidence and isolate affected environments. The GE Digital Predix Incident Response (IR) team found an abundance of content for analyzing forensic evidence from Windows environments, but they noticed a gap in content built for performing investigations on Linux-based hosts. The Predix IR team will discuss the tools they have built to contain compromised Linux-based hosts, gather evidence, and analyze that evidence in Splunk. The talk covers using Splunk searches, lookups, and visualization components to look both narrowly into the collected data set and broadly across the rest of the environmental data in Splunk, in order to identify known-bad or potentially suspicious activity that may warrant further investigation by an analyst.
Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1479.pdf?podcast=1577146214