Introducing Splunk Attack Range v3.1

The Splunk Threat Research Team is happy to release v3.1 of Splunk Attack Range.

Splunk Attack Range is an open source project that allows security teams to spin up a detection development environment to emulate adversary behavior and use the generated telemetry data to build detections in Splunk. This blog highlights the new features introduced in version 3.1 to provide a better user experience.

What is Splunk Attack Range?

What's New?

Snort Integration

We integrated Snort, an open-source network intrusion detection system (NIDS) maintained by Cisco Talos, into Splunk Attack Range. Snort, the industry standard in NIDS, is a free and lightweight solution that runs on both Linux and Windows platforms, designed to detect and prevent emerging threats by analyzing network traffic in real time.

By incorporating Snort into Splunk Attack Range, we are expanding the platform's threat detection capabilities. Splunk Attack Range users can now leverage Snort's powerful intrusion detection features to monitor network traffic, identify potential threats, and analyze security events. By default, the Snort3 community rules are deployed. Additionally, all triggered alerts from Snort are seamlessly forwarded to Splunk, allowing for centralized monitoring, comprehensive analysis, and rapid response to network-based threats.

Snort offers a variety of data types for logging that are completely configurable by the end user. In total, the latest Snort release has roughly 52 different informational fields available from the logger. This allows you the ability to choose exactly what data you want in your environment with a simple configuration change.

Some fields of interest include:

• Packet data of the event encoded in base64
• Source and destination address/port
• Alerting Snort rule
• Packet length
• Service and/or connection protocol

For the purpose of day-to-day operations, we highly recommend the Snort JSON logger. This will provide you with a standard data format that can easily be imported into Splunk in addition to other devices.

Cisco Secure Endpoint Integration

We integrated Cisco Secure Endpoint into Splunk Attack Range. Cisco Secure Endpoint is a comprehensive cybersecurity solution designed to protect endpoints from advanced threats. It integrates endpoint detection and response (EDR) capabilities with malware protection and threat intelligence to provide robust, real-time defense against cyber attacks. By enabling Cisco Secure Endpoint in Splunk Attack Range, the Cisco Secure Endpoint agent is installed on the Windows server and the logs are forwarded to the Splunk Attack Range server.

Auditd Logging on Linux Servers

One of the most ingested Linux log sources of Splunk customers is Auditd. Therefore, we have added Auditd logging to our Linux server setup. Auditd, or the Linux Audit Daemon, provides a powerful framework for monitoring and logging system-level events on Linux servers. By incorporating Auditd, we expand the range of log sources available within Splunk Attack Range, giving users deeper visibility into their Linux environments. With Auditd logging, users can now capture and analyze a broader spectrum of system activities, including file access, user authentication attempts, process execution, and network connections. This additional data source helps detection engineers build better detections for threats that target the Linux operating system.

Version-Tagged Docker Containers

The recommended way to use Splunk Attack Range is through a Docker container, as it includes all the necessary packages and libraries to run the environment smoothly. Previously, only the latest tagged version was available on Dockerhub. With this release, we are introducing version-tagged Docker containers on Dockerhub, addressing a popular request from the community.

Starting with Splunk Attack Range version 3.1, each Docker container will now be tagged with its corresponding release version, in addition to the "latest" tag. This change makes it easier for users to manage their deployments and ensures compatibility with specific versions of Splunk Attack Range. Version tagging allows users to quickly identify and pull the exact version of the Docker container they need, providing greater control over their testing and development environments.

Removing Packer for a Better User Experience

In the 3.0 release of Splunk Attack Range, we introduced Packer to accelerate the build process. While this addition brought notable improvements in build time and efficiency, we received feedback from our user community that it added complexity and increased the learning curve of Splunk Attack Range. Many users found Packer challenging to implement, which hindered their overall experience with Splunk Attack Range.

In response to this feedback, we have decided to remove Packer from Splunk Attack Range. By removing this layer of complexity, we hope to create a more intuitive and straightforward environment for users to deploy and manage Splunk Attack Range without unnecessary hurdles of running Packer alongside terraform.

Get Started with Splunk Attack Range

Ready to get started with Attack Range? Visit our GitHub repository to explore the project and set up your environment today. The repository contains detailed documentation, step-by-step installation guides, and examples to help you quickly deploy Attack Range and start developing splunk detections. Join our community of cybersecurity professionals and contribute to the project by sharing your feedback, reporting issues, or submitting pull requests.

Public link

Please use the above public link if you want to share this noodl on another website.