Posts

Showing posts from August, 2021

Working with JSON files

JSON (JavaScript Object Notation) formatted data is pretty much everywhere. As a lightweight data-interchange format, it has become very popular. I can see it used for all kinds of configuration files (such as AWS policies, for instance), API response data and log data. json.org states that "It is easy for humans to read and write". Well, anyone who has at least once had to debug a long, nested JSON could disagree! JSON is human-friendly only if it is nicely formatted. Fortunately, there are some tools that can help. One of my favorites is underscore-cli, a Node.js tool that can be used as a simple pretty printer. In this example I am going to provide steps for installation on Ubuntu.

Installing Node Version Manager and Node.js
Install curl: sudo apt-get install curl
Install latest nvm: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
Install LTS version of Node.js: nvm install --lts

Installing and using underscore-cli
npm install -g unders

Splunk, Auth0 and SAML SSO - part 2: Splunk configuration

In my previous blog post we configured Auth0 as Identity Provider for Splunk using the SAML protocol. Now it is time to configure Splunk. As Splunk admin user, go to Settings / Authentication Methods. SAML is available as one of the external authentication methods. Select it. Click SAML Settings and the green button SAML configuration. Import the IdP metadata file. It is going to populate most of the fields for you. Still, there are a few settings that require manual adjustment.

General Settings
Entity ID: https://<your-splunk.com> - just enter your Splunk instance URL

Advanced Settings
Fully qualified domain name or IP of the load balancer: https://<your-splunk.com> - make sure this is correct; for instance, you would like to have your FQDN here instead of the container name
Redirect port - load balancer port: 8000 - Splunk Web UI port

You also need to set up aliases for the SAML attributes containing realName, mail and role.
Alias
Role alias: http://schemas.auth0.com/rolez

Splunk, Auth0 and SAML SSO - part 1: IdP configuration

In order to remediate the password fatigue problem, companies are implementing SSO solutions. This approach not only benefits the user, who can use a single set of credentials for multiple applications, but also significantly reduces administrative overhead (for instance, all of a user's privileges can be revoked with a single click!). In this short guide we are going to see how to integrate Splunk with an Identity Provider (IdP) using the SAML protocol. There are several big IAM companies which can act as an IdP, such as Okta, Ping Identity or Auth0. I am going to use Auth0. As of today, this integration is not in the official Splunk documentation. I was able to find one blog post that discusses this scenario; however, it is dated 06/2019 and seems incomplete/truncated. This post focuses on the IAM part, while the next one examines the Splunk configuration.

Glossary
ACS URL: An Assertion Consumer Service URL is an endpoint that is going to process the IdP response (SAML assert

Splunk: Playing with tables

table is one of the most basic Splunk commands. In general, adjusting tabular output to your needs is simple, and most of the time you can get the desired output by using table together with fields and rename. Things are a little bit more complicated when your table has dozens of columns (for instance, when working with the output from Splunk's REST API produced by the rest command). The key to being a successful Splunk Power User is to recognize that all three mentioned commands (table, fields, rename) accept wildcards. As per the documentation, they take <wc-field> as arguments. This means that you can get the set of fields you need quite easily. For example:
| rest /services/saved/searches splunk_server=local | table title, alert*
Even a standalone * is considered a valid argument. This can be used to get your one selected column as the first one but keep everything else as it is.
| rest /services/saved/searches splunk_server=local | table title, search, *
BONUS
One more int