Event Sequencing in Splunk: How to Use It To Avoid Alert Fatigue

Working in the security space in Splunk, we’re all accustomed to the pressure of security alert management, and security analysts are on the front line of security alert responding. Repeated exposure to alerts can result in “alert fatigue” — monitoring an abundance of alerts ad nauseam.

When your security alerts are too frequent, not descriptive enough, or redundant, this kind of fatigue can leave teams even more exposed to legitimate threats. Put simply, your Splunk environment can start to take on characteristics of the fable, The Boy Who Cried Wolf, and we know how that story ends.

New call-to-action

And we don’t want that for your team. In this post, we’ll show you how to avoid alert fatigue with Splunk Event Sequencing.

What is Event Sequencing?

As a feature of Splunk Enterprise Security, the Event Sequencing engine is a series of chained (sequenced) correlation searches. These searches are triggered based on search criteria and other modifiers. Once the conditions of all sequenced correlation searches are met, a sequenced event that includes all the alert data is generated. Analysts can use this data to make decisions about how to triage alerts.

The best function of Event Sequencing is that it can identify the actionable threats amidst the sea of alerts you receive each day. Using Event Sequencing leads to quicker remediation of security incidents. 

The How-To’s of Event Sequencing

Let’s take a look into how Splunk Event Sequencing works. Sequenced Events start by creating a Sequence Template. With Event Sequencing, out-of-the-box correlation searches, or custom searches, can be used.

You can create the sequencing template to detect specific behavior that an analyst can take immediate action upon. You can follow these graphics below for further reference to creating your sequence templates.

Figure 1 – Create a new Sequence Template
Figure 1 – Create a new Sequence Template
Figure 2 – New Sequence Template
Figure 2 – New Sequence Template
Figure 3 – Sequence Template Settings
Figure 3 – Sequence Template Settings

After the sequence template is created, you will find the triggered events in the Incident Review.

Figure 4 – Triggered Sequenced Template
Figure 4 – Triggered Sequenced Template

Then, you’ll want to filter your events. Click to filter on your “Sequenced Events” for these specific events.

Figure 5 – Filtering to see only triggered sequenced events
Figure 5 – Filtering to see only triggered sequenced events

Once you run your sequenced events, find them at Security Intelligence > Sequence Analysis. Then, you can review your sequence analysis.

Figure 6 – Sequence Analysis
Figure 6 – Sequence Analysis

Threats Minimized, Efficiency Maximized

When you take these best practice tips to Splunk Enterprise Security, your security alerts should be more manageable and consumable. Splunk Event Sequencing is here to help and ensure your Splunk teams are efficient and successful in the security space. With a team of security experts, Kinney Group has years of experience working in Splunk to ensure threats do not slip through the cracks. If you’re interested in our work with Splunk Enterprise Security, let us know below!

New call-to-action

Three Fundamental, Actionable Steps to Improve Cybersecurity

The tragic events unfolding in Ukraine are a stark reminder there are entities in the world that wish to do harm to our country’s business and public institutions.

Cyber warfare has been a fact of life for some time now, and the war in Ukraine has returned this fact of life to the headlines. Combatting cyber warfare with cybersecurity best practices is, perhaps, now back to being top-of-mind for leaders of all organizations.

Addressing cybersecurity issues in a manner which measurably enables protection can be a daunting task. As the ancient proverb says, “the journey of a thousand miles begins with a single step.”

Organizations can immediately (and dramatically) improve their overall cybersecurity posture by pursuing these three fundamentals:

Prioritize Protecting Your Most Important Assets

Cyber attackers today are using sophisticated strategies and tactics that employ artificial intelligence, optimized attack algorithms, and automation techniques that enable attacks at scale. Given this reality, it is mathematically impossible to effectively defend all points of entry vulnerable to cyber attacks.

A simple step organizations can take immediately is to identify critical applications and data stores to quickly get an understanding of the adjacent points of entry an attacker can exploit. The majority of all security-related activities should be targeted at protecting the most valuable assets. Simply put, organizations should prioritize vigilant protection of their “crown jewels.”

While this sounds obvious, most organizations we work with cannot quickly identify those digital assets that should be defended as a priority. Leaders that pursue this simple step will quickly improve their overall security posture.

Security Harden Your Critical Applications and Systems

Hardening critical software and systems is a fundamental the U.S. defense and intelligence ecosystem has practiced for years. Security hardening software application stacks and associated systems and infrastructure provide basic hygiene for effective cyber defense.

At first blush, this might seem daunting for organizations that are not familiar with security hardening practices. This is a reasonable concern given that most organizations have no visibility into the steps that U.S. security, defense and intelligence agencies take to secure their most prized digital assets.

The Defense Information Systems Agency (DISA) System Technical Implementation Guides (STIGs) are a great place to start. DISA STIGs provide a fundamentally sound framework for executing system security hardening immediately. They are the foundational guidelines that the US defense agencies use today, the current STIG guidelines are available to the public online.

Consistently executing basic hygiene for security is something all organizations should pursue immediately. Just as we all do when protecting our own personal health, pursuit of basic hygiene for security is a fundamental that all organizations should pursue every day.

New call-to-action

Remove Human Error Risk Through Automation

Human error remains the #1 cause of security vulnerabilities. Today’s systems and application stacks are simply too complex for continued use of manual processes for deployment, patching, and change management coupled with expectation to mitigate human error.

Organizations that identify their critical digital assets and systems, and then employ security hardening basic hygiene, must absolutely do so in an automated fashion. Automating the deployment of secured software dramatically reduces human error as a cause for creating security vulnerabilities.

Software deployment automation should be a fundamental starting point for all organizations. Automation of change management, threat response, and vulnerability remediation should also be pursued. As with most things, the “first step” is always the best place to start, and automating software deployment is a fundamentally sound first step.


Pursuit of a comprehensive and contemporary cybersecurity strategy may incorporate many elements such as zero trust, secure access service edge (SASE), frameworks such as MITRE ATT&CK, security orchestration and automated response (SOAR), encryption, and network microsegmentation, among numerous other technologies and techniques. While building a modern cybersecurity capability may appear as a daunting prospect for many organizations, a sound cybersecurity protection foundation can be quickly achieved by any organization pursuing the three fundamental strategies discussed above.

Don’t wait to start the cybersecurity journey — it begins with the first steps of prioritization, security hardening, and automation. We believe all organizations can and should begin their cybersecurity journey by addressing these fundamentals as a priority. From a risk mitigation perspective, pursuit of these three fundamental strategies will yield measurable positive impacts on risk reduction. With a foundation of fundamental protections in place, organizations can then continue their journey to weave more advanced technologies and techniques into their cybersecurity strategy.

The people that depend on your organization being secure are relying on leaders to act. Pursuit of security basic hygiene fundamentals is a great place to start.

New call-to-action

Lean on Splunk for your Remote Work Insights

In Security Tips for Work From Home (WFH) Life, we explored guidelines on how to efficiently and safely set up your work from home environments. The individual colleague has the responsibility to ensure they’re maintaining a secure remote-work environment. Looking past the individual worker, companies are now tasked with ensuring a good remote work environment for their colleagues to stay productive and secure. How can organizations get these critical insights? Let’s jump into Splunk and see your company can monitor the safety and performance of your remote workforce.

Splunk Remote Work Insights (RWI)

In light of COVID-19, Splunk has released the Remote Work Insights (RWI) Application. This free-to-download application contains reports and dashboards that provide insight into the critical applications your organization is using to keep the business running. Along with application management, the RWI solution gives immediate insight into business performance and network security. As we get through this pandemic and beyond, the Splunk Remote Work Insights solution will help your business monitor the success and safety of its remote workforce.

This Splunk application can be added to Splunk to increase your security posture and provide critical insight into how your applications are being used, who is using them, and from what locations.

Figure 1 - Splunk Remote Work Executive Dashboard
Figure 1 – RWI Executive Dashboard

When you open up the RWI application, you’ll be dropped into the Executive dashboard view. This dashboard is an aggregate summary view of all dashboards within the application. The major purpose of this dashboard is to provide the CTO/CIO or a data center of critical insights into remote business operations. RWI gives visibility into your company’s critical applications and how they are performing and being used.


New call-to-action


Be the VPN Champion

VPN Login Activities dashboard shows where your colleagues are logging in from, the success/failure rate for these logins, and the top login failure reasons. This dashboard is a one-stop shop to audit your VPN activities. The data shown here is from GlobalProtect, but any VPN logs can be integrated into these dashboards.

The Global Protect VPN Login Activities dashboard is key for insights into VPN activities of your remote colleagues. In this example, you have a workforce that’s fully based in the U.S. Now, check out that top panel… there are some workers accessing the VPN client from China, if this is unexpected, you may have a breach on your hands!

Figure 2 - Global Protect VPN Login Activities
Figure 2 – Global Protect VPN Login Activities

Zip-Up Zoom Operations

The Zoom Ops dashboards show an aggregate view of your organization’s Zoom metrics. Looking at this dashboard, you’ll gain visibility into historical metrics and real-time information on active Zoom meetings. You can even see what devices the meetings are being accessed from, the types of meetings being conducted, and metrics surrounding the length of the meetings.

Figure 3 - Zoom Ops Dashboard
Figure 3 – Zoom Ops Dashboard

The following data sources were used to populate these dashboards:

  • GlobalProtect VPN
  • Office 365
  • Zoom Video
  • Okta Authentication
  • Google Drive
  • Webex
  • Slack

The external threats facing organizations are greater than ever. With the shift to a remote workforce, it is crucial for businesses to have these insights into their day-to-day operations to protect the safety of their organization its colleagues. Paired with all applications your organization uses today, the Splunk Remote Work Insights Application can dramatically increase your organization’s visibility into application performance. Interested in learning more about the Splunk Remote Work Insights solution or looking to implement the application? Contact our Kinney Group team of experts below.

New call-to-action

Security Tips for Work From Home (WFH) Life

It’s been a few weeks since a large portion of America’s workforce has shifted to the work from home life with the mission of fighting off Coronavirus. Whether you’re a newbie or tenured in the remote work department, we’re seeing threats like never before targeting our day to day operations (and no, I’m not talking about the threat of running out of hand sanitizer…) The threats of phishing schemes and cyber-attacks are at an all-time high.

We know that you’re already juggling some new challenges working from home, so we’ve compiled some tips to make your day-to-day a little more secure…

Start with Cybersecurity Basics

Let’s start here – make sure the programs you use are up to date, including any security software you utilize. This is a great time to update your device and account passwords, making them strong and unique. (Pro tip: consider passwords that are at least 12 characters long, use a mix of numbers, symbols, uppercase, and lowercase characters – the more unique, the more secure!).

Lock Down Your Home WiFi

Many times, home networks are left on default settings by the company that does the installation, leaving your network open to attack. Check your router’s settings and change the default login and password to something unique. Then, make sure you’re using the very best encryption available on your device. Refer to WPA2/WPA3 as the current standards.

While you’re taking the time to examine your network and router settings, take a look at the devices and users that are connected. You don’t want any unknown devices using your network.

Utilize a VPN if You’re on an Unsecured Network

If for any reason, you need to use an unsecured network while working remotely, consider utilizing a Virtual Private Network (VPN). A VPN allows you to work on a private network while protecting your data and browsing activity. While we may not recommend specific third-party VPN providers, we do recommend that you utilize your company’s private VPN if and when possible.


New call-to-action


Maintain Workplace Lock-Up Habits

Now, we’re not suggesting that your eight-year-old will be hacking into your computer in between their e-learning courses…but it’s good to maintain the habit of locking up your device as you typically would in the workplace. Like we said earlier, consider your at-home work set up to mimic your office set up. By locking up your laptop, you are maintaining a good security practice and ensuring that the contents of your laptop go untouched when you step away.

Trust, but Verify — Watch Out For Phishing

It seems like some folks are picking up phishing as a new hobby in their quaran-time. We’re talking about Phishing, the attempt to steal personal or company information as a disguised user. We’ve seen an increased number of email phishing attempts sent to work email addresses over the last few weeks. Be cautious before clicking too into questionable emails. Make sure you trust the incoming source of your emails before…

  • Opening any attachments
  • Clicking on a link
  • Replying with confidential company or personal information

Keep Work Data on Work Computers

With more time on screens working out of the workplace, it’s easier to get drop our guardrails on what should and shouldn’t be done on work laptops. Any activity that you would not typically complete in the office, shouldn’t happen on your work computer. Remember all of those security threats I mentioned above? Your IT teams are already fighting enough threats, no need to add your personal browsing to the list.

And if that’s not enough, opening your work laptop for only business-related work will help you keep a better work from home life balance. Yes, you can still keep work at …work!

New call-to-action