Hemant Kantak
Published: 2022-12-12
Total Pages: 42
Get eBook
The focus of this document is to highlight early threat detection by using Splunk Enterprise and proactively start a cyber resilience workflow in response to a cyberattack or malicious user action. The workflow uses IBM® Copy Services Manager (CSM) as orchestration software to invoke the IBM FlashSystem® storage Safeguarded Copy function, which creates an immutable copy of the data in an air-gapped form on the same IBM FlashSystem Storage for isolation and eventual quick recovery. This document explains the steps that are required to enable and forward IBM FlashSystem audit logs and set a Splunk forwarder configuration to forward local event logs to Splunk Enterprise. This document also describes how to create various alerts in Splunk Enterprise to determine a threat, and configure and invoke an appropriate response to the detected threat in Splunk Enterprise. This document explains the lab setup configuration steps that are involved in configuring various components like Splunk Enterprise, Splunk Enterprise config files for custom apps, IBM CSM, and IBM FlashSystem Storage. The last steps in the lab setup section demonstrate the automated Safeguarded Copy creation and validation steps. This document also describes brief steps for configuring various components and integrating them. This document demonstrates a use case for protecting a Microsoft SQL database (DB) volume that is created on IBM FlashSystem Storage. When a threat is detected on the Microsoft SQL DB volume, Safeguarded Copy starts on an IBM FlashSystem Storage volume. The Safeguarded Copy creates an immutable copy of the data, and the same data volume can be recovered or restored by using IBM CSM. This publication does not describe the installation procedures for Splunk Enterprise, Splunk Forwarder for IBM CSM, th Microsoft SQL server, or the IBM FlashSystem Storage setup. It is assumed that the reader of the book has a basic understanding of system, Windows, and DB administration; storage administration; and has access to the required software and documentation that is used in this document.