Splunk Enterprise is a self-hosted version of Splunk, a security information and event management (SIEM) solution that allows organizations to collect, index, report, and present data from multiple sources. For a few months now there has been a new option in Splunk to connect with Jamf Pro, an Apple device management, MDM and inventory solution.
Once the desired data is in Splunk, it’s simple to start searching across log, event and other data. This time we’ll look at how inventory data is pulled from Jamf Pro into Splunk Enterprise with a dedicated Splunk add-on.
For this tutorial, we will set up a…
Splunk is a security information and event management (SIEM) solution that allows organizations to collect, index, report, and present data from multiple sources.
Zentral is a centralized service that gathers event data from multiple sources and deploys configurations to multiple services. It allows for orchestration and event management with certain macOS security components, such as Osquery for endpoint visibility and Google’s Santa binary authorization system, and links events with an inventory (Jamf Pro, Munki, PuppetDB, et al.).
Today we begin the technology preview for an exciting addition: Munki powered by SimpleMDM. Using Munki has traditionally required additional administrative effort to configure and maintain Munki clients and a repository. With this release, a tightly integrated, hosted Munki deployment is now available out-of-the-box for SimpleMDM admins.
The full-length announcement can be read here
Now, just a few days later, the technology preview is already live at the customers that have requested to be…
In the middle of last week the National Institute of Standards and Technology (NIST) released an exciting open-source framework on GitHub: macos_security.
macos_security — a macOS Security Compliance Project
The project helps to set up and organize security baselines and technical security controls in a structured, formalized fashion.
The intention is to provide a unified way to define and set security controls on the macOS platform. The project is scoped mostly towards System Administrators, Security Researchers, and Vendors.
The project’s FAQ gives a great summary of its motives:
Every year, a new version of the macOS is released by Apple. With…
This is a short step-by-step guide to starting a Zentral-all-in-one deployment on Amazon AWS. To make it even easier for you to follow along, we’ve recorded a screencast (4:25) to complement this blog post.
For a full reference and in-depth version of the AWS / EC2 instructions go and check out the Wiki here.
There are a few requirements to deploy Zentral-all-in-one (ZAIO) on AWS. You need to have:
In this post we’ll look at how to enable Single Sign-On (SSO) authentication for Zentral based on Azure AD/O365. So in case you already use Azure as your SAML 2.0 provider, we’ll show how to quickly enable Azure-based sign-in for a Zentral instance.
Before we start to activate SSO on the Zentral server side, we’ll need to set up the basics in Azure. For a common Azure-based SSO setup you’ll have to create a new Azure Enterprise App and activate its SAML 2.0 setting.
We continuously update the Zentral codebase, and recently we’ve merged our latest dev branch into master. Why is this worth a full blog post? Well, we’ve built some nice new updates into Zentral, so you’ll probably want to check them out in more detail. Let’s start with a quick overview of the latest enhancements and dive a bit into our reorganized inventory view and the newly introduced “drilldown” functionality.
This is a list of noteworthy additions that we’d like to emphasize for our spring release of Zentral:
Welcome to the fourth episode on getting Zentral-all-in-one up and running on Google Cloud Platform. In this chapter we are enabling an SSO setup by using Okta as our SAML provider. A similar setup will also work with Google G Suite, and many other SAML 2.0 providers should work for SSO into your Zentral server as well.
Note: We have only tested GSuite and Okta here. Let us know of other SAML providers you’ve used.
Log into Okta and create a new custom app. You must select the SAML 2.0 protocol here.
Welcome back to our third tutorial in a series on Zentral. In this chapter we peek into internal settings, run a few Linux systemd commands, and inspect server-side processes and workers on the command line as well as in the Prometheus 2.0 interface.
When I call Extra-Links->Kibana, I just get an HTTP 502. It looks like the service didn’t start correctly.
From the previous chapter we already know that if we see an HTTP 502 status code instead of the Kibana 6 interface, the systemctl commands below will restart the services for us:
systemctl restart elasticsearch
systemctl restart kibana
Welcome back to a tutorial series on running and exploring Zentral in more detail. In this chapter we launch our “Zentral-all-in-one” instance. We set up our Let’s Encrypt TLS certificate, create an admin user to log in to the Zentral web interface, and prepare Kibana to show events from the zentral-events index.
The previous chapters and an overview of Zentral can be found here for review:
Now let’s start!