Slide deck delivered at the April Splunk User Group in Edinburgh: Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics.
Sign up to the group here: https://usergroups.splunk.com/group/splunk-user-group-edinburgh/
An application that runs on Splunk Enterprise and typically addresses several use cases. An app contains one or more views. An app can include various Splunk Enterprise knowledge objects such as reports, lookups, scripted inputs and modular inputs. An app sometimes depends on one or more add-ons for specific functionality.
Integrate Apps to carry out alerting actions based on scheduled searches and reports. Give examples of Workflow actions/Ticketing/Running Scripts. Simplify the onboarding process by using a vendor specific app which will contain the config to format the data as required, i.e. no need to create field extractions etc. Create custom visualizations based on non standard templates.
Splunkbase has over 1000 different apps including both free and premium apps. You will find a selection of different apps for a wide variety of products which may have been developed by the vendor or a member of the community. Often the apps developed by vendors will have some sort of integration with the tool itself, e.g. Cisco ISE, Carbon Black, AWS.
In order to develop a Splunk App you don't have to be a developer or have much experience with any sort of complicated programming language. You can simply use the Web Interface to create all of the visualisations and configure the layout using the GUI. Although there were always going to be limitations to being able to point and click to create an app: you don't have the degree of granularity that you would using XML.
XML provides increased granularity compared to using the GUI. Everything becomes customisable.
Never created Splunk apps before until now. Recently created an app for the ECS Splunk Hackathon to guide and teach Splunk to novice users. The app not only had to provide the instructions for the hackathon but a guide on how to craft searches, reports, dashboards etc. Built in custom visualization. Provided a dashboard for marking and submitting solutions.
Requirements included: somewhere to provide an overview of the hackathon; a list of teams competing; how to use Splunk; examples of how to build a search; a page to display the solutions submitted by each team for marking purposes; and somewhere to advertise our current vacancies.
It can be seen that the app follows the ECS colour scheme and uses the logo. The menu bar is completely customizable. Most of the pages are XML, so great for formatting the page. At the backend all the config is saved in the app – easy to copy and re-use.
Live dashboards running. Explanations of how the search was created and what each command is capable of.
The same survey showed that over half of the respondents are trying to employ more entry level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs, and furthermore are turning to audits and compliance activities to overcome the SIEMs' drawbacks.
• Housekeeping: Overview & House Rules
• Presentation & Demo: Building Splunk Apps
• Group Discussion: In-House Developed Apps
• Presentation: Development Paths & Splunk Certification
• Presentation & Demo: Splunk User Behaviour Analytics
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing
user group experience for our users, where
they contribute and get involved”
● User Lead Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
Alumnus of Edinburgh Napier University
ECS - Associate Security Consultant
What is an App?
Visualization, Analysis & Action
● Apps deliver a user experience designed to make Splunk immediately
useful and relevant for typical tasks and roles.
● Apps simplify and optimize user tasks, yet allow access to the data and
functions of the full platform.
– Pre-built dashboards, reports, alerts and workflows
– In-depth data analysis for power users
– Point-and-click analytics to empower business users
What can we do with them?
● Most apps are focused on:
– Carrying out Alert Actions
Where do we get them from?
– Splunkbase has a library of 1000+ apps and add-ons from Splunk,
Partners, and the community.
– Splunkbase has a range of Premium Apps or Free Apps for a manner of
● Or Develop them yourself!!!
How can I Develop an App?
Splunk Web Form Editor
● You don’t have to be a developer
or familiar with XML Scripting to
create an App.
● Splunk Web makes it easy to
create a UI in a simple point and
How can I Develop an App?
Edit XML Directly
● If you have some familiarity with
Simple XML, but you are not a
developer per se, and you want to
create/customize your dashboards
beyond what you can do in the
Splunk Web editor
● Then you can hack away on the
XML using your favorite text editor
or in browser with Splunk Web.
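An added example of the kind of Simple XML that goes beyond the point-and-click editor: a form with a time picker, an HTML panel explaining how the search was built, and a live chart of the same search beside it, as the hackathon app's walkthrough pages do. This is not code from the deck or from the ECS app; the file name under the app's default/data/ui/views/ directory and the token name are assumed.

```xml
<!-- Added example: default/data/ui/views/search_walkthrough.xml (file name assumed) -->
<form>
  <label>Search walkthrough: splunkd log levels</label>
  <fieldset submitButton="false">
    <!-- Time picker; its value is available as $time_tok.earliest$ / $time_tok.latest$ -->
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>How this search was built</title>
      <!-- Static HTML panel: the explanation sits next to the live result -->
      <html>
        <ol>
          <li><code>index=_internal sourcetype=splunkd</code> selects Splunk's own daemon log,
              so the search works on any Splunk Enterprise instance.</li>
          <li><code>timechart span=1h count by log_level</code> buckets events per hour,
              split by severity.</li>
        </ol>
      </html>
    </panel>
    <panel>
      <title>Live result</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | timechart span=1h count by log_level</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Change the query, the panel text and the chart options in one place and the whole app picks it up, because the view lives in the app's own configuration directory.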
Make it your own
● You can add your own artefacts to the Apps configurations to improve
the appearance or the functionality
● Add your own images, emblems, logos etc.
● Configure workflow actions to trigger a script to carry out a specific
action taking parameters from the output of the search/report
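The custom menu bar is configured in the app's navigation file. The following is an added example, not the deck's or the ECS app's own file: it groups the guide pages under one drop-down, keeps the built-in search view reachable, and adds an external link for the vacancies page the requirements mention. The view names and the URL are assumed; each view name must match a dashboard file in default/data/ui/views/.

```xml
<!-- Added example: default/data/ui/nav/default.xml (view names and URL assumed) -->
<nav search_view="search" color="#1A4D7A">
  <!-- First menu entry and the view opened when the app launches -->
  <view name="overview" default="true"/>
  <!-- A drop-down grouping several guide pages under one heading -->
  <collection label="Learn Splunk">
    <view name="how_to_search"/>
    <view name="reports_and_dashboards"/>
    <view name="teams"/>
  </collection>
  <!-- Marking/submission dashboard as a top-level entry -->
  <view name="marking"/>
  <!-- Built-in search view kept available alongside the custom pages -->
  <view name="search"/>
  <!-- External link in the menu bar (assumed URL) -->
  <a href="https://example.com/vacancies">Vacancies</a>
</nav>
```

The color attribute sets the menu bar colour, which is how the app picks up the organisation's colour scheme without touching any CSS.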
My approach to Developing Apps
● A combination of using both the Web Form Editor and the writing XML
can go a long way...
● The Web Form Editor is great for creating a simple template with views
● However writing the XML provides a much more granular approach to
configuring the layout and appearance of the Apps
● Using XML allows for creation of much more advanced dashboards and
ECS Splunk Hackathon App
● We needed a central location to outline the instructions, guidelines
and SPL language support etc
● The most elegant solution was to create an ECS branded app to house
all of the information in
Certificates and Badges
Splunk Certified Admin
DATE: Jun 14, 2016 VERSION: 6.3
Duration of certification
Splunk Certified Power User = 24.5 hours
Creates and manages knowledge objects that are used across an organization.
● Training: Using Splunk | Searching and Reporting with Splunk |Creating Splunk
Knowledge Objects | Splunk Infrastructure Overview
Splunk Certified Administrator = 21 hours
System administrators who manage a Splunk Enterprise environment.
● Training: Enterprise System Administration | Enterprise Data Administration
Splunk Certified Architect = 20 hours
Design and implement Splunk installations including enterprise-level deployments.
● Training: Advanced Dashboards and Visualizations | Architecting and Deploying Splunk
| Splunk Cluster Administration | Advanced Searching and Reporting
Courses for Splunk Cloud Customers
Splunk Education's learning path for Splunk Cloud customers offers courses for end users as well those
in charge of managing Splunk Cloud users, data inputs, and configurations.
Courses for App Developers
Harness the power of Splunk's Web Framework. Create rich, interactive dashboards and forms, and
package Splunk knowledge objects for distribution across your organization, or share your
masterpiece with the world on the Splunk Apps site.
Courses for Enterprise Security Customers
Learn to install, configure, manage, and use the Splunk App for Enterprise Security. Two learning paths
cover both security analysts and Splunk administrators or architects.
Courses for IT Service Intelligence Customers
Learn to install, configure, manage, and use Splunk for IT Service Intelligence (ITSI). Learn about ITSI
architecture, deployment planning, installation, service design and implementation.
Legacy SIEM type technologies aren’t
enough to detect insider threats and
advanced adversaries and are poorly
designed for rapid incident response.
SIEM: Security Information & Event Management
68% of respondents in the survey said that
indicated changes without specifying what
the change was.
Events of Interest
81% of respondents said that SIEM reports
contain too much extraneous information and were
2016 SIEM Efficiency Survey, conducted by Netwrix
Accelerating Pace of Data
Volume | Velocity | Variety | Variability
ANOMALY DETECTION THREAT
What is Splunk
User Behavioral Analytics?
John connects via VPN
Administrator performs ssh (root) to a file share
- finance department
John executes remote desktop to a system
(administrator) - PCI zone
John elevates his privileges
root copies the document to another file share
- Corporate zone
root accesses a sensitive document
from the file share
root uses a set of Twitter handles to chop and
copy the data outside the enterprise
Coming Splunk Events!
● International Conference on Big Data in Cyber Security in Edinburgh
– by the Cyber Academy @ Wed 10 May 2017, 09:00 – 17:00 BST
– ECS Splunk Hackathon in the Morning!
● SplunkLive! at Intercontinental at the O2, London
– by Splunk @ Thur May 11th, 2017, 09:00 – 17:00 BST
– ECS Key Sponsor!
● Splunk User Group Edinburgh
● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh
● Present & Share at the User Group?
‣ Harry McLaren | email@example.com | @cyberharibu | harrymclaren.co.uk
‣ ECS | firstname.lastname@example.org | @ECS_IT | ecs.co.uk