
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security

Slide deck delivered at the June Splunk User Group in Edinburgh: Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security. Sign up to the group here: https://usergroups.splunk.com/group/splunk-user-group-edinburgh/

© 2017 SPLUNK INC.
Splunk User Group Edinburgh
Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Senior Security Consultant at ECS
● Leader of the Splunk User Group Edinburgh
Introduction to ECS
Strategic Splunk Partner - UK
– Type: Security / IT Operations / Managed Services
– Awards: Splunk Revolution Award & Splunk Partner of the Year
Agenda
• Housekeeping: Event Overview & House Rules
• Supporting Splunk at Scale with Chris Chalmers
• Splunking at Home with David Prior
• Introduction to Enterprise Security with Adam Thomson
• Latest Features in Splunk 6.6 with Richa Singh
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● User-Led Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
● We Have 140 Members!

Operations Data On Mobile - inSis Mobile App - Sample Screens
 
ppt penjualan berbasis online omset.pptx
ppt penjualan berbasis online omset.pptxppt penjualan berbasis online omset.pptx
ppt penjualan berbasis online omset.pptx
 
AWS Identity and access management for users
AWS Identity and access management for usersAWS Identity and access management for users
AWS Identity and access management for users
 
Industry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptxIndustry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptx
 
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfIIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
 
fundamentals of digital imaging - POONAM.pptx
fundamentals of digital imaging - POONAM.pptxfundamentals of digital imaging - POONAM.pptx
fundamentals of digital imaging - POONAM.pptx
 
Tips to Align with Your Salesforce Data Goals
Tips to Align with Your Salesforce Data GoalsTips to Align with Your Salesforce Data Goals
Tips to Align with Your Salesforce Data Goals
 
itc limited word file.pdf...............
itc limited word file.pdf...............itc limited word file.pdf...............
itc limited word file.pdf...............
 
Electricity Year 2023_updated_22022024.pptx
Electricity Year 2023_updated_22022024.pptxElectricity Year 2023_updated_22022024.pptx
Electricity Year 2023_updated_22022024.pptx
 
Business Analytics _ Confidence Interval
Business Analytics _ Confidence IntervalBusiness Analytics _ Confidence Interval
Business Analytics _ Confidence Interval
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
 
Unlocking New Insights Into the World of European Soccer Through the European...
Unlocking New Insights Into the World of European Soccer Through the European...Unlocking New Insights Into the World of European Soccer Through the European...
Unlocking New Insights Into the World of European Soccer Through the European...
 
A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)
 
Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023
 
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
 

Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security

  • 1. © 2017 SPLUNK INC. Splunk User Group Edinburgh
  • 2. Introduction - Harry McLaren ● Alumnus of Edinburgh Napier ● Senior Security Consultant at ECS ● Leader of the Splunk User Group Edinburgh
  • 3. Introduction to ECS – Strategic Splunk Partner - UK – Type: Security / IT Operations / Managed Services – Awards: Splunk Revolution Award & Splunk Partner of the Year
  • 5. Agenda • Housekeeping: Event Overview & House Rules • Supporting Splunk at Scale with Chris Chalmers • Splunking at Home with David Prior • Introduction to Enterprise Security with Adam Thomson • Latest Features in Splunk 6.6 with Richa Singh
  • 6. Splunk [Official] User Group – “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved” ● User-Led Technical Discussions ● Sharing Environment ● Build Trust ● No Sales! ● We Have 140 Members!
  • 7. Supporting Splunk at Scale – Chris Chalmers
  • 8. Christopher Chalmers – Alumnus of Edinburgh Napier University; ECS - SOC Analyst, Senior SOC Analyst and Associate Security Consultant
  • 9. What’s the scope? – Application Upgrades & Patching – Application Health Monitoring – Application Management – First Line Break/Fix – Data Management
  • 10. Clustered Environment
  • 11. My Challenges? ● Managing customer expectations ● Supporting a developing environment ● Human Error ● Universal Forwarders / logging ● Maintenance
  • 12. Where Do I Start? ● Management Console (AKA DMC) ● Splunk knows what's wrong! ● Btool and grep ● Documentation ● Community Support ● Vendor Support
  • 13. Troubleshooting ● Ulimits ● Hardware restrictions ● Duplication of logs (SPL-127095 / SPL127079) ● Warm / Hot Volume full ● Bucket Collision
  • 14. Thank You
  • 15. Splunking at Home – David Prior
  • 16. Enterprise Security – Adam Thomson
  • 17. Adam Thomson – Alumnus of Edinburgh Napier University; ECS - Associate Security Consultant
  • 18. Current Security Problems ● Organizations need scalable central logging and visibility, with the ability to efficiently analyze their data ● Large numbers of log sources, each of large volume, make it hard for analysts to identify anomalies ● Limitations in data integration are a huge setback, as no security context can be gathered from the data ● Rigid architecture limits the flexible analysis and customization that is needed
  • 19. Enterprise Security
  • 20. What is Enterprise Security? • Just another Splunk app with special requirements • Needs a dedicated search head • Has high Splunk performance requirements • Requires a fair amount of configuration to work properly • Helps find security threats and anomalies • Contains a number of supporting add-ons and technology add-ons to help it do its work
  • 21. ES is (mostly) just Splunk • Dashboards and Views (with some fancy |rest) • Data Models • Macros • Saved Searches • Summary Indexed Events • Eventtypes / Tags • Lookup Tables
  • 22. Bringing all the Logs together – Common Information Model (CIM) • Ingesting multiple data sources from a variety of vendors sounds like a tricky task • Splunk’s solution to this is the Common Information Model • CIM = Data Normalization • CIM gets applied at Search Time
  • 23. ES Architecture • Current ES recommendations go beyond those for core Splunk • Core: 12 CPU / 12 GB RAM (Indexer) • Core: 16 CPU / 12 GB RAM (SH) • ES: 16 CPU / 32 GB RAM (Indexers and SH) MINIMUM! • Recommended volume / indexer / day is 100 GB MAXIMUM! • This is primarily to manage search load • Less volume if the environment also has IT SI or other apps • ES requires its own dedicated search head – no other apps!
  • 24. What data? All Data is Security Data
  • 25. How does it all come together? A collection of Frameworks
  • 26. Notable Events – Where Correlation Searches are Surfaced
  • 27. Asset and Identity – Know your estate and who’s using it
  • 28. Risk Analysis – Risk score displayed in Incident Review for each Notable Event; adds context to the event
  • 29. Threat Intelligence/Data – Indicators Everywhere…
  • 30. Adaptive Response Actions – Mitigate the Threat
  • 31. Adaptive Response – Analytics-driven Decisions and Automation
  • 32. Supporting Security Operations – Alerting, Monitoring, Auditing, Correlations, Incident/Breach Response
  • 33. An Analytics-driven SIEM
  • 34. Enterprise Security Demo
  • 35. Thank You
  • 36. Latest Features in Splunk 6.6 – Richa Singh
  • 37. Agenda – Introduction to Splunk 6.6; What's there for end-users?; What's there for administrators?; What’s there for SPL Ninjas?; Before you upgrade to 6.6!; Case Study; Questions
  • 38. Introduction to Splunk 6.6 ● The Splunk 6.6.0 minor release, published in May 2017, addresses the following areas: ● Environment performance & enhancement features ● A number of new features for end users ● Cluster-related features ● New Visualizations
  • 39. What's there for end-users? Dashboard Drilldown Editor; Dashboard Search Controls; Table Dataset Exploration; Trellis Layout
  • 40. What’s there for SPL Ninjas? Enhanced search editing; Search optimizer improvements; New union SPL command; New SQL-like IN SPL operator; Auto-format search syntax
  • 41. What's there for administrators? – “How about some productivity enhancements for the almighty admin?” Search Head Clustering enhancements; Indexer Clustering user interface; Forwarder site high availability in multisite indexer cluster; Volume-based data forwarding; Packaging toolkit; Reassign knowledge objects; Data Quality Dashboards; 11 new REST API(s)
  • 42. Before you upgrade to 6.6! Compatibility of apps and add-ons; Upgrade path for full Splunk Enterprise & UF; Upgrade notes for search head & index clusters; Customers who run version 6.4.7 of Splunk Enterprise might reintroduce software defects by upgrading to version 6.6.0 or 6.6.1; A new load-balancing scheme & 'autoLB' universal forwarder setting in outputs.conf; Data model acceleration sizes on disk might appear to increase; The number of potential data model acceleration searches has increased; Protection for the '/server/info' REST endpoint is now on by default
  • 43. Case Study & Reviews
  • 44. QUESTIONS?
  • 45. Thank You
  • 46. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via www.splunk402.com/chat – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk
  • 47. Thank You

Editor's Notes

  1. Application Upgrades & Patching: Analyse each Splunk software release on publication and determine its relevance and importance to the customer's estate. When required, upgrades are applied to all Splunk software applications via the change control process.
     Application Health Monitoring: Monitor the performance of the system on a 24/7 basis. This can cover upticks in events, day-to-day capacity (disk space, memory, CPU, index size), log sources and user searches.
     Application Management: Use case management, rule management and app / TA upgrades, including changes to ES searches.
     First Line Break/Fix: Responsible for fixing any deficiencies within the Splunk deployment and, where required, liaising with Splunk Inc. This is done via an app developed by ECS which can alert on-call engineers out of office hours.
     License Usage: To ensure that the customer does not exceed their Splunk software license, and that projected license use is clearly understood, the engineering function monitors current utilization.
     Incident Awareness: Where appropriate, raise platform-related incidents in the customer's service portal and communicate issues, with updates, to key stakeholders.
     Data Onboarding: Support data onboarding activities to verify that data is successfully coming into the Splunk environment via universal forwarders and syslog. This also includes input configuration to allow Splunk to index the data.
     Data Restoration: Subject to sufficient storage and provision for data to be frozen, ECS engineers shall restore from archive any data that has been frozen, at the request of the customer.
  2. Automation tools
  3. Splunkd Scheduler Metrics license
  4. Ulimits: Traffic was being dropped on Splunk ports and engineers were being alerted to outages on indexers, despite all of them appearing to be available by the time the engineer responded. There was no evidence to suggest the outages were caused by resource utilisation, so the support team performed a destructive resync. This didn't work. Further investigation found “Network-Layer error: No route to host.” Later we discovered that the ulimit settings for “Max User Processes” and “Open Files” were too low. These are restrictions put in place to stop users consuming too many resources. The number of open files is obvious in the case of indexers writing data. Max user processes needs to accommodate all Splunk threads; threads grow with every concurrent HTTP connection, parallel pipelines, the KV store and concurrent searches.
     Hardware Restrictions: In the beginning the biggest bottleneck within our environment was system memory: running indexers on around 30 GB of memory at a time when we were indexing up to 800 GB a day, running Enterprise Security with CIM data models. The number of searches hitting the indexers would quite often trigger the kernel's OOM (out-of-memory) killer, which killed splunkd processes as they were consuming dangerous amounts of memory. To overcome this we lightened the load on the system by disabling some of the larger data models and restricting the number of concurrent searches the SHC could perform by 20%. This was a tactical measure until the customer could provision more hardware.
     Duplication of Logs: We noticed multiple copies of every single log. Running a search that counted raw events and distinct raw events, then dividing one by the other, showed the duplication. A case was created with Splunk support and after some investigation they discovered this was a bug. The bug affected users who used indexer discovery on multisite clusters, affecting 6.4.1 – 6.4.3. Whenever a peer in the cluster goes down the data starts duplicating, and when the peer comes back up the data still continues to index multiple times; the issue doesn't completely go away. This was fixed in Splunk 6.4.4.
     Warm Index Volume Full: Splunk hot buckets were not rolling to warm, and the support team were made aware via alerting. The volume was at around 91% capacity whilst the Splunk configuration stated the bucket should roll at 88% (4.8 TB). Further investigation showed that data from a previous investigation had been moved here and not deleted, around 495 GB of data. Once the data was removed from this volume the used capacity shrank and Splunk began to function as expected. From what we understand from this investigation, Splunk only appears to measure its own usage. Two settings in our case came into play: maxVolumeDataSizeMB would never be reached because technically Splunk could only use 4.5 TB of data.
     Splunkd Refuses to Start on Indexers: Splunkd refused to start following OS patching. Other indexers patched during this time appeared to restart without an issue. Splunkd and crash logs were observed from the console. First time I'd ever seen a log level of fatal. The message read “Detected directory manually copied into its database, cause id conflicts”. A number of duplicate db (primary bucket) and rb (replicated bucket) files existed on the indexer. In order for Splunk to operate it required one of these duplicates to be removed; since it couldn't make the decision itself, it just refused to start. Despite having potentially uncovered the root cause, as a matter of diligence we raised a support ticket with Splunk to ensure unnecessary data wasn't being removed. They confirmed our findings and passed on instructions on how to proceed. We believe this was caused by the indexer cluster not being placed in maintenance mode before the indexer was shut down. Maintenance mode essentially halts bucket replication and fix-up activity (except for primary bucket fix-up).
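The ulimit and volume-capacity failures in note 4 can be caught before they page anyone. The pre-flight script below is an added example, not ECS's or Splunk's code: it assumes the open-files and max-user-processes minimums that Splunk's documentation recommends (64000 and 16000), takes the volume path and the configured maxVolumeDataSizeMB as arguments, and should be run under bash as the splunk user so the limits it reports are the ones splunkd actually gets.

```shell
#!/bin/sh
# Added example, not from the slide deck: a pre-flight check for the two
# failure modes in note 4, ulimits that are too low for splunkd and a
# hot/warm volume that can fill up before Splunk's own cap is reached.
# OPEN_FILES_MIN / USER_PROCS_MIN are the minimums Splunk's documentation
# recommends; confirm them against the docs for your version (assumption).

OPEN_FILES_MIN=64000
USER_PROCS_MIN=16000

# limit_ok CURRENT MIN: succeeds when CURRENT is "unlimited" or a number >= MIN.
# A non-numeric value (e.g. empty output from a failed ulimit call) fails.
limit_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

# volume_pct USED_MB TOTAL_MB: prints the integer percentage of the volume in use.
volume_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# cap_reachable FOREIGN_MB TOTAL_MB MAX_VOLUME_MB: succeeds when the space left
# after data Splunk does not own is still at least maxVolumeDataSizeMB. When
# this fails, Splunk's accounting of its own usage never reaches the cap, so
# hot buckets do not roll and the filesystem fills first (the case in note 4).
cap_reachable() {
    [ $(( $2 - $1 )) -ge "$3" ]
}

# run_checks VOLUME_PATH MAX_VOLUME_MB: live check of the calling user's
# ulimits (bash/ksh flag names) and of one volume. Returns 1 on any WARN.
run_checks() {
    vol_path=$1
    max_volume_mb=$2
    rc=0

    for spec in "open files:-n:$OPEN_FILES_MIN" "user processes:-u:$USER_PROCS_MIN"; do
        name=${spec%%:*}; rest=${spec#*:}; flag=${rest%%:*}; min=${rest#*:}
        cur=$(ulimit $flag 2>/dev/null) || cur=
        if limit_ok "$cur" "$min"; then
            echo "OK   $name = $cur (min $min)"
        else
            echo "WARN $name = ${cur:-unknown}, below $min; raise it in limits.conf"
            rc=1
        fi
    done

    # df -Pm: POSIX format in 1 MB blocks; column 2 = total, column 3 = used.
    set -- $(df -Pm "$vol_path" | awk 'NR == 2 { print $2, $3 }')
    total_mb=$1
    used_mb=$2
    splunk_mb=$(du -sm "$vol_path" | awk '{ print $1 }')
    foreign_mb=$(( used_mb - splunk_mb ))
    echo "volume $vol_path: $(volume_pct "$used_mb" "$total_mb")% used," \
         "$foreign_mb MB not owned by Splunk"
    if cap_reachable "$foreign_mb" "$total_mb" "$max_volume_mb"; then
        echo "OK   maxVolumeDataSizeMB=$max_volume_mb is reachable"
    else
        echo "WARN maxVolumeDataSizeMB=$max_volume_mb cannot be reached;" \
             "remove foreign data or lower the cap"
        rc=1
    fi
    return $rc
}

# Only run the live checks when invoked directly with both arguments, e.g.
#   bash splunk_preflight.sh /opt/splunk/var/lib/splunk 4325376
if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

A non-zero exit from the script is what to wire into the on-call alerting the notes describe, so the check fails loudly before hot buckets stop rolling.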
  5. Splunk have made an attempt at addressing these problems with their SIEM tool, Enterprise Security. ES has been designed to take you through the entire process, from monitoring for threats to actually handling the incident which has been discovered. To aid the monitoring and event triage processes, ES has been developed with a bunch of features: notable events to highlight and help prioritize what needs investigating; a way of correlating across multiple log sources to track down the root cause of the problem; a means of enriching your data and assigning context to who and what assets have been affected. It also allows you to bring in threat data from external sources to provide wider coverage and monitoring, and has a risk scoring framework which helps prioritize investigations.
  6. A dedicated Splunk SH to handle its excessive load: all background searching, data model building, macros running, etc. Config mainly revolves around data onboarding: data must be aligned to the CIM, otherwise ES won't use it. TAs help do some of the initial data onboarding and CIM mapping.
  7. What is a notable event? A correlated event, generated from a correlation search running in the background. Urgency is calculated based on the severity of the event and the priority of the asset.
  8. Understanding where assets are and who owns them, their criticality and who should be accessing them helps prioritize security events and investigations. ES has the ability to integrate your asset and identity information through the use of lookup files. These then populate the data models and are used in a variety of out-of-the-box searches, help populate dashboards and assign urgency to notable events.
  9. The Risk Scoring Framework enables a risk score to be applied to any event, asset, behavior or user based on its relative importance or value to the business. This helps security teams prioritize alerts based on predefined thresholds, while also exposing the contributing factors of the risk to all relevant teams, so they can easily track their security status to understand and actively manage overall business risk. Risk scores are applied to notables to determine the impact of an incident quickly, and can be used to generate actionable alerts for matters that require immediate attention. The Risk Object filter works by performing a reverse lookup against the asset and identity tables to find all fields that have been associated with the specified Risk Object. All associated objects found by the reverse lookup then display on the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk Analysis dashboard will update to display any risk score applied to the 10.10.1.100 address and the MAC address. If no match to another object is found in the asset table, only the IP address matches from the Risk Analysis data model will be displayed.
  10. ES allows for collection, aggregation and de-duplication of threat feeds. Supports STIX/TAXII and OpenIOC feeds. Out-of-the-box Activity and Artifacts dashboards. Applies the data to correlation searches and alerts on your users' behavior compared to your threat data.
  11. View Anomaly Detection: View data in the form of dashboards and reports to quickly identify anomalous behaviors and trends related to assets and identities in the environment.
  12. Enhance incident response and investigations by leveraging and correlating data from a broad set of sources, including security and non-security data collected from across the organization, and supplemented with internal and external threat intelligence and other contextual information.
  13. Accelerate Table Dataset: Users can now accelerate tables from the Datasets listings page. Time-Range Picker: Previously, users could either select preview rows and view 50 random events, or specify a time range and view the results in the summarize fields view. Now, users can view the events in the dataset by selecting a time range. Edit Table: Users can easily navigate to the Table Editor by selecting the "Edit Table" option. Schedule Report: Users can schedule their datasets to run as a report and view the results on the Reports listings page. Export Dataset in various formats. Trellis: Show multiple similar visualizations at once to compare across different segments of a dataset with one single query.
  14. Search Optimizer: built-in optimizations that analyze and process searches for maximum efficiency, filtering results as early as possible to reduce the amount of data that needs to be processed. Predicate Splitting: taking a predicate with multiple parts and, when possible, moving the parts to an earlier place in the search, making it run faster and more efficiently. Projection Elimination: analyzes your search and determines if any of the generated fields specified in the search will not actually be used to produce the search results. If generated fields are identified that can be eliminated, an optimized version of the search is run; your search syntax remains unchanged. Event Tagging Control: a directive added to control how much event-type and tagging occurs, improving search performance. SPL "union" Command: merges the results from two or more datasets into one dataset. One of the datasets can be a result set that is then piped into the union command and merged with a second dataset. It appends or merges events from the specified datasets, depending on whether the dataset is streaming or non-streaming and where the command is run; it runs on indexers in parallel where possible, and automatically interleaves results on _time when processing events.
  15. Key Features for SEARCH HEADS: Ensures continuous replication of knowledge objects across the SHC members. Intelligent captain selection: prevents out-of-sync SHC members from becoming captain. Simplified SHC quota management: provides independent controls for user/role and system-wide quota management. Optimized bundle push and replication: improved bundle push and replication performance. Key Features for INDEXERS: Improved scalability: scale up to 5+ million cluster-wide unique buckets and 15+ million total buckets. Indexer node offline without search disruption: avoids search disruption by automatically ensuring the primary copy of all buckets is available prior to taking a node offline. Faster indexer recovery: performance improvements to lower CM load and enable faster recovery in case of node failures.