© 2022 SPLUNK INC.
Splunk PNW User Group
09 March, 2022
If you did not have an opportunity to complete the form to receive a lunch voucher* from DTEX, please PM the email address associated with your Grubhub account** via Zoom chat to Bryan Duncan or Jennifer Phillips.
* Voucher is good for today only.
** Email address will NOT be shared.
Thank you to today’s sponsor!
Agenda
Topic | Speaker | Organization | Start | End
Welcome | Amanda Richardson | Splunk | 11:00am | 11:05am
News and Updates | Joshua Marsh, Amanda Richardson | Splunk | 11:05am | 11:20am
RBA Implementation Lessons Learned | Brad Werner | Nordstrom | 11:20am | 11:45am
ES 7.0 update | Dan Hogland | Splunk | 11:45am | 12:00pm
Little Pain, Much Gain - Splunk at Intel Engineering | Yaron Kretchmer, Matthew Bruehl | Intel Corporation | 12:00pm | 12:25pm
UEBA tool for insider threat detection demo | Andy London | DTEX | 12:25pm | 12:45pm
Wrap-up | Amanda Richardson | Splunk | 12:45pm | 1:00pm
“.conf21 gave me the ability to immerse myself in all things Splunk for two full days, I learned so much.”
— John Whitefield, Progressive Insurance, IT DevOps Eng. Senior
MGM Grand, Las Vegas, NV | June 13–16
Virtual | June 14–15
Join us for a hybrid experience and learn why data is key to achieving better outcomes.
Empowering Business Users with Pre-Structured Data
Tech Talk: Support less technical users in your org!
Splunk includes multiple no-code features that allow users to explore,
analyze, and pivot the data in Splunk.
Learn how to structure your data and configure Splunk to enable these
analytic tools and see an overview of how to use pivot tables and other
no-code features.
Watch the Tech Talk to learn about:
● Indexing and Enriching data with known source types and lookups, so
that all business information is easily searchable for your users
● Building data models to structure your Splunk data, to enable pivot
tables for your business users
● Exploring, analyzing, and pivoting your Splunk data with no-code
features
Watch on demand
"Blue-collar for the blue team." And that's SURGe in a nutshell. Practitioners, storytellers, and old UNIX
plumbers who think differently and work on problems that we wish everyone had already solved.
You can sign up for our rapid response alerts here splunk.com/surge
Thank You!
Accelerate Security Operations with Contextual Human
Intelligence & Endpoint Telemetry
Andy London
Senior Director of Solutions Engineering & Architecture
DTEX Systems
DTEX InTERCEPT Platform
Use cases: Insider Threat (UAM+UEBA), Data Loss Prevention (DLP), Digital Forensics, Fraud, Risk & Compliance, Credential Theft (ATT&CK)
DMAP + Technology: a patent-pending, real-time correlation of DMAP telemetry introspection and predictive modeling that leads to accurate detection of insider threats at scale
Encryption layer: Employee Privacy & GDPR Compliance
Third-party integrations: ES, SOAR, UEBA
Unified telemetry from user endpoints, server endpoints, VDI, cloud and other sources; zero-impact agent, 5 MB per day (per endpoint)
What Is Next-Gen Insider Threat?
Insider threat behaviors: malicious insiders, negligent insiders, compromised insiders, data loss behaviors, behavioral indicators
Insider Threat Detection (UAM + UEBA)
Solution areas on the slide: Risk, Audit and Compliance; Data Loss Prevention; Server Security; Forensic Investigations
Behavior categories: Malicious Behavior; Compromised Behavior (MITRE ATT&CK™); Negligent Behavior
Use cases listed on the slide (the extraction does not preserve which column each belongs to):
• Automated Risk Reporting (Benchmark & Baseline)
• Wireless Transfers (e.g. Airdrop / Bluetooth)
• Privileged Account Misuse
• Audit trail of all activities
• Bypass of Security Controls
• Unusual Privilege Escalation
• Teachable Moment Reporting
• Inappropriate internet usage
• USB device usage
• File Integrity Monitoring (FIM) Contextualization
• Leavers Forensic Audit (365)
• JSP Backdoor Detection
• Accidental Data Loss
• Use of personal webmail
• Instant Messaging Applications
• SWIFT Server Monitoring
• Joiners Forensic Audit (Probation Period)
• Obfuscation & Covering Tracks
• Domain Fronting
• Use of Non-sanctioned software
• System configuration changes
• Upload to Cloud Storage (Online File Sharing)
• Unusual application behavior
• File lineage
• Unauthorized Use of Administrative / Cyber / Hacking Tools
• Lateral Movement
• Online File Sharing Misuse
• Unauthorized use of decommissioned accounts and/or assets
• Personal vs Corporate Webmail (e.g. Gsuite)
• Unusual Database behavior
• Rogue applications
• Flight Risk + Data Loss
• ToR & Proxy Bypass
• Shadow IT
• Business continuity reporting
• Printing
• Abnormal internet activity
• On / Off Network Monitoring
• Malicious or Unusual Application Behavior
• Bulk Transfer Utilities
• FTP / sFTP / SCP
• Bastion / Jump Server Monitoring
• DMAP Contextual Audits (Data Machine Application People)
• Portable Application Use
• Unusual Data Aggregation
• Instant Messaging Usage
• Unauthorized use of communication software
• Confidential / Sensitive File Transfers
• Unusual Service Account Behavior
• User to Admin Account Correlation
How Organizations Are Utilizing DTEX InTERCEPT with Splunk
How Organizations Are Utilizing DTEX InTERCEPT with Splunk ES & Phantom
Forward-Looking Statements
This presentation may contain forward-looking statements regarding future events, plans or the
expected financial performance of our company, including our expectations regarding our products,
technology, strategy, customers, markets, acquisitions and investments. These statements reflect
management’s current expectations, estimates and assumptions based on the information currently
available to us. These forward-looking statements are not guarantees of future performance and involve
significant risks, uncertainties and other factors that may cause our actual results, performance or
achievements to be materially different from results, performance or achievements expressed or implied
by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those
described in the forward-looking statements made in this presentation, please refer to our periodic
reports and other filings with the SEC, including the risk factors identified in our most recent quarterly
reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the
Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov.
The forward-looking statements made in this presentation are made as of the time and date of this
presentation. If reviewed after the initial presentation, even if made available by us, on our website or
otherwise, it may not contain current or accurate information. We disclaim any obligation to update or
revise any forward-looking statement based on new information, future events or otherwise, except as
required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated into
any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other
countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.
Little Pain, Much Gain: Splunk at Intel Engineering
PLA1680A
Yaron Kretchmer, Sr. Director, Design Infrastructure | Intel Corp.
Matthew Bruehl, Analytics Lead | Intel Corp.
Notice and Disclaimers
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its
subsidiaries. Other names and brands may be claimed as the property of others.
Intel technologies may require enabled hardware, software or service activation.
No product or component can be absolutely secure.
Your costs and results may vary.
Results have been estimated or simulated.
Statements in this document that refer to future plans or expectations are forward-looking statements. These
statements are based on current expectations and involve many risks and uncertainties that could cause actual
results to differ materially from those expressed or implied in such statements. For more information on the factors
that could cause actual results to differ materially, see our most recent earnings release and SEC filings at
www.intc.com.
Agenda
1. Why Are We Here?
2. Chip Design at Intel
3. How We Leveraged Splunk Ecosystem
4. Growth of Splunk at Intel Engineering
5. Wins and Pain Points
Why Are We Here?
Convince / Describe / Talk / Get Your Feedback
It Takes a Village to Design a Chip
• Interdisciplinary work
• Chip design depends heavily on thorough and insightful analytics
• Our analytics team is small
But we can’t afford another village to support the big village
Intel’s Worldwide Manufacturing Network
Chip Design: 10,000 Foot View
The most important attributes and variables in processor chip design:
What is the chip’s performance vs…?
What is the chip’s power vs…?
What is the impact of layout on…?
What is the timing of the sub-designs…?
Are the manufacturing processes…?
How We Leveraged the Splunk Ecosystem
Multiple, unique use-cases with distinct requirements, supported by:
• Full stack functional safety metrics
• Monitoring tools
• A small set of building blocks
• Multi-tenant environment
Splunk Ecosystem - Dashboards and Visualizations
• Splunk’s visualization capabilities are rich
• Provides flexibility with XML dashboards
• Enables freedom to customize almost anything
• And a variety of add-on custom visualizations from Splunkbase
Splunk Ecosystem - Connectivity
• Splunk DB Connect allows for connectivity into existing solutions
• Splunk Enterprise: one interface to access and query databases and data sources
• Accessing data from different databases provides new opportunities for analytics, visualization and insights
• Increased connectivity enables more informed decisions on optimal resource utilization
Splunk Ecosystem - Standardizing Data Ingestion
• Primary reason: difficult for systems to individually "pull" data, easier to “push”
• Accessing storage is difficult, but HEC (HTTP Event Collector) makes it easy
• Focus is structured data, versus log files
• HEC supports variable schema structured data
• Variable schema allows us to evolve metrics of interest
Splunk Ecosystem - Access Control Standardization
• Splunk ‘roles’ (RBAC) allow for use-case customization at the application, index and individual user level
• Solution: a multi-tenant environment with LDAP access controls enables a small team to manage demands of a large organization
• Advantage: easy to monitor access through web-based LDAP management interface
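The multi-tenant split rests on the role stanzas in authorize.conf, and the check a practitioner wants is whether any tenant role quietly widens beyond its indexes. The following is an added example, not Intel's tooling: it parses role stanzas and flags wildcard index grants, inheritance from the admin role, and admin-level capabilities. The role names, index names and the sample authorize.conf are constructed; the setting names (importRoles, srchIndexesAllowed, srchIndexesDefault, srchFilter) and capability names are Splunk's.

```python
"""Audit Splunk role definitions (authorize.conf) for over-broad access.

Added example, not Intel's tooling. The sample config is constructed;
the stanza/setting names are the ones Splunk uses.
"""
import configparser

# Capabilities that effectively make a role an administrator.
ADMIN_CAPS = {
    "admin_all_objects", "edit_user", "edit_roles", "edit_authentication",
    "delete_by_keyword", "rest_properties_set", "change_authentication",
}

SAMPLE_AUTHORIZE_CONF = """\
[role_eng_blocka]
importRoles = user
srchIndexesAllowed = eng_blocka;eng_common
srchIndexesDefault = eng_blocka
srchFilter = design=blockA

[role_eng_blockb]
importRoles = user
srchIndexesAllowed = eng_blockb;eng_common
srchIndexesDefault = eng_blockb

[role_eng_power]
importRoles = power;admin
srchIndexesAllowed = *
delete_by_keyword = enabled

[role_eng_readonly]
importRoles = user
srchIndexesAllowed = eng_*
"""


def parse_roles(conf_text: str) -> dict:
    """Return {role_name: {setting: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def split_list(value: str) -> list:
    """Splunk stores multi-valued settings as ';'-separated strings."""
    return [v.strip() for v in value.split(";") if v.strip()]


def audit_roles(roles: dict) -> dict:
    """Return {role_name: [finding, ...]} for roles with over-broad access."""
    findings = {}
    for name, settings in roles.items():
        issues = []
        allowed = split_list(settings.get("srchIndexesAllowed", ""))
        if "*" in allowed or "_*" in allowed:
            issues.append("srchIndexesAllowed grants every index")
        wildcards = [i for i in allowed if "*" in i and i not in ("*", "_*")]
        if wildcards:
            issues.append(f"index wildcard(s) {wildcards} widen as new indexes are created")
        parents = split_list(settings.get("importRoles", ""))
        if "admin" in parents or "sc_admin" in parents:
            issues.append("inherits the admin role")
        enabled = {k for k, v in settings.items() if v.strip().lower() == "enabled"}
        granted_admin = sorted(enabled & ADMIN_CAPS)
        if granted_admin:
            issues.append(f"admin-level capabilities: {granted_admin}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for role, issues in audit_roles(parse_roles(SAMPLE_AUTHORIZE_CONF)).items():
        print(role)
        for issue in issues:
            print("  -", issue)
```

Point it at the merged view of authorize.conf from the search head (the effective config, not a single app's copy), since a role defined in one app can be widened by a stanza in another.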
Splunk Ecosystem - Massive Data Volumes
• The ‘out-of-the-box’ ingestion with HEC is suitable for most of our use cases
• Kafka connector designed and built to ingest high volume batch compute records via HEC endpoint
• Many accelerated data models built to analyze/chart the performance of batch compute tasks on metrics across 100s-million of events
Splunk Ecosystem - Machine Learning
• ML models to detect quality outliers for design submissions based on historical data
• Capabilities for extending commands with custom scripts to apply ML analysis for internal product applications like design quality forecasting
• Schedule and design closure trends based on up-to-the-minute design metrics and indicators
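One shape such an outlier model can take, as an added example rather than Intel's own model: each design's submissions are scored against that design's history with a median/MAD robust z-score, which keeps a few bad runs from inflating the baseline the way mean and standard deviation would. The pure functions are the part you would wrap in a streaming custom search command. The metric name wns_ps and the submission history are constructed.

```python
"""Flag quality outliers in design submissions against their own history.

Added example, not Intel's model. 'wns_ps' (worst negative slack in
picoseconds) is a hypothetical metric and the history is constructed.
"""
from statistics import median

SCALE = 1.4826  # makes the MAD comparable to a standard deviation for normal data


def robust_zscores(values):
    """Return (scores, median, scaled_mad). Scores are 0 when there is no spread,
    so a design whose runs are all identical never gets flagged by noise."""
    med = median(values)
    mad = median(abs(v - med) for v in values) * SCALE
    if mad == 0:
        return [0.0 for _ in values], med, mad
    return [(v - med) / mad for v in values], med, mad


def flag_outliers(history, metric="wns_ps", threshold=3.5):
    """Group rows by design, score each row against that design's own history,
    and return the rows whose |robust z| exceeds the threshold."""
    by_design = {}
    for row in history:
        by_design.setdefault(row["design"], []).append(row)
    flagged = []
    for rows in by_design.values():
        scores, med, _ = robust_zscores([r[metric] for r in rows])
        for row, z in zip(rows, scores):
            if abs(z) > threshold:
                flagged.append({**row, "robust_z": round(z, 2), "baseline_median": med})
    return flagged


# Constructed submission history: blockA has one badly regressed run,
# blockB is steady, blockC has zero spread.
HISTORY = [
    {"job_id": "j-1", "design": "blockA", "wns_ps": -12},
    {"job_id": "j-2", "design": "blockA", "wns_ps": -10},
    {"job_id": "j-3", "design": "blockA", "wns_ps": -15},
    {"job_id": "j-4", "design": "blockA", "wns_ps": -11},
    {"job_id": "j-5", "design": "blockA", "wns_ps": -9},
    {"job_id": "j-6", "design": "blockA", "wns_ps": -13},
    {"job_id": "j-7", "design": "blockA", "wns_ps": -14},
    {"job_id": "j-8", "design": "blockA", "wns_ps": -110},
    {"job_id": "j-9", "design": "blockB", "wns_ps": -40},
    {"job_id": "j-10", "design": "blockB", "wns_ps": -42},
    {"job_id": "j-11", "design": "blockB", "wns_ps": -38},
    {"job_id": "j-12", "design": "blockB", "wns_ps": -41},
    {"job_id": "j-13", "design": "blockB", "wns_ps": -39},
    {"job_id": "j-14", "design": "blockB", "wns_ps": -43},
    {"job_id": "j-15", "design": "blockC", "wns_ps": -5},
    {"job_id": "j-16", "design": "blockC", "wns_ps": -5},
    {"job_id": "j-17", "design": "blockC", "wns_ps": -5},
]

if __name__ == "__main__":
    for hit in flag_outliers(HISTORY):
        print(hit)
```

The threshold of 3.5 is the usual starting point for MAD-based scores; tune it per metric, and keep the per-design grouping, since a slack value that is normal for one block can be a regression for another.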
Successes
• JSON over HEC is “flexible enough”
• “Fixed” keys in JSON make life easier
• dbxquery can connect to *SQL databases
• Built-in visualizations are “good enough”
• Built-in high-availability cluster architecture
More Successes
• Kafka connects Splunk to high-volume producers and consumers
• Splunk users learn very quickly
• Custom search commands are very powerful
• Add-ons and ‘apps’ options are excellent
Recommendations for a Complete Solution
• Extend Splunk Enterprise reference documentation beyond log file mining
• Provide drag-drop dashboard components and default visualizations with real data
• Develop external REST query access as a built-in feature
• Enable an easy connection to non-SQL (e.g. Mongo/Redis) databases
• Enhance the documentation on managing object access with Active Directory hierarchy
• Provide version tracking/revision control of artifacts or knowledge objects
Key Take-Aways
• Although designed for IT, Splunk has proved productive in a chip-design environment
• Splunk business value for chip design - scale fast without need for big team
• We leveraged the ‘swiss army knife’ aspect of Splunk to be productive quickly
• Splunk is a broad platform, rather than just log analytics
If you have insights on solutions to any of our pain points, contact us :)
Thank You
Please provide feedback via the session survey.
Splunk RBA Lessons Learned
Assets and Identity Tables
• Know how they are created and updated
• DHCP issues
• Removal of retired, lost systems
Framework Usage
• Take the time up front to do framework mapping
Notable Creation Compliance Considerations
• Story vs Compliance event presentation
Search Considerations
• Increased visibility requires additional searches
• Data model searching
• Data normalization
Risk Scores
• Be ready for extensive score tuning
• This includes risk score, risk modifiers, notable creation risk levels
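The three tuning knobs named above (risk score, risk modifiers, notable creation risk level) and the asset-table gap interact, and it helps to see them in one place. The following is an added example that models the RBA aggregation step in Python; it is not Nordstrom's content and not Splunk ES's own risk searches, which are SPL over the risk index. The asset table, priority multipliers, risk events, detection names and thresholds are all constructed; the asset lookup deliberately misses one host to show what a stale asset table does to a score.

```python
"""Aggregate risk events into notables the way an RBA pipeline does.

Added example illustrating the tuning points from the talk; not Nordstrom's
or Splunk's code. Asset rows, modifiers, risk events and thresholds are
constructed for illustration.
"""
from collections import defaultdict

# Asset table: host -> priority. A host missing here is exactly the DHCP /
# retired-system gap the talk warns about: it still scores, just without context.
ASSETS = {
    "fin-db-01": {"priority": "critical", "owner": "finance"},
    "wk-1234": {"priority": "medium", "owner": "alice"},
}
PRIORITY_MODIFIER = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}

# Risk events as risk rules would emit them: object, base score, detection
# name (source) and ATT&CK tactic. Constructed data.
RISK_EVENTS = [
    {"risk_object": "fin-db-01", "risk_score": 20,
     "source": "Suspicious PowerShell encoded command", "tactic": "Execution"},
    {"risk_object": "fin-db-01", "risk_score": 30,
     "source": "New local admin account created", "tactic": "Persistence"},
    {"risk_object": "fin-db-01", "risk_score": 25,
     "source": "Outbound SMB to unusual host", "tactic": "Lateral Movement"},
    {"risk_object": "wk-1234", "risk_score": 20,
     "source": "Suspicious PowerShell encoded command", "tactic": "Execution"},
    {"risk_object": "wk-1234", "risk_score": 20,
     "source": "Suspicious PowerShell encoded command", "tactic": "Execution"},
    {"risk_object": "wk-1234", "risk_score": 20,
     "source": "Suspicious PowerShell encoded command", "tactic": "Execution"},
    {"risk_object": "lab-old-07", "risk_score": 40,
     "source": "New local admin account created", "tactic": "Persistence"},
]


def modified_score(event):
    """Apply the asset-priority risk modifier. Unknown assets get 1.0 and are
    reported, so the asset table gets fixed instead of silently trusted."""
    asset = ASSETS.get(event["risk_object"])
    if asset is None:
        return float(event["risk_score"]), True
    return event["risk_score"] * PRIORITY_MODIFIER[asset["priority"]], False


def aggregate_risk(events):
    """Sum modified scores per risk object; collect distinct sources and tactics."""
    agg = defaultdict(lambda: {"score": 0.0, "sources": set(), "tactics": set(),
                               "unknown_asset": False})
    for ev in events:
        score, unknown = modified_score(ev)
        entry = agg[ev["risk_object"]]
        entry["score"] += score
        entry["sources"].add(ev["source"])
        entry["tactics"].add(ev["tactic"])
        entry["unknown_asset"] = entry["unknown_asset"] or unknown
    return dict(agg)


def create_notables(agg, score_threshold=100, min_sources=2):
    """A notable needs both enough cumulative risk and corroboration from more
    than one detection; one noisy rule firing repeatedly does not qualify."""
    notables = []
    for obj, entry in sorted(agg.items()):
        if entry["score"] >= score_threshold and len(entry["sources"]) >= min_sources:
            notables.append({
                "risk_object": obj,
                "score": entry["score"],
                "sources": sorted(entry["sources"]),
                "tactics": sorted(entry["tactics"]),
                "asset_table_gap": entry["unknown_asset"],
            })
    return notables


if __name__ == "__main__":
    agg = aggregate_risk(RISK_EVENTS)
    for obj, entry in agg.items():
        print(obj, entry["score"], sorted(entry["sources"]),
              "UNKNOWN ASSET" if entry["unknown_asset"] else "")
    for notable in create_notables(agg):
        print("NOTABLE:", notable)
```

With these numbers the critical database host crosses the line on three corroborating detections, the workstation does not despite the same raw score being repeated three times, and the unknown lab host scores at face value and is flagged for asset-table review. Lowering the threshold or dropping the corroboration requirement changes the outcome, which is the score-tuning effort the talk warns about.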
What’s New in Splunk Enterprise Security 7.0?
Dan Hogland, Staff Security CSE | Splunk
Contents
● Recap of ES 6.6 release
● What’s new in ES 7.0
● Key Resources
Recap of Enterprise Security 6.6 (GA: June 30, 2021)
In case you missed it...
• Incident Review Dashboard enhancements
  ○ Saved Filters
  ○ More Screen Real-Estate
  ○ RBA Details
  ○ Dispositions
• RBA Event Timeline visualizations
• Cloud Security Monitoring shared storage datasets
Tune into the ES 6.6 Tech Talk On-Demand
Incident Review Dashboard Enhancements (ES 6.6)
● A fresh way to quickly triage notable events
● Easily identify threats with filters and tags
● Save filters to group notable events
● Classify the disposition of a notable event for false positives
Cloud Security Monitoring (ES 6.6)
● Data Model and Normalization Support for shared cloud storage services such as Box, Google Drive, SharePoint, and OneDrive
● Operationalize data across hybrid and multicloud environments such as AWS, GCP, and Microsoft Azure
● Build and strengthen a unified cloud security posture
Risk-Based Alerting Event Timeline (ES 6.6)
● Quickly identify timelines around contributing Risk Events
● Comprehensive view of overall threat activity combined into a single risk-based event
● Improved visibility between risk objects, risk attributions, threat objects and the timeline of detection
● Reduce MTTD and shorten MTTR SOC metrics
Proactive Risk Based Alerting for Insider Threats (SEC1163A)
Matt Snyder - Program Lead - Advanced Security Analytics, VMware
Accenture’s Journey to Risk Based Alerting with Splunk Enterprise Security and Beyond (SEC1249A)
Chip Stearns - Partner, Keos Technology
Marcus Boyd - Manager, Accenture
It worked!
Notable Events counts dropped between 30% & 80+% depending on the use case
False Positive Rate reduced by 30%
Splunk Enterprise Security 7.0
What’s New in Splunk Enterprise Security 7.0? (On Prem & Cloud)
● Executive Summary Dashboard
● Security Operations Dashboard
● Cloud Security Monitoring Dashboards
● Real-Time Content Updates
● Dark Mode User Experience (Cloud)
Executive Summary Dashboard (On Prem & Cloud, Available Now)
Executive Level Security Insights with Trends over Time
● Increased visibility for CISOs, Security Directors and SOC Managers into overall health of security program
● Key Insights
  ○ Mean Time to Triage
  ○ Mean Time to Respond
  ○ Investigations Created
  ○ Assigned Notables Over Time
  ○ Notable Event History Trends
  ○ Risk-Based Alerting Trends
  ○ Adaptive Response Action Trends
Security Operations Dashboard (On Prem & Cloud, Available Now)
Performance and Efficiency Insights across Security Operations
● Key Insights
  ○ Mean Time to Triage
  ○ Mean Time to Respond
  ○ Investigations Created
  ○ Notable Assignments
  ○ Notable and Analyst Close Rate
  ○ Notable Disposition
    ■ False Positives
    ■ True Positives
    ■ Benign Positives
Cloud Security Dashboards (On Prem & Cloud, Available Now)
Visibility into AWS and Microsoft 365 Cloud Security Datasets
● New Dashboards include
  ○ AWS Security Groups
  ○ AWS IAM Activity
  ○ AWS Network ACLs
  ○ AWS Access Analyzer
  ○ Microsoft 365
Real-Time Content Updates (On Prem & Cloud, Available Now)
Automated Security Content Delivery
● Enterprise Security 7.0 proactively notifies you of new content updates from the Splunk Threat Research Team and enables updates in one click
Modernized User Experience (Cloud, Available Now)
Unified User Experience
● Updated “Dark Mode” User Interface
● ES joins other Splunk Security Products in adopting modern development frameworks and best practices
Learn More about Risk-Based Alerting (RBA) at .conf21
SEC1249A - Accenture’s Journey to RBA with Splunk Enterprise Security and Beyond
SEC1163A - Proactive Risk Based Alerting for Insider Threats
SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation
SEC1466A - A Deep-Dive Into How Zoom Is Building Its World-Class Detection Pipeline in Response to the Zoom-Boom!
SEC1800A - Implementing Zero Trust: From Hype to Reality
SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR
Additional Resources: Continue your Splunk Security Journey
Past RBA .conf Sessions
● SEC1113A - Streamlining Analysis of Security Stories with Risk-Based Alerting
● SEC1391C - Full Speed Ahead with Risk-Based Alerting (RBA)
● SEC1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach
● SEC1556 - Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT...
● SEC1803 - Modernize and Mature Your SOC with Risk-Based Alerting
● SEC1538 - Getting started with Risk-Based Alerting and MITRE
● SEC1908 - Tales from a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Appr...
Solution Brief and Tech Talks
● Embark on your Risk-Based Alerting Journey With Splunk | Solution Brief
● Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA) | Tech Talk
● Risk Based Alerting at Machine Speed with Splunk Phantom | Tech Talk
● What’s New in Splunk Enterprise Security 6.6?
Success Advisors
● Risk-Based Alerting Launch Workshop and Implementation Offering
Thank You

Webinar: Neuigkeiten zu Splunk Enterprise 6.3Webinar: Neuigkeiten zu Splunk Enterprise 6.3
Webinar: Neuigkeiten zu Splunk Enterprise 6.3Splunk
 
Splunk Data Stream Processor (DSP)
Splunk Data Stream Processor (DSP)Splunk Data Stream Processor (DSP)
Splunk Data Stream Processor (DSP)Anthony Reinke
 
SplunkLive! Warsaw 2016 - Splunk for Security
SplunkLive! Warsaw 2016 - Splunk for SecuritySplunkLive! Warsaw 2016 - Splunk for Security
SplunkLive! Warsaw 2016 - Splunk for SecuritySplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business Outcomes
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business OutcomesSplunk Discovery Köln - 17-01-2020 - Turning Data Into Business Outcomes
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business OutcomesSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 

Similar to Splunk PNW User Group Meeting Agenda and Presentations (20)

December Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group MeetupDecember Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group Meetup
 
March 2023 PNW User Group
March 2023 PNW User GroupMarch 2023 PNW User Group
March 2023 PNW User Group
 
Splunk PNW User Group - Seattle - 2023-06-28.pdf
Splunk PNW User Group - Seattle - 2023-06-28.pdfSplunk PNW User Group - Seattle - 2023-06-28.pdf
Splunk PNW User Group - Seattle - 2023-06-28.pdf
 
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdf
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOC
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
Splunk Forum Financial Services Chicago 9/13/17
Splunk Forum Financial Services Chicago 9/13/17Splunk Forum Financial Services Chicago 9/13/17
Splunk Forum Financial Services Chicago 9/13/17
 
Getting Started with Splunk Enterprise Hands-On
Getting Started with Splunk Enterprise Hands-OnGetting Started with Splunk Enterprise Hands-On
Getting Started with Splunk Enterprise Hands-On
 
Delivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT OperationsDelivering New Visibility and Analytics for IT Operations
Delivering New Visibility and Analytics for IT Operations
 
Getting Started with Splunk Enterprise Hands-On
Getting Started with Splunk Enterprise Hands-OnGetting Started with Splunk Enterprise Hands-On
Getting Started with Splunk Enterprise Hands-On
 
Splunk for IT Operations Breakout Session
Splunk for IT Operations Breakout SessionSplunk for IT Operations Breakout Session
Splunk for IT Operations Breakout Session
 
Partner Exec Summit 2018 - Frankfurt: Splunk Business Flow Beta
Partner Exec Summit 2018 - Frankfurt: Splunk Business Flow BetaPartner Exec Summit 2018 - Frankfurt: Splunk Business Flow Beta
Partner Exec Summit 2018 - Frankfurt: Splunk Business Flow Beta
 
SplunkLive! London 2017 - Splunk Enterprise for IT Troubleshooting
SplunkLive! London 2017 - Splunk Enterprise for IT TroubleshootingSplunkLive! London 2017 - Splunk Enterprise for IT Troubleshooting
SplunkLive! London 2017 - Splunk Enterprise for IT Troubleshooting
 
Webinar: Neuigkeiten zu Splunk Enterprise 6.3
Webinar: Neuigkeiten zu Splunk Enterprise 6.3Webinar: Neuigkeiten zu Splunk Enterprise 6.3
Webinar: Neuigkeiten zu Splunk Enterprise 6.3
 
Splunk Data Stream Processor (DSP)
Splunk Data Stream Processor (DSP)Splunk Data Stream Processor (DSP)
Splunk Data Stream Processor (DSP)
 
SplunkLive! Warsaw 2016 - Splunk for Security
SplunkLive! Warsaw 2016 - Splunk for SecuritySplunkLive! Warsaw 2016 - Splunk for Security
SplunkLive! Warsaw 2016 - Splunk for Security
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business Outcomes
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business OutcomesSplunk Discovery Köln - 17-01-2020 - Turning Data Into Business Outcomes
Splunk Discovery Köln - 17-01-2020 - Turning Data Into Business Outcomes
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingThe Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingSelcen Ozturkcan
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingThe Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Splunk PNW User Group Meeting Agenda and Presentations

  • 1. © 2022 SPLUNK INC. Splunk PNW User Group 09 March, 2022
  • 2. © 2022 SPLUNK INC. If you did not have an opportunity to complete the form to receive a lunch voucher* from DTEX, please PM the email address associated with your grubhub account** via zoom chat to Bryan Duncan or Jennifer Phillips * Voucher is good for today only. ** Email address will NOT be shared. Thank you to today’s sponsor!
  • 3. © 2022 SPLUNK INC. Agenda
    Topic | Speaker | Organization | Start | End
    Welcome | Amanda Richardson | Splunk | 11:00am | 11:05am
    News and Updates | Joshua Marsh, Amanda Richardson | Splunk | 11:05am | 11:20am
    RBA Implementation Lessons Learned | Brad Werner | Nordstrom | 11:20am | 11:45am
    ES 7.0 update | Dan Hogland | Splunk | 11:45am | 12:00pm
    Little Pain, Much Gain - Splunk at Intel Engineering | Yaron Kretchmer, Matthew Bruehl | Intel Corporation | 12:00pm | 12:25pm
    UEBA tool for insider threat detection demo | Andy London | DTEX | 12:25pm | 12:45pm
    Wrap-up | Amanda Richardson | Splunk | 12:45pm | 1:00pm
  • 4. © 2022 SPLUNK INC. “.conf21 gave me the ability to immerse myself in all things Splunk for two full days, I learned so much.” — John Whitefield Progressive Insurance, IT DevOps Eng. Senior MGM Grand, Las Vegas, NV | June 13–16 Virtual | June 14–15 Join us for a hybrid experience and learn why data is key to achieving better outcomes.
  • 6. © 2022 SPLUNK INC. Empowering Business Users with Pre-Structured Data Tech Talk: Support less technical users in your org! Splunk includes multiple no-code features that allow users to explore, analyze, and pivot the data in Splunk. Learn how to structure your data and configure Splunk to enable these analytic tools and see an overview of how to use pivot tables and other no-code features. Watch the Tech Talk to learn about: ● Indexing and Enriching data with known source types and lookups, so that all business information is easily searchable for your users ● Building data models to structure your Splunk data, to enable pivot tables for your business users ● Exploring, analyzing, and pivoting your Splunk data with no-code features Watch on demand
  • 7. © 2022 SPLUNK INC. "Blue-collar for the blue team." And that's SURGe in a nutshell. Practitioners, storytellers, and old UNIX plumbers who think differently and work on problems that we wish everyone had already solved. You can sign up for our rapid response alerts here splunk.com/surge
  • 8. © 2022 SPLUNK INC. Thank You!
  • 9. © 2021 SPLUNK INC. Accelerate Security Operations with Contextual Human Intelligence & Endpoint Telemetry Andy London Senior Director of Solutions Engineering & Architecture DTEX Systems
  • 13. © 2021 SPLUNK INC. Insider Threat (UAM+UEBA) Data Loss Prevention (DLP) Digital Forensics Fraud Risk & Compliance DMAP + TECHNOLOGY: a patent-pending, real-time correlation of DMAP telemetry introspection and predictive modeling that leads to accurate detection of insider threats at scale ENCRYPTION LAYER: Employee Privacy & GDPR Compliance Credential Theft (ATT&CK) ES SOAR UEBA DTEX InTERCEPT PLATFORM THIRD PARTY INTEGRATIONS ZERO-IMPACT → 5MB PER DAY (PER ENDPOINT) USER ENDPOINT SERVER ENDPOINT VDI CLOUD UNIFIED TELEMETRY OTHER WHAT IS NEXT-GEN INSIDER THREAT? INSIDER THREAT BEHAVIORS MALICIOUS INSIDERS NEGLIGENT INSIDERS COMPROMISED INSIDERS DATA LOSS BEHAVIORS BEHAVIORAL INDICATORS
  • 14. © 2021 SPLUNK INC. Insider Threat Detection (UAM + UEBA) Risk, Audit and Compliance Data Loss Prevention Server Security Forensic Investigations MALICIOUS BEHAVIOR COMPROMISED BEHAVIOR MITRE ATT&CKTM NEGLIGENT BEHAVIOR Automated Risk Reporting (Benchmark & Baseline) Wireless Transfers (e.g. Airdrop / Bluetooth) Privileged Account Misuse Audit trail of all activities Bypass of Security Controls Unusual Privilege Escalation Teachable Moment Reporting Inappropriate internet usage USB device usage File Integrity Monitoring (FIM) Contextualization Leavers Forensic Audit (365) Unusual Privilege Escalation JSP Backdoor Detection Accidental Data Loss Use of personal webmail Instant Messaging Applications SWIFT Server Monitoring Joiners Forensic Audit (Probation Period) Obfuscation & Covering Tracks Domain Fronting Use of Non-sanctioned software System configuration changes Upload to Cloud Storage (Online File Sharing) Unusual application behavior File lineage Unauthorized Use of Administrative / Cyber / Hacking Tools Lateral Movement Online File Sharing Misuse Unauthorized use of decommissioned accounts and/or assets Personal vs Corporate Webmail (e.g. Gsuite) Unusual Database behavior Rogue applications Flight Risk + Data Loss ToR & Proxy Bypass Shadow IT Business continuity reporting Printing Unusual Privilege Escalation Abnormal internet activity On / Off Network Monitoring Malicious or Unusual Application Behavior Bulk Transfer Utilities Use of Non-sanctioned software FTP / sFTP / SCP Bastion / Jump Server Monitoring DMAP Contextual Audits (Data Machine Application People) Portable Application Use Unusual Data Aggregation Instant Messaging Usage Unauthorized use of communication software Confidential / Sensitive File Transfers Unusual Service Account Behavior User to Admin Account Correlation
  • 16. © 2021 SPLUNK INC. How Organizations Are Utilizing DTEX InTERCEPT with Splunk
  • 18. © 2021 SPLUNK INC. How Organizations Are Utilizing DTEX InTERCEPT with Splunk ES & Phantom
  • 20. Forward-Looking Statements. This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.
  • 21. © 2021 SPLUNK INC. Little Pain, Much Gain: Splunk at Intel Engineering PLA1680A Yaron Kretchmer Sr. Director, Design Infrastructure | Intel Corp. Matthew Bruehl Analytics Lead | Intel Corp.
  • 22. © 2021 SPLUNK INC. Sr. Director, Design Infrastructure | Intel Corp. Yaron Kretchmer Analytics Lead | Intel Corp. Matthew Bruehl
  • 23. © 2021 SPLUNK INC. Notice and Disclaimers © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others. Intel technologies may require enabled hardware, software or service activation. No product or component can be absolutely secure. Your costs and results may vary. Results have been estimated or simulated. Statements in this document that refer to future plans or expectations are forward-looking statements. These statements are based on current expectations and involve many risks and uncertainties that could cause actual results to differ materially from those expressed or implied in such statements. For more information on the factors that could cause actual results to differ materially, see our most recent earnings release and SEC filings at www.intc.com.
  • 24. © 2021 SPLUNK INC. Agenda: 1. Why Are We Here? 2. Chip Design at Intel 3. How We Leveraged Splunk Ecosystem 4. Growth of Splunk at Intel Engineering 5. Wins and Pain Points
  • 25. © 2021 SPLUNK INC. Why Are We Here? Convince Describe Talk Get Your Feedback
  • 26. © 2021 SPLUNK INC. It Takes a Village to Design a Chip • Interdisciplinary work • Chip design depends heavily on thorough and insightful analytics • Our analytics team is small But we can’t afford another village to support the big village Intel’s Worldwide Manufacturing Network
  • 27. © 2021 SPLUNK INC. Chip Design: 10,000 Foot View What is the chip’s performance vs…? What is the chip’s power vs…? What is the impact of layout on…? What is the timing of the sub-designs…? Are the manufacturing processes…? The most important attributes and variables in processor chip design
  • 28. © 2021 SPLUNK INC. How We Leveraged the Splunk Ecosystem. Multiple, unique use-cases with distinct requirements, supported by: a small set of building blocks; a multi-tenant environment; full stack functional safety metrics; monitoring tools.
  • 29. © 2021 SPLUNK INC. Splunk Ecosystem - Dashboards and Visualizations • Splunk’s visualization capabilities are rich • Provides flexibility with XML dashboards • Enables freedom to customize almost anything • And a variety of add-on custom visualizations from Splunkbase
  • 30. © 2021 SPLUNK INC. Splunk Ecosystem - Connectivity • dbxconnect allows for connectivity into existing solutions • Splunk Enterprise: one interface to access and query databases and data sources • Accessing data from different databases provides new opportunities for analytics, visualization and insights • Increased connectivity enables more informed decisions on optimal resource utilization
  • 31. © 2021 SPLUNK INC. Splunk Ecosystem - Standardizing Data Ingestion • Primary reason: difficult for systems to individually "pull" data, easier to “push” • Accessing storage is difficult, but HEC makes it easy • Focus is structured data, versus log files • HEC supports variable schema structured data • Variable schema allows us to evolve metrics of interest
  • 32. © 2021 SPLUNK INC. Splunk Ecosystem - Access Control Standardization • Splunk ‘roles’ (RBAC) allow for use-case customization at the application, index and individual user level • Solution: a multi-tenant environment with LDAP access controls, enables a small team to manage demands of a large organization • Advantage: easy to monitor access through web-based LDAP management interface
  • 33. © 2021 SPLUNK INC. Splunk Ecosystem - Massive Data Volumes • The ‘out-of-the-box’ ingestion with HEC is suitable for most of our use cases • Kafka connector designed and built to ingest high volume batch compute records via HEC endpoint • Many accelerated data models built to analyze/chart the performance of batch compute tasks on metrics across 100s-million of events
  • 34. © 2021 SPLUNK INC. Splunk Ecosystem - Machine Learning • ML models to detect quality outliers for design submissions based on historical data • Capabilities for extending commands with custom scripts to apply ML analysis for internal product applications like design quality forecasting • Schedule and design closure trends based on up-to-minute design metrics and indicators
  • 36. © 2021 SPLUNK INC. Successes • JSON over HEC is “flexible enough” • “Fixed” keys in JSON make life easier • Dbxquery can connect to *SQL databases • Built-in visualizations are “good enough” • Built-in high-availability cluster architecture
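The ingestion pattern slides 31 and 36 describe (push structured JSON to a HEC endpoint, keep a fixed set of keys, let the remaining metric fields vary) as an added example; this is not Intel's or Splunk's code, and the index name, sourcetype, fixed keys, field names and sample records are all constructed here for illustration.

```python
"""Build, validate and ship HEC batches whose records share a fixed key
set while the metric fields vary from record to record (example code)."""
import json
import time
import urllib.request

# Keys every record must carry so searches and data models can rely on
# them (assumed for this example); every other key is a free-form metric.
FIXED_KEYS = ("project", "stage", "host")


def build_hec_event(record, index="eda_metrics", sourcetype="_json", epoch=None):
    """Wrap one structured record in the HEC JSON envelope.

    Raises ValueError when a fixed key is missing, so a producer that
    drifts away from the agreed schema fails loudly instead of silently
    producing events that downstream searches cannot join.
    """
    missing = [k for k in FIXED_KEYS if k not in record]
    if missing:
        raise ValueError(f"record missing fixed keys: {missing}")
    return {
        "time": epoch if epoch is not None else time.time(),
        "host": record["host"],
        "index": index,
        "sourcetype": sourcetype,
        "event": record,  # variable metric fields pass through untouched
    }


def build_hec_batch(records, **kwargs):
    """Serialize many records as the newline-delimited JSON objects the
    /services/collector endpoint accepts in a single POST body."""
    return "\n".join(
        json.dumps(build_hec_event(r, **kwargs), sort_keys=True) for r in records
    )


def variable_fields(records):
    """Report the union of non-fixed keys across a batch; tracking this
    over time is how schema evolution stays visible to the analytics team."""
    seen = set()
    for r in records:
        seen.update(k for k in r if k not in FIXED_KEYS)
    return sorted(seen)


def send_batch(hec_url, token, payload, timeout=10):
    """POST a batch to HEC. The token travels in the Authorization header
    (never in the URL) and urllib verifies the server certificate by default."""
    req = urllib.request.Request(
        hec_url,
        data=payload.encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample records: identical fixed keys, different metric fields.
SAMPLE_RECORDS = [
    {"project": "demo_soc", "stage": "synthesis", "host": "batch-01",
     "cell_count": 1200345, "runtime_s": 5412},
    {"project": "demo_soc", "stage": "timing", "host": "batch-02",
     "worst_slack_ps": -12.5, "paths_failing": 37},
]

if __name__ == "__main__":
    print(build_hec_batch(SAMPLE_RECORDS, epoch=1646841600))
    print("variable fields:", variable_fields(SAMPLE_RECORDS))
```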
  • 37. © 2021 SPLUNK INC. More Successes • Kafka connects Splunk to high-volume producers and consumers • Splunk users learn very quickly • Custom search commands are very powerful • Add-ons and ‘apps’ options are excellent
• 38. Recommendations for a Complete Solution • Extend Splunk Enterprise reference documentation beyond log file mining • Provide drag-drop dashboard components and default visualizations with real data • Develop external REST query access as a built-in feature • Enable an easy connection to non-SQL (e.g. Mongo/Redis) databases • Enhance the documentation on managing object access with Active Directory hierarchy • Provide version tracking/revision control of artifacts or knowledge objects
• 39. Key Take-Aways • Although designed for IT, Splunk has proved productive in a chip-design environment • Splunk business value for chip design - Scale fast without need for big team • We leveraged the ‘swiss army knife’ aspect of Splunk to be productive quickly • Splunk is a broad platform, rather than just log analytics If you have insights on solutions to any of our pain points, contact us :)
• 40. Thank You. Session Survey: please provide feedback via the session survey.
  • 42. Assets and Identity Tables • Know how they are created and updated • DHCP issues • Removal of retired, lost systems
  • 43. Framework Usage • Take the time up front to do framework mapping
  • 44. Notable Creation Compliance Considerations • Story vs Compliance event presentation
  • 45. Search Considerations • Increased visibility requires additional searches • Data model searching • Data normalization
  • 46. Risk Scores • Be ready for extensive score tuning • This includes risk score, risk modifiers, notable creation risk levels
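Slide 46 says to expect extensive tuning of risk scores, risk modifiers and the risk level at which a notable is created. The following is an added example (not Splunk Enterprise Security code and not from the Nordstrom talk) that models those knobs on constructed risk events, so candidate thresholds can be compared offline before they are changed in a risk index. The detection names, risk objects, scores and modifier values are all constructed.

```python
"""Offline risk-score aggregation for tuning RBA thresholds.

Added example, not Splunk ES code: a per-detection risk score, multiplicative
risk modifiers, and the score / distinct-source levels at which a notable is
created are modelled on constructed risk events.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    ts: int            # epoch seconds
    risk_object: str   # user or host the event is attributed to
    search_name: str   # detection that produced the risk event
    risk_score: int    # base score the detection assigns


# Constructed risk events covering one hour (ts 0..3599) plus one outside it.
SAMPLE_EVENTS = [
    RiskEvent(100, "alice", "Brute Force Attempts", 20),
    RiskEvent(200, "alice", "Unusual Login Location", 30),
    RiskEvent(300, "alice", "New Admin Group Member", 40),
    RiskEvent(150, "adm_bob", "Unusual Login Location", 30),
    *[RiskEvent(400 + 60 * i, "svc_backup", "Large Outbound Transfer", 15)
      for i in range(6)],
    RiskEvent(500, "WIN-1", "Suspicious PowerShell", 60),
    RiskEvent(5000, "alice", "Suspicious PowerShell", 100),  # outside the window
]

# Constructed modifiers: dampen a detection known to fire on backup jobs,
# and weight events attributed to privileged accounts more heavily.
DEFAULT_MODIFIERS = {
    "search_name": {"Large Outbound Transfer": 0.2},
    "object_prefix": {"adm_": 1.5},
}


def modified_score(ev: RiskEvent, modifiers: dict) -> float:
    """Apply per-detection and per-object multipliers to one event's score."""
    score = float(ev.risk_score)
    score *= modifiers.get("search_name", {}).get(ev.search_name, 1.0)
    for prefix, factor in modifiers.get("object_prefix", {}).items():
        if ev.risk_object.startswith(prefix):
            score *= factor
    return score


def aggregate(events, modifiers: dict, window_start: int,
              window_end: int) -> dict[str, tuple[int, int]]:
    """Total risk and number of distinct contributing detections per risk object."""
    totals: dict[str, float] = defaultdict(float)
    sources: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if window_start <= ev.ts < window_end:
            totals[ev.risk_object] += modified_score(ev, modifiers)
            sources[ev.risk_object].add(ev.search_name)
    return {obj: (round(totals[obj]), len(sources[obj])) for obj in totals}


def notables(aggregated: dict, score_threshold: int,
             min_sources: int = 1) -> list[str]:
    """Risk objects that would become a notable under the given levels."""
    return sorted(obj for obj, (score, n) in aggregated.items()
                  if score >= score_threshold and n >= min_sources)


def threshold_sweep(events, modifiers: dict, thresholds, min_sources: int = 1,
                    window: tuple[int, int] = (0, 3600)) -> dict[int, int]:
    """Notable count per candidate threshold: the view needed when tuning."""
    agg = aggregate(events, modifiers, *window)
    return {t: len(notables(agg, t, min_sources)) for t in thresholds}


if __name__ == "__main__":
    raw = aggregate(SAMPLE_EVENTS, {}, 0, 3600)
    tuned = aggregate(SAMPLE_EVENTS, DEFAULT_MODIFIERS, 0, 3600)
    print("no modifiers:", raw, "->", notables(raw, 80))
    print("with modifiers:", tuned, "->", notables(tuned, 80))
    print("sweep:", threshold_sweep(SAMPLE_EVENTS, DEFAULT_MODIFIERS, [25, 50, 80, 100]))
```

Two of the tuning levers the slide lists show up directly: the detection modifier alone removes `svc_backup` from the notable list at the same threshold, and requiring two distinct contributing detections removes the single-source host even at a lower score.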
• 47. What’s New in Splunk Enterprise Security 7.0? Dan Hogland, Staff Security CSE | Splunk
• 48. Contents ● Recap of ES 6.6 release ● What’s new in ES 7.0 ● Key Resources
• 49. Recap of Enterprise Security 6.6 (GA: June 30, 2021) In case you missed it!
• 50. In case you missed it... Enterprise Security 6.6 (June 30, 2021) • Incident Review Dashboard enhancements ○ Saved Filters ○ More Screen Real-Estate ○ RBA Details ○ Dispositions • RBA Event Timeline visualizations • Cloud Security Monitoring shared storage datasets Tune into the ES 6.6 Tech Talk On-Demand
• 51. Incident Review Dashboard Enhancements (ES 6.6) ● A fresh way to quickly triage notable events ● Easily identify threats with filters and tags ● Save filters to group notable events ● Classify the disposition of a notable event for false positives
• 52. Cloud Security Monitoring (ES 6.6) ● Data Model and Normalization Support for shared cloud storage services such as Box, Google Drive, SharePoint, and OneDrive ● Operationalize data across hybrid and multicloud environments such as AWS, GCP, and Microsoft Azure ● Build and strengthen a unified cloud security posture
• 53. Risk-Based Alerting Event Timeline (ES 6.6) ● Quickly identify timelines around contributing Risk Events ● Comprehensive view of overall threat activity combined into a single risk-based event ● Improved visibility between risk objects, risk attributions, threat objects and the timeline of detection ● Reduce MTTD and shorten MTTR SOC metrics
• 54. Proactive Risk Based Alerting for Insider Threats (SEC1163A) Matt Snyder - Program Lead - Advanced Security Analytics, VMware
• 55. Accenture’s Journey to Risk Based Alerting with Splunk Enterprise Security and Beyond (SEC1249A) Chip Stearns - Partner, Keos Technology; Marcus Boyd - Manager, Accenture. It worked! Notable Events counts dropped between 30% & 80+% depending on the use case; False Positive Rate reduced by 30%
• 56. Splunk Enterprise Security 7.0
• 57. What’s New in Splunk Enterprise Security 7.0? (On Prem & Cloud) ● Executive Summary Dashboard ● Security Operations Dashboard ● Cloud Security Monitoring Dashboards ● Real-Time Content Updates ● Dark Mode User Experience (Cloud)
• 58. Executive Summary Dashboard (On Prem & Cloud, Available Now): Executive Level Security Insights with Trends over Time ● Increased visibility for CISOs, Security Directors and SOC Managers into overall health of security program ● Key Insights ○ Mean Time to Triage ○ Mean Time to Respond ○ Investigations Created ○ Assigned Notables Over Time ○ Notable Event History Trends ○ Risk-Based Alerting Trends ○ Adaptive Response Action Trends
• 59. Security Operations Dashboard (On Prem & Cloud, Available Now): Performance and Efficiency Insights across Security Operations ● Key Insights ○ Mean Time to Triage ○ Mean Time to Respond ○ Investigations Created ○ Notable Assignments ○ Notable and Analyst Close Rate ○ Notable Disposition ■ False Positives ■ True Positives ■ Benign Positives
• 60. Cloud Security Dashboards (On Prem & Cloud, Available Now): Visibility into AWS and Microsoft 365 Cloud Security Datasets ● New Dashboards include ○ AWS Security Groups ○ AWS IAM Activity ○ AWS Network ACLs ○ AWS Access Analyzer ○ Microsoft 365 Real-Time Content Updates: Automated Security Content Delivery ● Enterprise Security 7.0 proactively notifies you of new content updates from the Splunk Threat Research Team and enables updates in one click
• 61. Modernized User Experience (Cloud, Available Now): Unified User Experience ● Updated “Dark Mode” User Interface ● ES joins other Splunk Security Products in adopting modern development frameworks and best practices
• 62. Learn More about Risk-Based Alerting (RBA) at .conf21 SEC1249A - Accenture’s Journey to RBA with Splunk Enterprise Security and Beyond SEC1163A - Proactive Risk Based Alerting for Insider Threats SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation SEC1466A - A Deep-Dive Into How Zoom Is Building Its World-Class Detection Pipeline in Response to the Zoom-Boom! SEC1800A - Implementing Zero Trust: From Hype to Reality SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR
• 63. Additional Resources Continue your Splunk Security Journey Past RBA .conf Sessions ● SEC1113A - Streamlining Analysis of Security Stories with Risk-Based Alerting ● SEC1391C - Full Speed Ahead with Risk-Based Alerting (RBA) ● SEC 1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach ● SEC 1556 - Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT... ● SEC 1803 - Modernize and Mature Your SOC with Risk-Based Alerting ● SEC 1538 - Getting started with Risk-Based Alerting and MITRE ● SEC 1908 - Tales from a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Appr... Solution Brief and Tech Talks ● Embark on your Risk-Based Alerting Journey With Splunk | Solution Brief ● Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA) | Tech Talk ● Risk Based Alerting at Machine Speed with Splunk Phantom | Tech Talk ● What’s New in Splunk Enterprise Security 6.6? Success Advisors ● Risk-Based Alerting Launch Workshop and Implementation Offering
• 64. Thank You