This document provides an agenda and summaries for a Splunk User Group meeting in Edinburgh in April 2017. The meeting will include presentations and demos on building Splunk apps, development paths and certification, and Splunk User Behavior Analytics. The introductory presentation will be given by Harry McLaren from ECS and will provide background on ECS and the Splunk User Group. Additional presentations will cover building custom Splunk apps using both the web interface and direct XML editing, and paths for Splunk certification. The final presentation will demo Splunk UBA for detecting insider threats and advanced adversaries. Attendees are encouraged to discuss in-house developed apps and get involved in the Splunk community.
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se... - Harry McLaren
Slide deck delivered at the June Splunk User Group in Edinburgh: Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Security.
Sign up to the group here: https://usergroups.splunk.com/group/splunk-user-group-edinburgh/
Splunk in the Cisco Unified Computing System (UCS) - Splunk
Cisco has been a Splunk customer for 8 years, with a strong engineering partnership for 3+ years. Learn how several Cisco customers as well as Cisco IT have deployed, grown, and transformed our businesses using the advantages of Splunk Enterprise software together with Cisco UCS and Nexus hardware. We will also talk about scalability and performance considerations for all scales of data footprint and business growth.
Introduced in Splunk 6.2, the Distributed Management Console helps Splunk Admins deal with the monitoring and health of their Splunk deployment. In Splunk 6.3, we built views for Splunk Index and Volume Usage, Forwarder Monitoring, Search Head Cluster Monitoring, Index Cluster Monitoring, and tools for visualizing your Splunk Topology. Leverage Splunk DMC and come see the forest -and- the trees in your Splunk deployment!
Splunk is a powerful platform for understanding your data. The preview of the Machine Learning Toolkit and Showcase App extends Splunk with a rich suite of advanced analytics and machine learning algorithms. In this session, we'll present an overview of the app architecture and API and show you how to use Splunk to easily perform a variety of tasks, including outlier and anomaly detection, predictive analytics, and event clustering. We’ll use real data to explore these techniques and explain the intuition behind the analytics.
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization - Splunk
Besides seeing the newest features in Splunk Enterprise, we will show you how to use the Splunk Web Framework and 3rd party visualisations to create rich, interactive experiences using Splunk and its analytical capabilities.
The Distributed Management Console helps Splunk Admins deal with the monitoring and health of their Splunk deployment. In Splunk 6.3, we built views for Splunk Index and Volume Usage, Forwarder Monitoring, Search Head Cluster Monitoring, Index Cluster Monitoring, and tools for visualizing your Splunk Topology. Leverage Splunk DMC and come see the forest -and- the trees in your Splunk deployment!
With a number of different applications on SplunkBase that help monitor Splunk environments, native tools, new introspection features, a Splunk Admin hardly knows where to start! This session will cut through the confusion and provide clear, direct advice for where to start with monitoring a Splunk environment, and how advanced users can gain new insight, covering traditional tools like SoS and new Splunk features like the Distributed Management Console. Come see the forest -and- the trees in your Splunk deployment!
Splunk Enterprise 6.4 delivers a new library of interactive visualizations, faster analytics, and can reduce your historical data storage costs by up to 80%.
See how you can:
• Use new interactive visualizations to view results, and easily create and share your own
• Speed investigation and discovery of large-scale data with event sampling
• Reduce storage costs by up to 80% for aged data
• Get wider visibility into system performance and health with new management views
With the new features and lower storage costs offered by Splunk Enterprise 6.4, doing big data analysis is now easier than ever. See it in action by attending this webinar.
In addition to seeing the latest features in Splunk Enterprise, learn some of the top commands that will solve most search and analytics needs. Ninjas can use these blindfolded. New features will be demonstrated in the following areas: TCO and Performance Improvements, Platform Management and New Interactive Visualizations.
Securing the Enterprise/Cloud with Splunk at the Centre - Harry McLaren
Using orchestration tools with Splunk to automate and respond to events of interest, and what types of use cases and logs you can leverage with AWS/Cloud as the source.
Delivered as part of the Splunk User Group in Edinburgh in August 2017
Stream: http://productfor.ge/SUGE0817
Splunk for Enterprise Security featuring User Behavior Analytics - Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
Splunk for Enterprise Security featuring User Behavior Analytics - Splunk
This session will review Splunk’s two premium solutions. Splunk Enterprise Security (ES) is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams.
Covering some of the latest announcements from Splunk's user conference (.conf), an add-on created for Splunk config files, and the presentation delivered at .conf18 on SplDevOps!
You and your colleagues are all doing great things with Splunk. But you seldom come together to share ideas, apps and best practices. This session will help you take Splunk to the next level by helping you establish a Splunk Center of Excellence (CoE) at your organization. The purpose of a COE is simple - to provide Splunk users an informal venue in which they can discuss ideas, diagnose challenges, share innovations and network with peers. This session will share the best practices you need to create and maintain a successful CoE practice.
Bengaluru Splunk User Group kick off.
Introduction to User Group Leaders,
Session 1 on Splunk Remote Work Insights
Session 2 on Splunk Dashboard Journey
Thanks for coming out to the first PNW user group of 2023, and our first IN PERSON user group in a couple years!
Dan Hogland caught us up on the latest Enterprise Security updates, Melissa Riley brought the best strategies to leverage FREE Splunk Education (and the Academic Alliances program for all you universities who joined us!) and we welcomed new User Group leader Rob de Luna.
See you in a couple of months, in person in Seattle!
Security Operations, MITRE ATT&CK, SOC Roles / Competencies - Harry McLaren
Security Operations & MITRE ATT&CK
Description: A two-topic talk covering the core functions of the blue team (security operations), common roles and the skills required to be successful. Then an overview of the threat-led knowledge base MITRE ATT&CK and how to put it to good use for threat detection and response.
This session will outline common roles for cyber defenders, including areas like Security Operations, Engineering and Consultancy. It will focus on the fundamental competencies (skills/behaviours) expected of entry level applicants getting into cybersecurity and how to build yourself into a confident professional working to defend your employer and their customers.
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with... - Harry McLaren
We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the MITRE ATT&CK security framework and its value when integrated with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’.
- Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response)
-- Tom Wise (Phantom Security Solutions Engineer & Trainer)
- Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK
-- Cian Heasley / Fraser Dumayne (Security Engineers)
- Meet the Experts with SplunkTrust
-- Harry McLaren (Senior Splunk Consultant)
-- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)
Security operations centres are made up of several roles, and each role benefits from a person with specific skills and competencies. This presentation was delivered at Napier University on 13/11/2019 at their 'Cyber Breakfast'.
Hunting Hard & Failing Fast (ScotSoft 2019) - Harry McLaren
Many organisations have invested millions in building security operations teams, deploying powerful monitoring and reporting tools and then asking for continual improvement in the form of tuning, threat hunting and developing new threat models. However, within large enterprises, these types of changes either represent a risk of making changes to a live production platform, or take weeks or months to go through the development and release process or route-to-live. This session outlines some DevOps principles and an associated framework for enforcing change management while still supporting rapid changes to code and configuration.
* SOC Capabilities
* OODA & Threat Hunting
* Balancing SOC Risk
* Using Splunk for an Agile SIEM
* Result: Empowered Hunters
* Resources & Questions
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App! - Harry McLaren
We'll be covering the latest and greatest updates to Phantom (SOAR Platform), the ins and outs of the new Endpoint Data Model and what you can use it for, and finally showcase some of the awesome beta features just released as part of the Splunk Security Essentials App, which includes MITRE ATT&CK and Kill Chain mappings!
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) - Harry McLaren
Two presentations at the January Splunk User Group in Edinburgh. Presenters were Harry McLaren and Tomasz Dziwok.
Topics covered are collecting AWS based logs at scale with Splunk and what the new object-based storage feature is within Splunk Enterprise (SmartStore).
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ... - Harry McLaren
We explore "Metrics, mstats and Me: Splunking Human Data” and also share some insights into the KV Store and JavaScript use in dashboards. We’ll also recap the .conf18 updates for those who couldn’t attend our last session.
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con... - Harry McLaren
As Splunk scales, it grows with more Splunk engineers, developers and users. Maintaining proper knowledge object development, deployment changes and best practices can become a daunting task where fear-driven development takes its toll. In this session we present our enhancement of Splunk’s scalability in terms of software management, continuous integration and continuous delivery (CI/CD) by providing a framework which consists of DevOps tooling in combination with our Splunk expertise. Specifically, we are able to maintain a proper Splunk development cycle by using Docker containers, configuration and secret management with Ansible and version control with Git (VCS), all achieved by taking advantage of Splunk's ".conf" versatility. Our result is a CI/CD development-to-testing-to-production framework that complements Splunk’s scalability with modern DevOps culture and facilitates a smoother yet moderated development experience.
Lessons on Human Vulnerability within InfoSec/Cyber - Harry McLaren
Truths and lessons from a cybersecurity consultant who shares his experience with failure, vulnerability and the lessons we can all take forward to be kinder and healthier professionals.
This was also recorded here: https://youtu.be/-Rcfn1iFb1g?t=7m56s
Big Data For Threat Detection & Response - Harry McLaren
Slides used at the University of Edinburgh SIGINT group (cybersecurity society). Covering what is big data, the value for security use cases, hunting for threats/actions, using Splunk to detect and respond, SIEM use and some useful searches (which were demoed).
OWASP - Analyst, Engineer or Consultant? - Harry McLaren
The slides used at the March 2018 OWASP Edinburgh meetup to share a look at common roles within cybersecurity from the perspective of a Managing Consultant who’s been through several in quick succession and an introspective analysis of what makes a successful cybersecurity professional.
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development - Harry McLaren
Some interesting talks about using TSTATS and the internal Splunk logs, a Splunk Trainer sharing his journey with Splunk and how he's managed to achieve every possible Splunk certification (over 10!), and a short discussion about emerging thoughts on using development/release frameworks with Splunk deployments.
Cyber Scotland Connect: What is Security Engineering? - Harry McLaren
What is Security Engineering?: Thoughts on the definition, placement, role and job of working within security engineering. Then a scenario of the activities a Security Engineer might do throughout a project. Finally, some resources and thoughts on skills for 2018.
Slides by: Harry McLaren
Website: https://cyberscotlandconnect.com/
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2) - Harry McLaren
Getting into Cybersecurity: Advice, tips and tricks from an experienced cybersecurity consultant.
Slides by: Robert Williamson
Website: https://cyberscotlandconnect.com/
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1) - Harry McLaren
Getting into Cybersecurity: Advice, tips and tricks from an experienced recruitment consultant.
Slides by: Stefanie Corlay
Website: https://cyberscotlandconnect.com/
We'll aim to do a brief intro to the event and an overview of our Mission Statement + Purpose (we promise to keep the boring stuff short!)
Our aim is to mix some short interactive sessions with some Q&A's, some brilliant speakers and other bits and pieces to hopefully deliver some real value to people attending.
Slides by: Stuart Turner
Website: https://cyberscotlandconnect.com/
Latest Updates to Splunk from .conf 2017 Announcements - Harry McLaren
Session detailing some of the best announcements from the recent Splunk users conference. Delivered at the Splunk User Group in Edinburgh on October 16, 2017.
Security Meetup Scotland - August 2017 (Deconstructing SIEM) - Harry McLaren
There are many misconceptions about what a SIEM is and why they should still be the heart of an operational capability when it comes to security controls and monitoring. This topic will outline what makes a powerful SIEM and why creating it yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind; finishing with some general lessons learned for SIEM implementation projects.
2. Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Senior Security Consultant at ECS
– Role: Specialist Splunk Consultant & Enablement Lead
– Specialism: Enterprise Security (SIEM) / Complex Deployments
● Splunk User Group Edinburgh: Leader / Founder
3. Introduction to ECS
Strategic Splunk Partner - UK
– Type: Security / IT Operations / Managed Services
– Awards: Splunk Revolution Award & Splunk Partner of the Year 2016
5. Agenda
• Housekeeping: Overview & House Rules
• Presentation & Demo: Building Splunk Apps
• Group Discussion: In-House Developed Apps
• Presentation: Development Paths & Splunk Certification
• Presentation & Demo: Splunk User Behaviour Analytics
6. Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● User Lead Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
9. What is an App?
Visualization, Analysis & Action
● Apps deliver a user experience designed to make Splunk immediately useful and relevant for typical tasks and roles.
● Apps simplify and optimize user tasks, yet allow access to the data and functions of the full platform.
– Pre-built dashboards, reports, alerts and workflows
– In-depth data analysis for power users
– Point-and-click analytics to empower business users
10. What can we do with them?
● Most apps are focused on:
– Carrying out Alert Actions
– Inputs
– Visualizations
11. Where do we get them from?
● Splunkbase.splunk.com
– Splunkbase is a library of 1000+ apps and add-ons from Splunk, Partners, and the community.
– Splunkbase has a range of Premium Apps and Free Apps across a wide range of categories
● Or develop them yourself!!!
12. How can I Develop an App?
Splunk Web Form Editor
● You don’t have to be a developer or familiar with XML scripting to create an App.
● Splunk Web makes it easy to create a UI in a simple point-and-click manner
13. How can I Develop an App?
Edit XML Directly
● If you have some familiarity with Simple XML, but you are not a developer per se, and you want to create/customize your dashboards beyond what you can do in the Splunk Web editor
● Then you can hack away on the XML using your favorite text editor or in the browser with Splunk Web.
14. Make it your own
● You can add your own artefacts to the App's configuration to improve the appearance or the functionality
● Add your own images, emblems, logos etc.
● Configure workflow actions to trigger a script to carry out a specific action, taking parameters from the output of the search/report
15. My approach to Developing Apps
Hybrid Approach
● A combination of using both the Web Form Editor and writing XML can go a long way...
● The Web Form Editor is great for creating a simple template with views and visualizations
● However, writing the XML provides a much more granular approach to configuring the layout and appearance of the Apps
● Using XML allows for creation of much more advanced dashboards and visualisations
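As an added example (not a slide from the deck), here is a hypothetical Simple XML form written in the hybrid style just described: the first row is the kind of panel the Web Form Editor produces, while the search-populated dropdown, the drilldown token, the conditional second row and the HTML guidance panel are the sort of edits made directly in the XML. The app name, the `linux_secure` sourcetype and its `user`, `host` and `src` fields are assumptions; adjust them to your own data.

```xml
<!-- Hypothetical Simple XML form (added example, not from the deck).
     Save as $SPLUNK_HOME/etc/apps/<your_app>/default/data/ui/views/auth_failures.xml -->
<form>
  <label>Authentication Failures</label>
  <description>Failed logins by user, with click-through detail</description>

  <fieldset submitButton="false">
    <!-- Time picker: the Web Form Editor can add this too -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Dropdown populated by a search rather than a static list:
         an "All" choice plus one entry per index that holds data -->
    <input type="dropdown" token="idx">
      <label>Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
      </search>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Top 10 users by failed logins</title>
      <chart>
        <search>
          <!-- Assumed sourcetype and field names; adjust to your data -->
          <query>index=$idx$ sourcetype=linux_secure "Failed password"
| stats count BY user
| sort - count
| head 10</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.legend.placement">none</option>
        <!-- Clicking a bar stores the clicked user in a token
             instead of jumping out to a raw search -->
        <drilldown>
          <set token="sel_user">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- This whole row stays hidden until sel_user has a value -->
  <row depends="$sel_user$">
    <panel>
      <title>Failures for $sel_user$</title>
      <table>
        <search>
          <query>index=$idx$ sourcetype=linux_secure "Failed password" user="$sel_user$"
| table _time host src user
| sort - _time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <!-- Free-form HTML panel for analyst guidance, the same device the
           deck describes for the hackathon app's instruction pages -->
      <html>
        <h3>Triage notes</h3>
        <p>Many failures from one source against many accounts suggests
           password spraying; many failures against one account from one
           source suggests a brute-force attempt or a misconfigured job.</p>
      </html>
    </panel>
  </row>
</form>
```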
16. ECS Splunk Hackathon App
Requirements
● We needed a central location to outline the instructions, guidelines and SPL language support etc.
● The most elegant solution was to create an ECS-branded app to house all of the information in
22. Robert Williamson
Alumnus of Edinburgh Napier University
IBM - Security Specialist
ECS - SOC Analyst, Senior SOC Analyst and Security Consultant
29. Duration of certification
Splunk Certified Power User = 24.5 hours
Creates and manages knowledge objects that are used across an organization.
● Training: Using Splunk | Searching and Reporting with Splunk | Creating Splunk Knowledge Objects | Splunk Infrastructure Overview
Splunk Certified Administrator = 21 hours
System administrators who manage a Splunk Enterprise environment.
● Training: Enterprise System Administration | Enterprise Data Administration
Splunk Certified Architect = 20 hours
Design and implement Splunk installations including enterprise-level deployments.
● Training: Advanced Dashboards and Visualizations | Architecting and Deploying Splunk | Splunk Cluster Administration | Advanced Searching and Reporting
30. Specialist Courses
Courses for Splunk Cloud Customers
Splunk Education's learning path for Splunk Cloud customers offers courses for end users as well as those in charge of managing Splunk Cloud users, data inputs, and configurations.
Courses for App Developers
Harness the power of Splunk's Web Framework. Create rich, interactive dashboards and forms, and package Splunk knowledge objects for distribution across your organization, or share your masterpiece with the world on the Splunk Apps site.
Courses for Enterprise Security Customers
Learn to install, configure, manage, and use the Splunk App for Enterprise Security. Two learning paths cover both security analysts and Splunk administrators or architects.
Courses for IT Service Intelligence Customers
Learn to install, configure, manage, and use Splunk for IT Service Intelligence (ITSI). Learn about ITSI architecture, deployment planning, installation, service design and implementation.
33.
Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response.
SIEM: Security Information & Event Management
34.
● Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.
● Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives.
Source: 2016 SIEM Efficiency Survey, conducted by Netwrix
39. What is Splunk User Behavioral Analytics?
● Detect Advanced Cyberattacks
● Detect Malicious Insider Threats
● Anomaly Detection
● Threat Detection
● Unsupervised Machine Learning
● Behavior Baselining & Modeling
● Real-Time & Big Data Architecture
40. Insider Threat
User activity, spanning Day 1, Day 2 ... Day N:
● John connects via VPN
● John executes remote desktop to a system (administrator) - PCI zone
● John elevates his privileges
● Administrator performs ssh (root) to a file share - finance department
● root accesses a sensitive document from the file share
● root copies the document to another file share - Corporate zone
● root uses a set of Twitter handles to chop and copy the data outside the enterprise
45. Coming Splunk Events!
● International Conference on Big Data in Cyber Security in Edinburgh
– by the Cyber Academy @ Wed 10 May 2017, 09:00 – 17:00 BST
– ECS Splunk Hackathon in the Morning!
● SplunkLive! at Intercontinental at the O2, London
– by Splunk @ Thur May 11th, 2017, 09:00 – 17:00 BST
– ECS Key Sponsor!
46. Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk
‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk
An application that runs on Splunk Enterprise and typically addresses several use cases.
An app contains one or more views. An app can include various Splunk Enterprise knowledge objects such as reports, lookups, scripted inputs and modular inputs.
An app sometimes depends on one or more add-ons for specific functionality.
Integrate Apps to carry alerting actions based on scheduled searches and reports
Give examples of Workflow actions/Ticketing/Running Scripts
Simplify the onboarding process by using a vendor specific app which will contain the config to format the data as required
i.e. No need to create field extractions etc
Create custom visualizations based on non standard templates
Splunkbase has over 1000 different apps including both free and premium apps
You will find a selection of different apps for a wide variety of products which may have been developed by the vendor or a member of the community
Often the apps developed by vendors will have some sort of integration with the tool itself
i.e Cisco ISE, Carbon Black, AWS
In order to develop a Splunk App you don't have to be a developer or have much experience with any sort of complicated programming language
You can simply use the Web Interface to create all of the visualisations and configure the layout using the GUI
Although there were always going to be limitations to being able to point and click to create an app
You don’t have the degree of granularity that you would have using XML
XML provides increased granularity compared to using the GUI
Everything becomes customisable now
Never created Splunk apps before until now
Recently created an app for the ECS Splunk Hackathon to guide and teach Splunk to novice users
The app not only had to provide the instructions for the hackathon but a guide on how to craft searches, reports, dashboards etc
Built-in custom visualization
Provided a dashboard for marking and submitting solutions
Requirements included:
Somewhere to provide an overview of the hackathon
A list of teams competing
How to use Splunk
Examples of how to build a search
A page to display the solutions submitted by each team for marking purposes
And somewhere to advertise our current vacancies
It can be seen that the app follows ECS colour scheme and uses the logo
The menu bar is completely customizable
Most of the pages are XML so great for formatting the page
At the backend all the config is saved in the app – easy to copy and re-use
Live dashboards running
Explanations of how the search was created and what each command is capable of
The same survey showed that over half of the respondents are trying to employ more entry-level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs, and furthermore are turning to audits and compliance activities to overcome the SIEMs' drawbacks.
Sources:
http://www.bloomberg.com/research/markets/news/article.asp?docKey=600-201603150921MRKTWIREUSPR_____1249121-1
http://www.information-age.com/technology/information-management/123461162/why-big-data-and-siem-dont-always-equal-big-answers-security