SlideShare a Scribd company logo

July 2021 Virtual PNW Splunk User Group Slides

Download as PPTX, PDF
A
Amanda Richardson

Thanks for coming out to another great PNW usergroup featuring Matt Snyder talking about RBA & Insider Threats, Thomas Booth discussing Splunk IT Essentials Work, and Larry Becker sharing cybersecurity best practices.

1 of 47
© 2021 SPLUNK INC. Splunk Pacific Northwest Usergroup 28 July, 2021
© 2021 SPLUNK INC. Thank you to Arcus Data for sponsoring lunch! Please enter checkout code provided in the zoom chat to complete your Grubhub order. ● Your Grubhub account must be associated with the email address you use for the usergroup ● Checkout code expires 11:59pm today in your timezone ● Secondary payment method needed for orders exceeding $25
© 2021 SPLUNK INC. WHAT WE DO Arcus incorporates a unique process fusing creativity and business aptitude with the expertise gained through hundreds of deployments. Consultants possess extensive cross-platform training and certifications, including: Splunk, AWS, Azure, etc. Arcus designs, builds, and operates a diverse suite of analytics solutions customized to industry needs. Our expertise ranges from energy & utilities to retail industries and beyond. Arcus Data has the training and expertise required to complement your Cloud strategy. Whether it’s AWS, Azure, or Google, Arcus can help migrate, assure and manage Cloud workloads. PROFESSIONAL & MANAGED SERVICES INDUSTRY SOLUTIONS PLATFORMS & APPLICATIONS 2021 | © Arcus Data Arcus Data designs, deploys, operates and optimizes analytics solutions through a mix of custom and managed services offerings. Thank you to Arcus Data for Lunch!
© 2021 SPLUNK INC. Agenda The 4-1-1 11:30 AM Welcome and Introductions 11:45 AM RBA with Matt Snyder Matt will discuss Risk-Based Alerting (RBA) in a large environment to drastically reduce alert noise, streamline their SOC around higher-fidelity, actionable alerts on insider threat. 12:05 PM Splunk IT Essentials with Thomas Booth Thomas will introduce Splunk IT Essentials and help you leverage it to replace Splunk App for Infrastructure and several legacy apps. 12:25 PM Efficient Security w/ Splunk and Phantom with Larry Becker 12:45 PM News and Updates
Confidential │ ©2019 VMware, Inc. RBA & Insider Threats Proactive Monitoring and Response Matt Snyder Program Lead – Advanced Security Analytics July 2021
Confidential │ ©2019 VMware, Inc. 6 ▪ DLP Tools: ▪ Too many false positives ▪ Limited detection capabilities ▪ Don’t add new tools ▪ Need for comprehensive coverage we could define and control ▪ Make use of vast EDR data we had in Splunk ▪ Could not increase SOC workload with unactionable events Problems we needed to solve ASAP… Building an Insider Threat Program
Advanced Analytics ES Correlation Rule Framework ES Asset Framework ES RBA Datamodel ES Identity Framework Enterprise Security Framework ES Datamodels ES Risk Framework Risk Rules Risk Attributions ES Notable Framework ES Incident Management framework Risk Notables ES Correlation Rule Framework Alert Rules Risk Macros Analysis Dashboard Source: http://deck.rbaallday.com/
Confidential │ ©2019 VMware, Inc. 8 RBA Features in Correlation Searches
Confidential │ ©2019 VMware, Inc. 9 Define what we want to detect Knowing is half the battle… o Built an Insider Threat matrix to help identify possible events of interest o Identify what was most important, then build detections to populate Risk index o Identify what we could not detect, work to get logs or accept risk o Link: https://github.com/Insider-Threat/Insider- Threat
Confidential │ ©2019 VMware, Inc. 10 Risk Workflow • Many correlation searches running to populate the Risk index • Risk Modifiers are created to either increase or decrease the users risk score • Finally, a couple correlation searches with a notable event are used to notify the SOC
Confidential │ ©2019 VMware, Inc. 11 High Risk File – key word-based list to help find files that might be sensitive SPL: • if(match(file, "CONFIDENTIAL, Sensitive, Important_Stuff_In_Here"), "1”, "0") • 1 = true and 0 = false Competitors List– key word-based list to help find files related to Competitors SPL: • if(match(file, ”Other_Company, Not_as_Good, Product_Stinks"), "1”, "0") • 1 = true and 0 = false More Info: https://docs.splunk.com/Documentation/Splunk/8.2.0/Knowledge/CreatecalculatedfieldswithSplunkWeb Calculated Fields
Confidential │ ©2019 VMware, Inc. 12 High Risk User – this is used for users that either have been identified as: • Behaving suspiciously • Part of a reduction in force (RIF) • Working on a sensitive project Fields: • Username • Date added • Status – active or not_active • Notes SPL: • index=risk | lookup high_risk_user.csv user as user OUTPUT hru_status notes date_added | search hru_status=”active” Pro Tip - keep list access to the lookup limited! Lookups
Confidential │ ©2019 VMware, Inc. 13 eventstats - Generates summary statistics from fields in your events and saves those statistics in a new field. SPL: • | eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk Get average risk scores and see how they compare with other users. High Risk scores are great but don’t always capture everything More Info: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventstats eventstats
Confidential │ ©2019 VMware, Inc. 14 eval – one of the most powerful Splunk commands. SPL: • | eval risk_score=if(in(user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_mod_count+20,risk_score) • | eval risk_score=if(total_hvf >=1 AND total_hvf <=50, risk_mod_count+10,risk_score) Great way to apply dynamic scores based on your needs. More Info: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eval eval
Confidential │ ©2019 VMware, Inc. 15 where – The where command uses eval-expressions to filter search results. These eval- expressions must be Boolean expressions, where the expression returns either true or false. SPL: • | where (risk_score>=55 AND total_hvf>=10 AND (tactic_exfil_value >=100 OR tactic_delete_value>=100)) Awesome way to help set your threshold and filter out noise More Info: https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Where where
Confidential │ ©2019 VMware, Inc. 16 Risk Notable – A correlation search with a Notable Event attached. SPL: • index=risk | lookup high_risk_user.csv user as user OUTPUT hru_status notes date_added | search hru_status=”active” | eval risk_score=if(in(user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_mod_count+20,risk_score) | eval risk_score=if(total_hvf >=1 AND total_hvf <=50, risk_mod_count+10,risk_score) | eval aa_tactic_exfil_value=case(aa_tactic == "Exfiltration", "1", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "0") | eval aa_tactic_delete_value=case(aa_tactic == "Exfiltration", "0", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "1") | eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk | stats dc(file) as file_count sum(hvf) as total_hvf values( aa_tactic) as aa _tactic values(aa_tech) as aa_tech by user | where (risk_score>=55 AND total_hvf>=10 AND (tactic_exfil_value >=100 OR tactic_delete_value>=100)) Risk Notable
Confidential │ ©2019 VMware, Inc. 17 RBA Stats Average Investigation Time Time to setup Program Number of Detections 10 Minutes 3 Weeks 52
18 Confidential │ ©2019 VMware, Inc. Check out my 2021 .conf Talk: Proactive Risk Based Alerting for Insider Threats
Confidential │ ©2019 VMware, Inc. Thank You Q and A
PSE Cybersecurity Past-Present-Future
21 About Puget Sound Energy • 1.1 M Electric Customers • 790 K Gas Customers • 6,000 square mile area • Deliver 5 GW of Electricity • Produce 3.6 GW • Jackson Prairie Gas Storage • 25 Billion Cubic Feet Working Capacity • 14th Largest in the Country
22 About Me • Pacific Northwest National Laboratory for 13 years + 3 years as an intern before moving to PSE. • Computer Forensics • Cyber Intelligence • Cyber Counterintelligence • Cyber Law Enforcement Support • Critical Infrastructure Protection Projects • + more stuff • PSE: 4 years and counting • Cybersecurity Incident Response Manager • Cyber Defense Center Lead
23 • Present – Where are we today • Future – Where are we going Topics
24 Splunk ES Build with Mitre Att&ck • Clean Slate to build from…Mitre Att&ck Framework • Methodology and Organization to event detections • Use Case: Identity and Access Monitoring
25 Phishing Scorecard • Insert text here
26 Phantom Screenshots
27 XDR / Phantom in Splunk
28 • Present – Where are we today • Future – Where are we going TEMPLATE Topics
29 Idealistic “End State” • Defensive Operations • SIEM + NTA/NDR + EDR + SOAR • Threat Intelligence Driven • Threat Hunting Focused (not alarm driven) • Threat/Incident Response are bored
30 Threat Intelligence Driven • Threat Model • Stix (v2.1 or newer) • Mitre Att&ck Techniques • Threat Actors • Targeting & Observables • 🡪Risk Model • 🡪 Threat Detections and Threat Hunts • Result = Cybersecurity Operations Threat Model
31 Incident Response err SOAR • Splunk Phantom - Automation does Threat/Incident Response • Risk Scoring • Ticketing – Opening, Updating, Closing • Get Info – Host & User & Application(s) if server • Enrichment – URL, Domain, User, Email, IP, etc • Related Information – Threat Intel Links • Lock AD Accounts – User and System • FW Blocks – IP, Domain, URL • Quarantine – Email or File • Isolate a System • EDR Isolate or Network Segment Isolate via SDN • And More…
© 2021 SPLUNK INC. News and Splunky Updates
© 2021 SPLUNK INC. Join us for a hybrid experience featuring dozens of engaging sessions and innumerable opportunities to learn how to turn data into doing. October 18–21 Impressive and very interesting conference. I learned so much about the technology and what Splunk can do, it was mesmerizing! Loved the atmosphere, diversity — great minds and amazing work!” https://conf.splunk.com/
© 2021 SPLUNK INC. What is it? ● One day competition, August 5, 2021 ● Special recognition for winning teams Prerequisites ● Basic experience with Splunk ● Basic security investigation knowledge ● A computer running a supported web browser and a solid Internet connection Format ● BOTS Competition Platform - Bots.splunk.com ● Teams up to four ● 4 hour competition BOTS August 5 Timezone Kickoff Competition Begins Competition Ends Pacific Time Zone 12:00pm 12:30pm 4:30pm Mountain Time Zone 1:00pm 1:30pm 5:30pm Central Time Zone 2:00pm 2:30pm 6:30pm Eastern Time Zone 3:00pm 3:30pm 7:30pm
© 2021 SPLUNK INC. Getting Started with Splunk for Security New on-demand security workshop delivery platform https://bots.splunk.com
© 2021 SPLUNK INC. National BOTS Day, August 5 New on-demand security workshop delivery platform https://bots.splunk.com
© 2021 SPLUNK INC. Ever get stuck and have to break out of your Splunk workflow to answer a crucial question? ● How do I get started? ● What data can / should I add? ● What search do I run? ● What do I do next? ● How do I monitor my network data? Splunk Product Guidance provides robust guidance for numerous use cases and tasks without navigating away from the product. SPG is for all Splunk users, regardless of role or expertise level, who are looking for timely, contextually-appropriate guidance to help answer questions. The content provided by SPG is powered by the Splunk Lantern Resource Hub. Splunk Lantern provides clear and actionable guidance from Splunk experts including step-by-step procedures for tasks like monitoring IT systems, investigating user activity, and monitoring network connections. SPG on Splunkbase
© 2021 SPLUNK INC. ● Splunk’s “new features app” ● Updated for all major and minor releases ● Not an in-depth tutorial ○ guide to help users understand each version’s new features ○ contains sample reports, dashboards and visualizations
© 2021 SPLUNK INC. IT Workshop Wednesdays Virtual. Interactive. Hands-On. Sign up for a single workshop or the whole series
© 2021 SPLUNK INC. Content Call Whatcha’ got?
© 2021 SPLUNK INC. Go-Forward Discussion Looking ahead to in-person meetings (Delta variant notwithstanding) . . . ● Every other month on a rotating basis between SEA and PDX? ● Hybrid model to allow for virtual attendees and those with health concerns? ● Other ideas/concerns? We merged, we’re vaccinated, now what??
© 2021 SPLUNK INC. User Group Slack: Submit a request through splk.it/slack Keep up with this group in #pnw
© 2021 SPLUNK INC. Jobs Corner Hiring for Splunk Skills is
© 2021 SPLUNK INC.
© 2021 SPLUNK INC.
© 2021 SPLUNK INC.
© 2021 SPLUNK INC. Thanks to the users and presenters! And big thanks too, to our lunch sponsor today:

Recommended

2022 09 March Splunk PNW User Group
2022 09 March Splunk PNW User Group 2022 09 March Splunk PNW User Group
2022 09 March Splunk PNW User Group
Amanda Richardson
 
Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Portland Splunk User Group May 2020
Portland Splunk User Group May 2020
Amanda Richardson
 
November 2021 Splunk PNW User Group
November 2021 Splunk PNW User GroupNovember 2021 Splunk PNW User Group
November 2021 Splunk PNW User Group
Amanda Richardson
 
Splunk
SplunkSplunk
Splunk
Deep Mehta
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
Security Automation & Orchestration
Security Automation & OrchestrationSecurity Automation & Orchestration
Security Automation & Orchestration
Splunk
 
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with SplunkReactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Splunk
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
Splunk
 

Recommended

2022 09 March Splunk PNW User Group
2022 09 March Splunk PNW User Group 2022 09 March Splunk PNW User Group
2022 09 March Splunk PNW User Group
Amanda Richardson
 
Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Portland Splunk User Group May 2020
Portland Splunk User Group May 2020
Amanda Richardson
 
November 2021 Splunk PNW User Group
November 2021 Splunk PNW User GroupNovember 2021 Splunk PNW User Group
November 2021 Splunk PNW User Group
Amanda Richardson
 
Splunk
SplunkSplunk
Splunk
Deep Mehta
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
Security Automation & Orchestration
Security Automation & OrchestrationSecurity Automation & Orchestration
Security Automation & Orchestration
Splunk
 
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with SplunkReactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Splunk
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
Splunk
 
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics MethodsSpliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Splunk
 
Introduction into Security Analytics Methods
Introduction into Security Analytics Methods Introduction into Security Analytics Methods
Introduction into Security Analytics Methods
Splunk
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunk
Splunk
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
Splunk
 
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Splunk
 
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning WebinarSplunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk
 
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine LearningSplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
Splunk
 
Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them
Splunk
 
SplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy UsersSplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy Users
Splunk
 
The Risks and Rewards of AI
The Risks and Rewards of AIThe Risks and Rewards of AI
The Risks and Rewards of AI
Splunk
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
Splunk
 
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
Splunk
 
Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?
Splunk
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search Dojo
Splunk
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident ResponseSplunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk
 
Best Practices for Forwarder Hierarchies
Best Practices for Forwarder HierarchiesBest Practices for Forwarder Hierarchies
Best Practices for Forwarder Hierarchies
Splunk
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
Splunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Splunk
 
Splunk4Leaders
Splunk4Leaders Splunk4Leaders
Splunk4Leaders
Splunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 

More Related Content

What's hot

Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics MethodsSpliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Splunk
 
Introduction into Security Analytics Methods
Introduction into Security Analytics Methods Introduction into Security Analytics Methods
Introduction into Security Analytics Methods
Splunk
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunk
Splunk
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
Splunk
 
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Splunk
 
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning WebinarSplunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk
 
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine LearningSplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
Splunk
 
Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them
Splunk
 
SplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy UsersSplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy Users
Splunk
 
The Risks and Rewards of AI
The Risks and Rewards of AIThe Risks and Rewards of AI
The Risks and Rewards of AI
Splunk
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
Splunk
 
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
Splunk
 
Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?
Splunk
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search Dojo
Splunk
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident ResponseSplunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk
 
Best Practices for Forwarder Hierarchies
Best Practices for Forwarder HierarchiesBest Practices for Forwarder Hierarchies
Best Practices for Forwarder Hierarchies
Splunk
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
Splunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Splunk
 
Splunk4Leaders
Splunk4Leaders Splunk4Leaders
Splunk4Leaders
Splunk
 

What's hot (20)

Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics MethodsSpliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
 
Introduction into Security Analytics Methods
Introduction into Security Analytics Methods Introduction into Security Analytics Methods
Introduction into Security Analytics Methods
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunk
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk EnterpriseSplunkLive! Munich 2018: Getting Started with Splunk Enterprise
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
 
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning WebinarSplunk Artificial Intelligence & Machine Learning Webinar
Splunk Artificial Intelligence & Machine Learning Webinar
 
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine LearningSplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
 
Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them Worst Splunk practices...and how to fix them
Worst Splunk practices...and how to fix them
 
SplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy UsersSplunkLive! London 2017 - Happy Apps, Happy Users
SplunkLive! London 2017 - Happy Apps, Happy Users
 
The Risks and Rewards of AI
The Risks and Rewards of AIThe Risks and Rewards of AI
The Risks and Rewards of AI
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
 
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
 
Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?
 
Splunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search DojoSplunk Ninjas: New Features and Search Dojo
Splunk Ninjas: New Features and Search Dojo
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident ResponseSplunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
 
Best Practices for Forwarder Hierarchies
Best Practices for Forwarder HierarchiesBest Practices for Forwarder Hierarchies
Best Practices for Forwarder Hierarchies
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
 
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
 
Splunk4Leaders
Splunk4Leaders Splunk4Leaders
Splunk4Leaders
 

Similar to July 2021 Virtual PNW Splunk User Group Slides

Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Security Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceSecurity Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-Service
Marco Casassa Mont
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby SheltonA Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
John Billings CISSP
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
Splunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk
 
Primend Pilvekonverents - Azure Infrastruktuur
Primend Pilvekonverents - Azure InfrastruktuurPrimend Pilvekonverents - Azure Infrastruktuur
Primend Pilvekonverents - Azure Infrastruktuur
Primend
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
Risi Avila
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
Harry McLaren
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Building Elastic into security operations
Building Elastic into security operationsBuilding Elastic into security operations
Building Elastic into security operations
Elasticsearch
 
SplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On SessionSplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On Session
Splunk
 
Apache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyApache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise Company
Databricks
 
Get Started with Cloudera’s Cyber Solution
Get Started with Cloudera’s Cyber SolutionGet Started with Cloudera’s Cyber Solution
Get Started with Cloudera’s Cyber Solution
Cloudera, Inc.
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
Scalar Decisions
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
Raffael Marty
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
Splunk
 

Similar to July 2021 Virtual PNW Splunk User Group Slides (20)

Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Security Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceSecurity Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-Service
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
 
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby SheltonA Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Primend Pilvekonverents - Azure Infrastruktuur
Primend Pilvekonverents - Azure InfrastruktuurPrimend Pilvekonverents - Azure Infrastruktuur
Primend Pilvekonverents - Azure Infrastruktuur
 
PPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINALPPT-Splunk-LegacySIEM-101_FINAL
PPT-Splunk-LegacySIEM-101_FINAL
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Building Elastic into security operations
Building Elastic into security operationsBuilding Elastic into security operations
Building Elastic into security operations
 
SplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On SessionSplunkLive! Tampa: Splunk for Security - Hands-On Session
SplunkLive! Tampa: Splunk for Security - Hands-On Session
 
Apache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyApache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise Company
 
Get Started with Cloudera’s Cyber Solution
Get Started with Cloudera’s Cyber SolutionGet Started with Cloudera’s Cyber Solution
Get Started with Cloudera’s Cyber Solution
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 

July 2021 Virtual PNW Splunk User Group Slides

  • 1. © 2021 SPLUNK INC. Splunk Pacific Northwest Usergroup 28 July, 2021
  • 2. © 2021 SPLUNK INC. Thank you to Arcus Data for sponsoring lunch! Please enter checkout code provided in the zoom chat to complete your Grubhub order. ● Your Grubhub account must be associated with the email address you use for the usergroup ● Checkout code expires 11:59pm today in your timezone ● Secondary payment method needed for orders exceeding $25
  • 3. © 2021 SPLUNK INC. WHAT WE DO Arcus incorporates a unique process fusing creativity and business aptitude with the expertise gained through hundreds of deployments. Consultants possess extensive cross-platform training and certifications, including: Splunk, AWS, Azure, etc. Arcus designs, builds, and operates a diverse suite of analytics solutions customized to industry needs. Our expertise ranges from energy & utilities to retail industries and beyond. Arcus Data has the training and expertise required to complement your Cloud strategy. Whether it’s AWS, Azure, or Google, Arcus can help migrate, assure and manage Cloud workloads. PROFESSIONAL & MANAGED SERVICES INDUSTRY SOLUTIONS PLATFORMS & APPLICATIONS 2021 | © Arcus Data Arcus Data designs, deploys, operates and optimizes analytics solutions through a mix of custom and managed services offerings. Thank you to Arcus Data for Lunch!
  • 4. © 2021 SPLUNK INC. Agenda The 4-1-1 11:30 AM Welcome and Introductions 11:45 AM RBA with Matt Snyder Matt will discuss Risk-Based Alerting (RBA) in a large environment to drastically reduce alert noise, streamline their SOC around higher-fidelity, actionable alerts on insider threat. 12:05 PM Splunk IT Essentials with Thomas Booth Thomas will introduce Splunk IT Essentials and help you leverage it to replace Splunk App for Infrastructure and several legacy apps. 12:25 PM Efficient Security w/ Splunk and Phantom with Larry Becker 12:45 PM News and Updates
  • 5. Confidential │ ©2019 VMware, Inc. RBA & Insider Threats Proactive Monitoring and Response Matt Snyder Program Lead – Advanced Security Analytics July 2021
  • 6. Confidential │ ©2019 VMware, Inc. 6 ▪ DLP Tools: ▪ Too many false positives ▪ Limited detection capabilities ▪ Don’t add new tools ▪ Need for comprehensive coverage we could define and control ▪ Make use of vast EDR data we had in Splunk ▪ Could not increase SOC workload with unactionable events Problems we needed to solve ASAP… Building an Insider Threat Program
  • 7. Advanced Analytics ES Correlation Rule Framework ES Asset Framework ES RBA Datamodel ES Identity Framework Enterprise Security Framework ES Datamodels ES Risk Framework Risk Rules Risk Attributions ES Notable Framework ES Incident Management framework Risk Notables ES Correlation Rule Framework Alert Rules Risk Macros Analysis Dashboard Source: http://deck.rbaallday.com/
  • 8. Confidential │ ©2019 VMware, Inc. 8 RBA Features in Correlation Searches
  • 9. Confidential │ ©2019 VMware, Inc. 9 Define what we want to detect Knowing is half the battle… o Built an Insider Threat matrix to help identify possible events of interest o Identify what was most important, then build detections to populate Risk index o Identify what we could not detect, work to get logs or accept risk o Link: https://github.com/Insider-Threat/Insider- Threat
  • 10. Confidential │ ©2019 VMware, Inc. 10 Risk Workflow • Many correlation searches running to populate the Risk index • Risk Modifiers are created to either increase or decrease the users risk score • Finally, a couple correlation searches with a notable event are used to notify the SOC
  • 11. Confidential │ ©2019 VMware, Inc. 11 High Risk File – key word-based list to help find files that might be sensitive SPL: • if(match(file, "CONFIDENTIAL, Sensitive, Important_Stuff_In_Here"), "1”, "0") • 1 = true and 0 = false Competitors List– key word-based list to help find files related to Competitors SPL: • if(match(file, ”Other_Company, Not_as_Good, Product_Stinks"), "1”, "0") • 1 = true and 0 = false More Info: https://docs.splunk.com/Documentation/Splunk/8.2.0/Knowledge/CreatecalculatedfieldswithSplunkWeb Calculated Fields
  • 12. Confidential │ ©2019 VMware, Inc. 12 High Risk User – this is used for users that either have been identified as: • Behaving suspiciously • Part of a reduction in force (RIF) • Working on a sensitive project Fields: • Username • Date added • Status – active or not_active • Notes SPL: • index=risk | lookup high_risk_user.csv user as user OUTPUT hru_status notes date_added | search hru_status=”active” Pro Tip - keep list access to the lookup limited! Lookups
  • 13. Confidential │ ©2019 VMware, Inc. 13 eventstats - Generates summary statistics from fields in your events and saves those statistics in a new field. SPL: • | eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk Get average risk scores and see how they compare with other users. High Risk scores are great but don’t always capture everything More Info: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventstats eventstats
  • 14. Confidential │ ©2019 VMware, Inc. 14 eval – one of the most powerful Splunk commands. SPL: • | eval risk_score=if(in(user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_mod_count+20,risk_score) • | eval risk_score=if(total_hvf >=1 AND total_hvf <=50, risk_mod_count+10,risk_score) Great way to apply dynamic scores based on your needs. More Info: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eval eval
  • 15. Confidential │ ©2019 VMware, Inc. 15 where – The where command uses eval-expressions to filter search results. These eval- expressions must be Boolean expressions, where the expression returns either true or false. SPL: • | where (risk_score>=55 AND total_hvf>=10 AND (tactic_exfil_value >=100 OR tactic_delete_value>=100)) Awesome way to help set your threshold and filter out noise More Info: https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Where where
  • 16. Confidential │ ©2019 VMware, Inc. 16 Risk Notable – A correlation search with a Notable Event attached. SPL: • index=risk | lookup high_risk_user.csv user as user OUTPUT hru_status notes date_added | search hru_status=”active” | eval risk_score=if(in(user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_mod_count+20,risk_score) | eval risk_score=if(total_hvf >=1 AND total_hvf <=50, risk_mod_count+10,risk_score) | eval aa_tactic_exfil_value=case(aa_tactic == "Exfiltration", "1", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "0") | eval aa_tactic_delete_value=case(aa_tactic == "Exfiltration", "0", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "1") | eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk | stats dc(file) as file_count sum(hvf) as total_hvf values( aa_tactic) as aa _tactic values(aa_tech) as aa_tech by user | where (risk_score>=55 AND total_hvf>=10 AND (tactic_exfil_value >=100 OR tactic_delete_value>=100)) Risk Notable
  • 17. Confidential │ ©2019 VMware, Inc. 17 RBA Stats Average Investigation Time Time to setup Program Number of Detections 10 Minutes 3 Weeks 52
  • 18. 18 Confidential │ ©2019 VMware, Inc. Check out my 2021 .conf Talk: Proactive Risk Based Alerting for Insider Threats
  • 19. Confidential │ ©2019 VMware, Inc. Thank You Q and A
  • 21. 21 About Puget Sound Energy • 1.1 M Electric Customers • 790 K Gas Customers • 6,000 square mile area • Deliver 5 GW of Electricity • Produce 3.6 GW • Jackson Prairie Gas Storage • 25 Billion Cubic Feet Working Capacity • 14th Largest in the Country
  • 22. 22 About Me • Pacific Northwest National Laboratory for 13 years + 3 years as an intern before moving to PSE. • Computer Forensics • Cyber Intelligence • Cyber Counterintelligence • Cyber Law Enforcement Support • Critical Infrastructure Protection Projects • + more stuff • PSE: 4 years and counting • Cybersecurity Incident Response Manager • Cyber Defense Center Lead
  • 23. 23 • Present – Where are we today • Future – Where are we going Topics
  • 24. 24 Splunk ES Build with Mitre Att&ck • Clean Slate to build from…Mitre Att&ck Framework • Methodology and Organization to event detections • Use Case: Identity and Access Monitoring
  • 27. 27 XDR / Phantom in Splunk
  • 28. 28 • Present – Where are we today • Future – Where are we going TEMPLATE Topics
  • 29. 29 Idealistic “End State” • Defensive Operations • SIEM + NTA/NDR + EDR + SOAR • Threat Intelligence Driven • Threat Hunting Focused (not alarm driven) • Threat/Incident Response are bored
  • 30. 30 Threat Intelligence Driven • Threat Model • Stix (v2.1 or newer) • Mitre Att&ck Techniques • Threat Actors • Targeting & Observables • 🡪Risk Model • 🡪 Threat Detections and Threat Hunts • Result = Cybersecurity Operations Threat Model
  • 31. 31 Incident Response err SOAR • Splunk Phantom - Automation does Threat/Incident Response • Risk Scoring • Ticketing – Opening, Updating, Closing • Get Info – Host & User & Application(s) if server • Enrichment – URL, Domain, User, Email, IP, etc • Related Information – Threat Intel Links • Lock AD Accounts – User and System • FW Blocks – IP, Domain, URL • Quarantine – Email or File • Isolate a System • EDR Isolate or Network Segment Isolate via SDN • And More…
  • 32. © 2021 SPLUNK INC. News and Splunky Updates
  • 33. © 2021 SPLUNK INC. Join us for a hybrid experience featuring dozens of engaging sessions and innumerable opportunities to learn how to turn data into doing. October 18–21 Impressive and very interesting conference. I learned so much about the technology and what Splunk can do, it was mesmerizing! Loved the atmosphere, diversity — great minds and amazing work!” https://conf.splunk.com/
  • 34. © 2021 SPLUNK INC. What is it? ● One day competition, August 5, 2021 ● Special recognition for winning teams Prerequisites ● Basic experience with Splunk ● Basic security investigation knowledge ● A computer running a supported web browser and a solid Internet connection Format ● BOTS Competition Platform - Bots.splunk.com ● Teams up to four ● 4 hour competition BOTS August 5 Timezone Kickoff Competition Begins Competition Ends Pacific Time Zone 12:00pm 12:30pm 4:30pm Mountain Time Zone 1:00pm 1:30pm 5:30pm Central Time Zone 2:00pm 2:30pm 6:30pm Eastern Time Zone 3:00pm 3:30pm 7:30pm
  • 35. © 2021 SPLUNK INC. Getting Started with Splunk for Security New on-demand security workshop delivery platform https://bots.splunk.com
  • 36. © 2021 SPLUNK INC. National BOTS Day, August 5 New on-demand security workshop delivery platform https://bots.splunk.com
  • 37. © 2021 SPLUNK INC. Ever get stuck and have to break out of your Splunk workflow to answer a crucial question? ● How do I get started? ● What data can / should I add? ● What search do I run? ● What do I do next? ● How do I monitor my network data? Splunk Product Guidance provides robust guidance for numerous use cases and tasks without navigating away from the product. SPG is for all Splunk users, regardless of role or expertise level, who are looking for timely, contextually-appropriate guidance to help answer questions. The content provided by SPG is powered by the Splunk Lantern Resource Hub. Splunk Lantern provides clear and actionable guidance from Splunk experts including step-by-step procedures for tasks like monitoring IT systems, investigating user activity, and monitoring network connections. SPG on Splunkbase
  • 38. © 2021 SPLUNK INC. ● Splunk’s “new features app” ● Updated for all major and minor releases ● Not an in-depth tutorial ○ guide to help users understand each version’s new features ○ contains sample reports, dashboards and visualizations
  • 39. © 2021 SPLUNK INC. IT Workshop Wednesdays Virtual. Interactive. Hands-On. Sign up for a single workshop or the whole series
  • 40. © 2021 SPLUNK INC. Content Call Whatcha’ got?
  • 41. © 2021 SPLUNK INC. Go-Forward Discussion Looking ahead to in-person meetings (Delta variant notwithstanding) . . . ● Every other month on a rotating basis between SEA and PDX? ● Hybrid model to allow for virtual attendees and those with health concerns? ● Other ideas/concerns? We merged, we’re vaccinated, now what??
  • 42. © 2021 SPLUNK INC. User Group Slack: Submit a request through splk.it/slack Keep up with this group in #pnw
  • 43. © 2021 SPLUNK INC. Jobs Corner Hiring for Splunk Skills is
  • 47. © 2021 SPLUNK INC. Thanks to the users and presenters! And big thanks too, to our lunch sponsor today: