This presentation introduces Splunk, an industry-leading platform for analyzing machine data. It provides an overview of Splunk capabilities including searching, dashboards, alerts and analytics. It then demonstrates how to install Splunk and import sample data, and provides examples of common searches over the data including filtering by status codes, visualizing results with charts, and performing field extractions. The presentation concludes with information on resources for learning more about Splunk.
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5 - sixdub
This document discusses how threat actors can abuse third-party services like social media, cloud storage, and communication platforms to establish command and control (C2) infrastructure and exfiltrate data. It provides examples of real-world adversary campaigns that have leveraged services like Twitter, GitHub, Yahoo Mail, Dropbox, Google Forms, and others. The document argues that detecting such abuse is challenging as it can mimic normal user behavior, but outlines approaches like analyzing network flows, process correlations, and anomalies to help identify compromised systems communicating with third parties for malicious purposes. Detecting these threats requires collecting and correlating diverse endpoint and network data sources.
The document is a presentation on security analytics and finding malicious activities by looking for anomalies in large amounts of data. It discusses challenges such as the increasing spending on cybersecurity while breaches continue to rise. It advocates collecting the right data from the right devices for long enough to enable detection. The presentation outlines techniques for analyzing endpoint, DNS, web proxy, network traffic, and DHCP logs to detect tactics used by adversaries. It emphasizes the importance of profiling normal behavior to identify deviations that could indicate security incidents.
Hadoop has become a backbone of many enterprises. While it can do wonders for businesses, it can sometimes be overwhelming for its operators and users. Amateurs as well as seasoned operators of Hadoop are caught unaware by common pitfalls of deploying, tuning and operating a Hadoop cluster. Having spent 5+ years working with 100s of Hadoop users, running clusters with 1000s of nodes, managing 10s of petabytes of data and running 100s of 1000s of tasks per day, we have seen people's unintentional acts, suboptimal configurations and common mistakes result in downtimes, SLA violations, many hours of recovery operations and in some cases even data loss! Most of these traumas could have been easily avoided by applying easy-to-follow best practices that protect data and optimize performance. In this talk we present real-life stories, common pitfalls and, most importantly, strategies for correctly deploying and managing Hadoop clusters. The talk will empower users and help make their Hadoop journey more fulfilling and rewarding. We will also discuss SmartSense, which can identify latent problems in a cluster and provide recommendations so that an operator can fix them before they manifest as a service degradation or outage.
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors - Jared Greenhill
This presentation outlines how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTPs) of an advanced actor intrusion are highlighted during a technical deep-dive of memory analysis and the related workflow.
There are a number of different kinds of tools for collecting information about the thoughts and beliefs that different groups have about your organization.
This document discusses the digital forensic tool EnCase Forensic. It provides an overview of EnCase and its features, including that it is a leading forensic tool accepted in courts. The document then outlines a scenario where EnCase will be used to conduct a forensic investigation based on a search warrant. The remainder of the document walks through the key functions and screens of EnCase like adding disk images, searching for evidence, tagging evidence, and reporting while conducting the outlined forensic investigation scenario.
The document discusses OpenSOC, an open source security operations center platform for analyzing 1.2 million network packets per second in real time. It provides an overview of the business case for OpenSOC, the solution architecture and design, best practices and lessons learned from deploying OpenSOC at scale. The presentation covers topics like optimizing Kafka, HBase and Storm performance through techniques like tuning configurations, designing row keys, managing region splits, and handling errors. It also discusses integrating analytics tools and the community partnership opportunities around OpenSOC.
Applied Detection and Analysis Using Flow Data - MIRCon 2014 - chrissanders88
In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security... - Andrew Morris
In this presentation, we will discuss using GreyNoise, a geographically and logically distributed system of passive Internet scan traffic collector nodes, to identify statistical anomalies in global opportunistic Internet scan traffic and correlate these anomalies with publicly disclosed vulnerabilities, large-scale DDoS attacks, and other newsworthy events. We will discuss establishing (and identifying any deviations away from) a “standard” baseline of Internet scan traffic. We will discuss successes and failures of different methods employed over the past six months. We will explore open questions and future work on automated anomaly detection of Internet scan traffic. Finally, we will provide raw data and a challenge as an exercise to the attendees.
The document is a disclaimer and introduction for a presentation on security correlation in Splunk. It states that any forward-looking statements made during the presentation reflect current expectations and estimates and may differ from actual results. It also notes that information on product roadmaps is subject to change and not binding. The presentation will cover four types of security correlation rules: across many data sources and events, privileged user monitoring, reducing alert fatigue, and threat intelligence hits.
Appsec 2013 - Krehel, Ondrej - Forensic Investigations of Web Exploitations - drewz lin
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h... - NoNameCon
This document discusses strategies for effective security monitoring and incident response. It outlines a layered defense approach using tools like Sysmon and Splunk to analyze logs from endpoints, networks, and other systems. Specific events and log sources are identified that can help detect attacks by revealing new processes, account logins, file/share access, and other anomalous activity. The document emphasizes preparation, testing incident response plans, and hunting for threats by scrutinizing logs and following forensic trails left by attackers.
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown! - EC-Council
Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will rear their ugly heads.
There are three main causes of ineffective takedowns:
- The organizations performing botnet takedowns do so in a haphazard manner.
- The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA), that may be used by the malware.
- The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet takedown actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa, will share with attendees how to effectively take down botnets for good. The only way botnet takedowns will have a lasting impact on end-user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Splunk Enterprise for Information Security Hands-On - Splunk
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.
HSB - Secure DNS and BGP developments - Benno Overeinder - Splend
Reliable DNS and BGP4 play an important role in handling Internet traffic securely. Secure versions of both have been developed at several renowned institutions (Netherlabs, SIDN Labs and NLnet Labs) and are still being improved daily. This presentation reviews the most important of these developments.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz - Christopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presents the PSHunt framework (which will be released on GitHub) and a methodology for hunting on the endpoint using PowerShell across an enterprise or on an individual system.
With the focus on security, most organisations test their security defenses via pen-testing. But what about after the network has been compromised? Is there an Advanced Persistent Threat (APT) sitting on the network? Will the defenses be able to detect it?
This talk will discuss some of the open source tools that can help simulate this threat, so that the security defenses can be tested against an APT that has made it onto the network.
Managing your black friday logs - Code Europe - David Pilato
The document discusses optimally configuring Elasticsearch clusters for ingesting time-based data like logs. It recommends using time-based indices with a new index created each day. It also discusses techniques for scaling clusters by adding more shards as data volumes increase and distributing the data across nodes to avoid bottlenecks. The optimal bulk size for indexing may vary depending on factors like document size and should be tested.
This document outlines a 5-step process for developing purpose-driven hunt hypotheses to actively search for malicious activity in an environment. The steps include: 1) identifying the tactic and technique, 2) procedures, 3) data collection needs, 4) scope, and 5) excluded factors. It provides a case study demonstrating how to apply the process to develop a hypothesis for detecting golden tickets using Kerberos tickets and logon sessions. The case study walks through collecting the necessary data and provides examples of what was in and out of scope.
This document provides contact information for various people involved in planning an event at the Marriott Wardman Park hotel in Washington D.C. on April 7-8, 2015. It includes names, phone numbers, and emails for project managers, event managers, speakers, and sponsors. It also outlines the agenda and logistics for the multi-day event, including sessions, meals, sponsor areas, audiovisual needs, and transportation details.
Getting Started with Splunk Enterprise - Demo - Splunk
Splunk can be used to analyze log data from an online gaming company to help identify issues causing customer complaints. The demo shows how to ingest sample log data, perform searches to find error codes and pages, create alerts, and generate statistics and reports on the data. Dynamic field extraction, pivoting, and over 140 search commands allow transforming and analyzing the data in various ways. Results can be saved as dashboards and applications for ongoing monitoring and insights.
Live data collection from Windows system - Maceni Muse
This document discusses techniques for collecting volatile data and performing a live response investigation on a Windows system. It provides a list of tools to create a response toolkit and obtain information such as running processes, open ports, logged on users, and network connections. The document recommends using these tools to review the event logs and registry for evidence, obtain passwords from the SAM database, and dump system memory for a more in-depth investigation.
David Veuve, SE, Splunk, walks the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain.
Splunk App for Stream - Insights into Your Network Traffic - Georg Knon
The document discusses the Splunk App for Stream, which enables real-time insights into private, public and hybrid cloud infrastructures by capturing and analyzing critical events from wire data not found in logs or with other collection methods. It provides an overview of the app, what's new, important features, architecture and deployment, customer success examples, and FAQs.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment - Christopher Gerritz
The document discusses compromise assessments, which are proactive evaluations of systems to detect threats that have evaded existing security controls. A compromise assessment is faster, more affordable, and independent compared to traditional vulnerability assessments and penetration tests. The assessment methodology involves planning, preparation, discovery, collection of data from endpoints, analysis of the collected data using techniques like forensic state analysis, and reporting of findings. It is recommended that organizations conduct regular compromise assessments by a third party to validate network security and detect any unauthorized access.
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise - Splunk
The document provides an agenda for a SplunkLive! presentation on installing and using Splunk. It includes downloading required files, importing sample data, conducting searches on the data, and exploring various Splunk features through a live demonstration. Common installation problems are also addressed. The presentation aims to provide attendees with the knowledge and skills to get started using Splunk through hands-on learning and a question and answer session.
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
In this presentation, we will discuss using GreyNoise, a geographically and logically distributed system of passive Internet scan traffic collector nodes, to identify statistical anomalies in global opportunistic Internet scan traffic and correlate these anomalies with publicly disclosed vulnerabilities, large-scale DDoS attacks, and other newsworthy events. We will discuss establishing (and identifying any deviations away from) a “standard” baseline of Internet scan traffic. We will discuss successes and failures of different methods employed over the past six months. We will explore open questions and future work on automated anomaly detection of Internet scan traffic. Finally, we will provide raw data and a challenge as an exercise to the attendees.
The document is a disclaimer and introduction for a presentation on security correlation in Splunk. It states that any forward-looking statements made during the presentation reflect current expectations and estimates and may differ from actual results. It also notes that information on product roadmaps is subject to change and not binding. The presentation will cover four types of security correlation rules: across many data sources and events, privileged user monitoring, reducing alert fatigue, and threat intelligence hits.
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
This document discusses strategies for effective security monitoring and incident response. It outlines a layered defense approach using tools like Sysmon and Splunk to analyze logs from endpoints, networks, and other systems. Specific events and log sources are identified that can help detect attacks by revealing new processes, account logins, file/share access, and other anomalous activity. The document emphasizes preparation, testing incident response plans, and hunting for threats by scrutinizing logs and following forensic trails left by attackers.
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will veer their ugly heads.
There are three main causes of ineffective takedowns:
The organizations performing botnet takedowns do so in a haphazard manner.
The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA) that may be used by the malware.
The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet take down actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa will share with attendees how to effectively takedown botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Splunk Enterpise for Information Security Hands-OnSplunk
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
Betrouwbaar DNS en BGP4 spelen een belangrijke rol bij het veilig afhandelen van Internet verkeer. Bij diverse gerenommeerde instanties (Netherlabs, SIDN Labs en NLnet Labs) zijn veilige versies hiervan ontwikkeld, welke nog dagelijks worden verbeterd. In deze presentatie worden de belangrijkste ontwikkelingen tegen het licht gehouden.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
With the focus on security, most organisations test the security defenses via pen-testing. But what about after the network has been compromised. Is there an Advance Persistent Threat (APT) sitting on the network? Will the defenses be able to detect this?
This talk will discuss some of the open source tools that can help simulate this threat. So as to test the security defenses if an APT makes it onto the network.
Managing your black friday logs - Code EuropeDavid Pilato
The document discusses optimally configuring Elasticsearch clusters for ingesting time-based data like logs. It recommends using time-based indices with a new index created each day. It also discusses techniques for scaling clusters by adding more shards as data volumes increase and distributing the data across nodes to avoid bottlenecks. The optimal bulk size for indexing may vary depending on factors like document size and should be tested.
This document outlines a 5-step process for developing purpose-driven hunt hypotheses to actively search for malicious activity in an environment. The steps include: 1) identifying the tactic and technique, 2) procedures, 3) data collection needs, 4) scope, and 5) excluded factors. It provides a case study demonstrating how to apply the process to develop a hypothesis for detecting golden tickets using Kerberos tickets and logon sessions. The case study walks through collecting the necessary data and provides examples of what was in and out of scope.
This document provides contact information for various people involved in planning an event at the Marriott Wardman Park hotel in Washington D.C. on April 7-8, 2015. It includes names, phone numbers, and emails for project managers, event managers, speakers, and sponsors. It also outlines the agenda and logistics for the multi-day event, including sessions, meals, sponsor areas, audiovisual needs, and transportation details.
Getting Started with Splunk Enterprise - DemoSplunk
Splunk can be used to analyze log data from an online gaming company to help identify issues causing customer complaints. The demo shows how to ingest sample log data, perform searches to find error codes and pages, create alerts, and generate statistics and reports on the data. Dynamic field extraction, pivoting, and over 140 search commands allow transforming and analyzing the data in various ways. Results can be saved as dashboards and applications for ongoing monitoring and insights.
Live data collection_from_windows_systemMaceni Muse
This document discusses techniques for collecting volatile data and performing a live response investigation on a Windows system. It provides a list of tools to create a response toolkit and obtain information such as running processes, open ports, logged on users, and network connections. The document recommends using these tools to review the event logs and registry for evidence, obtain passwords from the SAM database, and dump system memory for a more in-depth investigation.
David Veuve, SE, Splunk, walks the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain.
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
The document discusses the Splunk App for Stream, which enables real-time insights into private, public and hybrid cloud infrastructures by capturing and analyzing critical events from wire data not found in logs or with other collection methods. It provides an overview of the app, what's new, important features, architecture and deployment, customer success examples, and FAQs.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
The document discusses compromise assessments, which are proactive evaluations of systems to detect threats that have evaded existing security controls. A compromise assessment is faster, more affordable, and independent compared to traditional vulnerability assessments and penetration tests. The assessment methodology involves planning, preparation, discovery, collection of data from endpoints, analysis of the collected data using techniques like forensic state analysis, and reporting of findings. It is recommended that organizations conduct regular compromise assessments by a third party to validate network security and detect any unauthorized access.
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise (Splunk)
The document provides an agenda for a SplunkLive! presentation on installing and using Splunk. It includes downloading required files, importing sample data, conducting searches on the data, and exploring various Splunk features through a live demonstration. Common installation problems are also addressed. The presentation aims to provide attendees with the knowledge and skills to get started using Splunk through hands-on learning and a question and answer session.
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App! (Harry McLaren)
We'll be coving the latest and greatest updates to Phantom (SOAR Platform), the ins-and-outs of the new Endpoint Data Model and what you can use it for and finally showcase some of the awesome beta features just released as part of the Splunk Security Essentials App which includes MITRE ATT&CK and Kill Chain Mappings!
Getting Started with Splunk Enterprise Hands-On Breakout Session (Splunk)
This document provides an overview and demonstration of Splunk Enterprise. It discusses what machine data is and Splunk's mission to make it accessible. The presentation covers installing and onboarding data into Splunk, performing searches, creating dashboards and alerts. It also summarizes deployment architectures for Splunk and options for support and learning more.
This document discusses Splunk's HTTP Event Collector, which allows sending event data to Splunk via a token-based JSON API. Some key points covered include:
- The HTTP Event Collector provides a simple way to send events from anywhere to Splunk using HTTP and tokens.
- Events can be sent directly using HTTP requests or via supported logging libraries for languages like .NET, Java and JavaScript.
- The presentation demonstrates configuring and using the HTTP Event Collector via the CLI, as well as with CURL and Node.js. It also discusses scaling, high availability, and third party integrations.
This document discusses Splunk's HTTP Event Collector, which allows sending event data to Splunk via a token-based JSON API. Some key points covered include:
- The HTTP Event Collector provides a simple way to send events from anywhere to Splunk using HTTP and a token for authentication.
- Events can be sent directly using HTTP requests or via supported logging libraries for languages like .NET, Java and JavaScript.
- The presentation demonstrates configuring and using the HTTP Event Collector via the CLI, as well as with CURL and Node.js.
- Scaling, high availability, and distributed deployment options are discussed, including running the collector on indexers or dedicated instances.
Machine Data Is EVERYWHERE: Use It for Testing (TechWell)
As more applications are hosted on servers, they produce immense quantities of logging data. Quality engineers should verify that apps are producing log data that is existent, correct, consumable, and complete. Otherwise, apps in production are not easily monitored, have issues that are difficult to detect, and cannot be corrected quickly. Tom Chavez presents the four steps that quality engineers should include in every test plan for apps that produce log output or other machine data. First, test that the data is being created. Second, ensure that the entries are correctly formatted and complete. Third, make sure the data can be consumed by your company’s log analysis tools. And fourth, verify that the app will create all possible log entries from the test data that is supplied. Join Tom as he presents demos including free tools. Learn the steps you need to include in your test plans so your team’s apps not only function but also can be monitored and understood from their machine data when running in production.
This document contains a presentation about using Splunk software to analyze machine data and gain insights. Some key points:
- Splunk software allows users to search, monitor, and analyze machine-generated data from websites, apps, servers, sensors and other sources.
- Machine data contains critical insights for answering questions about security investigations, application performance, infrastructure issues, marketing campaign effectiveness and more.
- Splunk has over 3,000 employees globally, over 14,000 customers including 89 of the Fortune 100, and annual revenue of over $1 billion. It hosts a major annual conference called .conf to educate users.
Pivotal - Advanced Analytics for Telecommunications (Hortonworks)
Innovative mobile operators need to mine the vast troves of unstructured data now available to them to help develop compelling customer experiences and uncover new revenue opportunities. In this webinar, you’ll learn how HDB’s in-database analytics enable advanced use cases in network operations, customer care, and marketing for better customer experience. Join us, and get started on your advanced analytics journey today!
Splunk is a powerful platform that can harness your machine data and turn it into valuable information thereby enabling your business to make informed decisions, taking your organization from reactive to proactive. Just like any other platform, Splunk is only as powerful as the data it has access to, therefore in this session we will be conducting a walk thru of how to successfully on-board data, with samples of data ranging from simple to complex. We will also be taking a look at how to use common TA’s to bring valuable data into Splunk. This session is designed to give you a better understanding of how to onboard data into Splunk enabling you to unlock the power of your data.
Country domination - Causing chaos and wrecking havoc (Tiago Henriques)
This document discusses using the search engine Shodan to find exposed devices and systems online. It provides example search queries that can be used on Shodan to find devices by port, banner contents, or country. It also discusses how information can be gathered from devices using SNMP and how Nmap can be used with Shodan search results to take screenshots of websites with no authentication. The document suggests some potentially concerning searches related to SCADA systems and critical infrastructure.
These slides were presented at the #startathon2.0 pre-workshop on 20 September covering technology topics. For more information, please contact veera@sl2square.org.
This document provides an overview and demonstration of Splunk Enterprise. It discusses Splunk's capabilities for indexing, searching, and analyzing machine data from various sources. The live demonstration shows how to install Splunk, import sample data, perform searches, create dashboards and alerts. It also covers Splunk's deployment architecture and scalability options. Attendees are encouraged to ask questions on Splunk's online communities and support channels.
Splunk Enterprise is a software platform for searching, monitoring, and analyzing machine-generated big data, such as logs, metrics, and mobile data. The presentation provided an overview of Splunk Enterprise capabilities including: live demonstrations of installing Splunk, searching data, creating dashboards and alerts. It also covered Splunk deployment architectures for scaling from single instances to distributed environments supporting hundreds of terabytes per day.
Getting Started with Splunk Breakout Session (Splunk)
This document provides an overview and introduction to Splunk Enterprise. It begins with an agenda that outlines discussing Splunk Enterprise, a live demonstration of using Splunk, deployment architecture, the Splunk community, and a Q&A. It then discusses how Splunk can unlock insights from machine data generated from various sources. The live demo shows installing Splunk, forwarding sample data, and performing searches. It also discusses deploying Splunk at scale, distributed architectures, and support resources available through the Splunk community.
MNSEC 2018 - Observations from the APNIC Community Honeynet Project (MNCERT)
The document summarizes the APNIC Community Honeynet Project, which uses distributed honeypots to observe cyber attacks in the Asia-Pacific region. The project aims to support capacity development, research, and information sharing between APNIC members and CERT teams. Honeypots emulate vulnerable systems and capture attacker activity, like downloaded files and scripts, to provide insights into threats. One example showed an attacker attempting to download malware payloads using HTTP, TFTP, and FTP. The project seeks to integrate honeypot data into a portal to help network operators identify potentially infected devices.
1. The presentation provides an overview of Splunk and how it can be used to access, analyze, and gain insights from machine data.
2. It demonstrates Splunk's core capabilities like universal data ingestion, schema-on-the-fly indexing, and fast search capabilities.
3. The presentation concludes with a demo of Splunk's interface and basic functions like searching, field extraction, alerting, and reporting.
Move out from AppEngine, and Python PaaS alternatives (tzang ms)
This document discusses moving a podcast hosting application called MyAudioCast off of Google App Engine (GAE) and onto other Python platforms as a result of high costs and limitations. Some key points:
- MyAudioCast was running on GAE for over a year but costs were rising to $120/month due to high storage, bandwidth, and processing usage.
- Performance on GAE was poor with high error rates for operations like inserting logs and updating counters.
- Development was slowed by GAE limitations like long deployment times and inability to easily use common Python packages.
- The author chose to migrate MyAudioCast to the Linode VPS and Heroku PaaS for better pricing,
SnorGen is a tool that automatically generates signatures from network traffic data. It extracts content, packet, and flow signatures and converts them to Snort rule format. Content signatures identify unique substrings in packets, packet signatures identify sequences of content signatures in packets, and flow signatures identify sequences of packet signatures across an entire network flow. SnorGen analyzes captured network traffic and generates signatures that can then be used by the Snort intrusion detection system to monitor, block, and control network traffic.
Similar to SplunkLive! Zurich 2018: Getting Started & Hands On (20)
.conf Go 2023 - Raiffeisen Bank International (Splunk)
This document discusses standardizing security operations procedures (SOPs) to increase efficiency and automation. It recommends storing SOPs in a code repository for versioning and referencing them in workbooks which are lists of standard tasks to follow for investigations. The goal is to have investigation playbooks in the security orchestration, automation and response (SOAR) tool perform the predefined investigation steps from the workbooks to automate incident response. This helps analysts automate faster without wasting time by having standard, vendor-agnostic procedures.
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu... (Splunk)
.conf Go 2023 presentation:
"Das passende Rezept für die digitale (Security) Revolution zur Telematik Infrastruktur 2.0 im Gesundheitswesen?"
Speaker: Stefan Stein,
CERT team lead at gematik GmbH, M.Eng. IT Security & Forensics,
doctoral student at TH Brandenburg & Universität Dresden
The document describes Cellnex's transition from a Security Operations Center (SOC) to a Computer Security Incident Response Team (CSIRT). The transition was driven by Cellnex's growth and the need to automate processes and tasks to improve efficiency. Cellnex implemented Splunk SIEM and SOAR to automate the creation, remediation and closure of incidents. This allowed staff to concentrate on strategic tasks and improve KPIs such as resolution times and emails anal
conf go 2023 - El camino hacia la ciberseguridad (ABANCA) (Splunk)
This document summarizes ABANCA's journey toward cybersecurity with Splunk, from adding dedicated roles in 2016 to becoming a monitoring and response center with more than 1TB of daily ingest and 350 use cases aligned with MITRE ATT&CK. It also describes mistakes made and solutions implemented, such as source normalization and operator training, and the current pillars such as automation, visibility and alignment with MITRE ATT&CK. Finally, it points out challenges
Splunk - BMW connects business and IT with data driven operations SRE and O11y (Splunk)
BMW is defining the next level of mobility - digital interactions and technology are the backbone to continued success with its customers. Discover how an IT team is tackling the journey of business transformation at scale whilst maintaining (and showing the importance of) business and IT service availability. Learn how BMW introduced frameworks to connect business and IT, using real-time data to mitigate customer impact, as Michael and Mark share their experience in building operations for a resilient future.
The document is a presentation on cyber security trends and Splunk security products from Matthias Maier, Product Marketing Director for Security at Splunk. The presentation covers trends in security operations like the evolution of SOCs, new security roles, and data-centric security approaches. It also provides updates on Splunk's security portfolio including recognition as a leader in SIEM by Gartner and growth in the SIEM market. Maier highlights some breakout sessions from the conference on topics like asset defense, machine learning, and building detections.
Data foundations building success, at city scale – Imperial College London (Splunk)
Universities have more in common with modern cities than traditional places of learning. This mini city needs to empower its citizens to thrive and achieve their ambitions. Operationalising data is key to building critical services; from understanding complex IT estates for smarter decision-making to robust security and a more reliable, resilient student experience. Juan will share his experience in building data foundations for a resilient future whilst enabling digital transformation at Imperial College London.
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen... (Splunk)
Learn how Vodafone has provided end-to-end visibility across services by building an Operational Analytics Platform. In this session, you will hear how Stefan and his team manage legacy, on premise, hybrid and public cloud services, and how they are providing a platform for complex triage and debugging to tackle use cases across Vodafone’s extensive ecosystem.
.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own.
Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo.
So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including:
- Top challenges faced in improving security posture
- Key KPIs implemented in order to measure success
- Strategies and approaches applied in the SOC
- How MITRE ATT&CK and Splunk Enterprise Security were utilised
- Next steps in their maturity journey ahead
This document summarizes a presentation about observability using Splunk. It includes an agenda introducing observability and why Splunk for observability. It discusses the need for modernization initiatives in companies and the thousands of changes required. It presents that Splunk provides end-to-end visibility across metrics, traces and logs to detect, troubleshoot and optimize systems. It shares a customer case study of Accenture using Splunk observability in their hybrid cloud environment. Finally, it concludes that observability with Splunk can drive results like reduced downtime and faster innovation.
This document contains slides from a Splunk presentation covering the following topics:
- Updated Splunk logo and information about meetings in Zurich and sales engineering leads
- Ideas for confused or concerned human figures in design concepts
- Three buckets of challenges around websites slowing, apps being down, and supply chain issues
- Accelerating mean time to detect, identify, respond and resolve through cyber resilience with Splunk
- Unifying security, IT and DevOps teams
- Splunk's technology vision focusing on customer experience, hybrid/edge, unleashing data lakes, and ubiquitous machine learning
- Gaining operational resilience through correlating infrastructure, security, application and user data with business outcomes
This document summarizes a presentation about Splunk's platform. It discusses Splunk's mission of helping customers create value faster with insights from their data. It provides statistics on Splunk's daily ingest and users. It highlights examples of how Splunk has helped customers in areas like internet messaging and convergent services. It also discusses upcoming challenges and new capabilities in Splunk like federated search, flexible indexing, ingest actions, improved data onboarding and management, and increased platform resilience and security.
The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.
OpenID AuthZEN Interop Read Out - Authorization (David Brossard)
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered:
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Introduction of Cybersecurity with OSS at Code Europe 2024 (Hiroshi SHIBATA)
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf (Malak Abu Hammad)
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
GraphRAG for Life Science to increase LLM accuracy (Tomaz Bratanic)
GraphRAG for the life science domain, where you retrieve information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, open standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in various LibreOffice-related events, migrations and training. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers (akankshawande)
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Taking AI to the Next Level in Manufacturing.pdf (ssuserfac0301)
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Generating privacy-protected synthetic data using Secludy and Milvus (Zilliz)
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
2. Set Up Before You Can Play
Download the following at splunk.com
▶ Splunk Enterprise:
• https://www.splunk.com/download
▶ Tutorial Data:
• http://splk.it/2ey34P8
▶ Search Tutorial
• http://splk.it/2ePSYKB
5. Big Data Comes From Machines
Volume | Velocity | Variety | Variability
Sources: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
Splunk’s Mission: Make machine data accessible, usable, and valuable to everyone
6. What Does Machine Data Look Like?
SOURCES (one sample event from each):
Order Processing:
ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100
Middleware Error:
JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213.
Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException:
weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The
DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port:
ACMEDB-01:1521. Reason: Connection refused
Care IVR:
01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type
0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-
13ae51a6d092, Trunk T451.16
01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
CUSTID 10098213
01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
Twitter:
{actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link:
http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”},
objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy
this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if
you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”}
7. Machine Data Contains Critical Insights
The same four events, with the fields the slide calls out:
Order Processing: Customer ID (10098213), Order ID (569281734), Product ID (SA-2100)
Middleware Error: Order ID (569281734), Customer ID (10098213)
Care IVR: Customer ID (CUSTID 10098213); time waiting on hold, from CONNEVENT at 16:33:11 to DISCEVENT at 16:37:49, tied together by the same SerID
Twitter: Customer's Twitter ID (Cowb0ysF@n80), Customer's Tweet (the body field), Company's Twitter ID (@ACME)
9. Industry Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume. Answer Any Question.
Capabilities: Ad hoc search, Monitor and alert, Report and analyze, Custom dashboards, Developer Platform
Deployment: On-Premises, Private Cloud, Public Cloud
Data sources (Any Amount, Any Location, Any Source): Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Platform: Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing
Why it works: No back-end database, Schema on-the-fly, No need to filter data, Quick time to value, Agile reporting and analytics, Real-time architecture
12. Getting Data Into Splunk
We will import sample web e-commerce store events.
▶ IMPORT THE ZIP FILE, not individual files within it: http://www.splunkbook.com (sample data is located under the 'related links' section; same tutorialdata.zip as on the first page)
▶ Log in to Splunk: http://127.0.0.1:8000, username=admin password=changeme
▶ To add the file to Splunk:
• Click Add Data
• Click Upload files from my computer
• Drag and drop your sample data zip file
• Review and finish
13. Common Problems at This Point
▶ License expired (already had an older version installed)
• Close browser, empty cache, open browser. If that doesn't work:
• Stop Splunk
• Uninstall all Splunk versions
  • Windows: Control Panel -> Uninstall programs -> Splunk
  • OS X: Finder -> Applications -> right-click Splunk, Move to Trash
• Reinstall
• Start Splunk
▶ Can't start Splunk
• Windows: search Control Panel -> Services -> Splunk -> Start
• Linux: cd <SPLUNK dir>/splunk/bin; ./splunk start
16. Searches Used
▶ buttercupgames
▶ buttercupgames 400
▶ buttercupgames 400 OR 500
▶ buttercupgames status=400 OR status=500
▶ buttercupgames status=400 OR status=500 | timechart count by status limit=10
▶ buttercupgames status=*
▶ buttercupgames status=* | timechart count by status limit=10
▶ buttercupgames status=* AND status!=200 | timechart count by status limit=10
▶ index=* sourcetype=access_combined_wcookie
18. Searches Used (Continued)
▶ index=* sourcetype=access_combined_wcookie | top limit=20 browser_type (field extraction necessary)
▶ buttercupgames status!=200
▶ buttercupgames status!=200 | stats count by status | where count > 100
▶ buttercupgames status=* | iplocation clientip
▶ buttercupgames status=* | iplocation clientip | geostats count by action
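The browser_type search above only works once a field extraction has split the access_combined_wcookie events into fields, and the stats search then counts on the extracted status field. As an added example (not Splunk's or the tutorial's code), the following Python performs such an extraction on constructed sample events and re-creates the slide's `stats count by status | where count > N` and `top limit=20 browser_type`; the regex, the browser_type derivation and the sample lines are assumptions, not the tutorial data.

```python
# Added example (not Splunk's or the tutorial's code): extract fields from
# constructed access_combined_wcookie-style events, then re-create the slide's
# "stats count by status | where count > N" and "top limit=20 browser_type".
import re
from collections import Counter

# Assumed field extraction for the access_combined_wcookie format: client IP,
# timestamp, request line, status, bytes, referer and user agent.
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)

# Constructed sample events shaped like the tutorial data; not real traffic.
SAMPLE_EVENTS = [
    '10.0.0.1 - - [21/Jan/2018:14:04:12] "GET /cart.do?action=addtocart HTTP/1.1" 200 1532 "http://www.buttercupgames.com/" "Mozilla/5.0 (Windows NT 10.0; rv:58.0) Gecko/20100101 Firefox/58.0" 1203',
    '10.0.0.2 - - [21/Jan/2018:14:04:13] "GET /product.screen?productId=SA-2100 HTTP/1.1" 404 2345 "-" "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0 Safari/537.36" 1204',
    '10.0.0.2 - - [21/Jan/2018:14:04:14] "POST /cart.do?action=purchase HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0 Safari/537.36" 1204',
    '10.0.0.3 - - [21/Jan/2018:14:04:15] "GET /category.screen?categoryId=STRATEGY HTTP/1.1" 200 4001 "-" "Mozilla/5.0 (iPhone) AppleWebKit/604 (KHTML, like Gecko) Version/11.0 Safari/604" 1205',
    '10.0.0.4 - - [21/Jan/2018:14:04:16] "GET /oldlink?itemId=EST-14 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" 1206',
    "garbled line that does not match the format",
]

def extract_fields(line):
    """Return the extracted fields for one event, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def browser_type(useragent):
    """Derive browser_type from the user agent; order matters because Chrome
    user agents also contain 'Safari'."""
    for name, pattern in (("Firefox", r"Firefox/"), ("Chrome", r"Chrome/"),
                          ("Safari", r"Safari/"), ("IE", r"MSIE |Trident/")):
        if re.search(pattern, useragent):
            return name
    return "other"

def stats_count_by_status(lines, min_count=0):
    """'stats count by status | where count > min_count'; lines that fail
    extraction are skipped, as Splunk skips events lacking the by-field."""
    counts = Counter(f["status"] for f in map(extract_fields, lines) if f)
    return {s: c for s, c in sorted(counts.items()) if c > min_count}

def top_browser_type(lines, limit=20):
    """'top limit=N browser_type': (value, count, percent) by descending count."""
    counts = Counter(browser_type(f["useragent"]) for f in map(extract_fields, lines) if f)
    total = sum(counts.values())
    return [(b, c, round(100.0 * c / total, 2)) for b, c in counts.most_common(limit)]
```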
19. Where do I go for help?
▶ SplunkLive! Presentations
• http://splunklive.splunk.com/presentations.html
▶ Documentation
• http://www.splunk.com/base/Documentation
▶ Technical Support
• http://www.splunk.com/support
▶ Videos
• http://www.splunk.com/videos
▶ Education
• http://www.splunk.com/view/education/SP-CAAAAH9
▶ Community
• http://answers.splunk.com
▶ Splunk Book
• http://splunkbook.com
Time to Start SPLUNKING!!!
21. Save the Date 2018
▶ October 1-4, 2018, Walt Disney World Swan and Dolphin Resort in Orlando
▶ 8,750+ Splunk Enthusiasts
▶ 300+ Sessions
▶ 100+ Customer Speakers
Plus Splunk University:
▶ Three Days: September 29-October 1, 2018
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
conf.splunk.com
59. Let’s add this search to our dashboard, and then view the dashboard.
Click Edit -> Edit Panels to drag the different panels to different positions.