© 2015 Global Technology Resources, Inc. All Rights Reserved.
Contents herein contain confidential information not to be copied.
Splunk Fundamentals
Investigations with Core Splunk
Hosted by Global Technology Resources, Inc.
Taylor Williams
twilliams@gtri.com
GTRI Quick Facts
• Unique federal qualifications
• Cleared to support mission-critical projects
• Highly successful SBA 8(a) program graduate (2010)
• Proven graduate of DoD Mentor Protégé of NGA/Raytheon IIS (2010)
• Solutions-oriented consultants
• Averaging over 10 years of hands-on experience
• Culture of customer focus
• Relentless commitment
• Operational excellence
• ISO 9001:2008 quality management certified
• Proven processes designed to mitigate risk
GTRI Splunk-Practice Overview
Highlights:
• Splunk’s 1st Elite Partner and one of only two Splunk Certified Training Centers in the U.S.
• GTRI provides end-to-end support for Splunk from pre-sales engineering to post-sales professional services, implementation, training and optimization
• Splunk’s most credentialed partner in N. America:
– GTRI holds over 60 Splunk Certifications:
• 8 Certified Architects
• 14 Certified Solutions Engineers (SE-I & SE-2)
• Certified Training Center
GTRI Overview and Capabilities
Agenda
• Provide a fundamental understanding of the components in a Splunk implementation and how they scale
• Provide hands-on examples of Splunk tasks to provide insight on how Splunk expedites system diagnostics and investigation
• Labs are incorporated to allow the attendees to learn by exploring. They have practical instruction not directly covered by the lecture.
http://www.splunk.com/view/SP-CAAAH9Q
Topics
• Splunk Overview
• Splunk Architecture
• Data Collection
• Splunk for Discovery
• Automation: Let Splunk Do the Work
• Splunk Apps
Splunk Overview: What is Splunk?
Splunk is a big data platform designed to make machine data accessible and meaningful
• Data Collection
• Ad-hoc searches
• Dashboards
Splunk Overview: How is Splunk Used?
Use Cases
Traditional
• Applications
• Security
• SOC
• NOC
Custom
• SCADA
• Election Data
• Energy Consumption
• …
Architecture: Main Splunk Server Functions
A Splunk install can be one or all roles…
• Search Head – Searching and Reporting
• Indexer – Indexing and Search Services
• Forwarder – Data Collection and Forwarding
Architecture: Multi-tiered Environment
Single Server (demos, POC, …) to Enterprise Scale
Architecture: Operating Systems
Splunk runs on most Windows and Unix variants (32-bit/64-bit)
All binaries
• have identical disk structure
• have identical command line interface
• communicate over the network, bridging operating systems
Windows binaries include extra inputs
• Registry
• Event Logs
http://docs.splunk.com/Documentation/Splunk/6.1/Installation/Systemrequirements
Lab Access
This is a hands-on class where everyone has their own sandbox to work in. Logins are a part of the provided class materials.
Server: http://bootcamp.gtri-training.com
Credentials are provided in logins.pdf
http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Supported_browsers
LAB 1: Getting Connected (5 minutes)
• Log in to Splunk
• Customize display information
Data Collection: Know Your Data
Splunk is licensed by volume of uncompressed data/day – collect what is needed.
Questions to ask:
• What are you trying to solve?
• Where is that information?
• How is your data accessed?
• How long do you want that data searchable?
• Is there information that needs to have limited visibility?
• What kind of archival strategy(ies) is needed?
Data Collection: Where is Your Data?
Splunk can digest any type of text data – What data do you want to Splunk?
• Any log files
• Custom applications
• Web servers
• User clickstreams
• Social platforms
• Configuration files
• Telecoms devices
• Storage devices
• Network devices
• Databases
• Web Services
• System metrics
• GPS
• Security devices
• Servers/Hypervisors/VMs
• DNS, DHCP
• AAA Logs
• Proxy servers
• Errors
• Scripts
• Sensors
• …
Data Collection: Inputs
Types of inputs
• Files and directories – monitor physical files on disk
• Network inputs – monitor network data feeds on specific ports
• Scripted inputs – import from non-traditional sources, APIs, databases, etc.
• Windows inputs – are Windows specific; Windows event logs, performance monitoring, AD monitoring, and local registry monitoring
• File system change monitoring – monitor the state: permissions, read only, last changed, etc. of key config or security files
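The five input types above, written out as an added inputs.conf example (not from the slides or the GTRI lab). File paths, the UDP port, index names, the poller script and the registry hive are assumptions chosen for illustration.

```ini
# Added example (not from the slides or the GTRI lab): one stanza per
# input type from the list above. Paths, ports, index names, the
# script name and the registry hive are assumptions.

# Files and directories: tail a log file that is already on disk
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = 0

# Network input: syslog feed from the firewalls on a dedicated UDP port
# (cisco:asa is the pretrained sourcetype named on the Source type slide)
[udp://1514]
sourcetype = cisco:asa
index = network
connection_host = ip

# Scripted input: run a script every 300 seconds and index its stdout,
# e.g. a poller that queries a database or a REST API
[script://$SPLUNK_HOME/etc/apps/gtri_lab/bin/db_poll.py]
interval = 300
sourcetype = lab:dbqueue
index = app

# Windows inputs (only present in the Windows binaries)
[WinEventLog://Security]
index = windows
disabled = 0

[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 10
index = windows

# AD monitoring: watch the domain the host is joined to
[admon://default]
monitorSubtree = 1
baseline = 0
index = windows

# Local registry monitoring: change events under the machine Run key
[WinRegMon://hklm_run]
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete
baseline = 0
index = windows

# File system change monitoring: poll a key config file for changes to
# permissions, ownership or contents, without indexing the file itself
[fschange:/etc/ssh/sshd_config]
pollPeriod = 60
recurse = false
fullEvent = false
index = os
```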
LAB 2: Exploring the Splunk Interface (10 minutes)
• Find the data
• Run basic keyword searches
• Challenge: Using a keyword search, find the number of times in the last 8 hours that the access control list blocked an action.
Lab Review
• Search Application
• Keyword Searches
• Booleans: AND, OR, NOT
• Not Case Sensitive
Splunk for Discovery: Definitions
Event
A single piece of data in Splunk, similar to a record in a log file. When you run a search, events are what you get back. Can be single or multiple lines.
Each event has the following fields
• timestamp
• host
• source
• source type
• index
Splunk for Discovery: Definitions
Field
Searchable name/value pair associated with Splunk event data.
Fields give you more precision in searches.
Splunk for Discovery: Definitions
Source type
The data format from which the event originates, such as ps or cisco:asa.
• Splunk has many source types pre-trained
• Additional source types can be created as needed
• Field definitions are defined per source type.
• Splunk Common Information Model (CIM) defines what fields should be extracted from source types and what their names should be. This facilitates field reuse in different applications.
http://docs.splunk.com/Documentation/Splunk/6.1/Data/Listofpretrainedsourcetypes
Splunk for Discovery: Demo
Purchasing Problem Scenario:
A call comes in about users not being able to make purchases.
The lab has a multi-tier implementation so let’s step through the investigation and where it leads us.
LAB 3: Core Splunk Investigation
• Calls have come in reporting users having difficulty connecting to a web application.
Lab Review
1. Search for concur*
2. Chart the status
Lab Review: (cont.)
3. Check the Remedy Change Ticket data
4. Chart the Firewall connections denied over time
Automation: Let Splunk Do the Work
Rapid Investigation
Proactive Monitoring
Automation: Saving Searches
After you develop a search you may want to persist it as a Knowledge Object to be reused or referenced
• Report
• Alert
• Dashboard Panel
Automation: Report Knowledge Object
Save a Report from the search screen
Access the report using the Reports menu item
NOTE: You can also access Reports from the Settings link
Automation: Alerting
Anything that can be searched for can be alerted upon
Alert Actions
• list in triggered alerts
• send an email
• custom action via a script
– automatic actions
– entries into a ticketing system
Automation: Creating an Alert
Save As Alert flow (screenshots: step one, step two)
Automation: Reports and Alerts
Reports and alerts are really the same type of Knowledge Object. Reports just have more fields filled out.

                    Search String   Schedule   Alert Defined
Report              x
Scheduled Report    x               x
Alert               x               x          x
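The table above and the Lab 3 review steps, written out as an added savedsearches.conf example (not from the slides or the GTRI lab): three stanzas of the same Knowledge Object type, each with more fields filled in, using the Lab 3 searches (chart the status, firewall denies over time) and the alert actions from the Alerting slide. Index, sourcetype, the status field, the threshold, the e-mail address and the script name are assumptions.

```ini
# Added example (not from the slides or the GTRI lab): the same Knowledge
# Object type with more fields filled in at each step. Index, sourcetype,
# field names, threshold, e-mail address and script name are assumptions.

# Report: search string only (Lab 3 step 2, chart the status)
[Concur purchase status]
search = index=web concur* | chart count by status

# Scheduled report: search string + schedule (Lab 3 step 4, firewall
# denies over time), re-run hourly over the last 24 hours
[Firewall denies over time]
search = sourcetype=cisco:asa Deny | timechart span=15m count AS denied
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Alert: search string + schedule + trigger condition + actions.
# Every 5 minutes, fire if more than 100 deny events were seen in the
# last 5 minutes. Actions match the Alert Actions slide: list in
# Triggered Alerts, send an e-mail, run a script (e.g. to open a ticket).
[Firewall deny spike]
search = sourcetype=cisco:asa Deny
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 100
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$
# the script must live in $SPLUNK_HOME/bin/scripts on the search head
action.script = 1
action.script.filename = open_change_ticket.sh
```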
Automation: Simple Dashboards
Start with a developed search and select the Save As > Dashboard Panel
Add the Report to a new or existing dashboard
Automation: Editing Dashboards
Use the Edit->Edit Panels feature to rearrange charts or modify searches
• Drag the header to change rows or combine panels on one row
• Use the paint brush to modify the labeling
• Use the chart line to modify the visualization
• Use the magnify icon to modify the search
LAB 4: Splunk Investigation and Simple Dashboard (15-20 min)
• Users have reported that internet applications have suddenly gotten sluggish. The likely cause is network bandwidth, so we will look at the proxy logs to determine how bandwidth is being used
• Add the result to a new dashboard
• Add the searches from the previous 2 labs to the dashboard
Splunk Apps: Definition
From Splunk website: “Apps are a self-service, out-of-the box extension for Splunk. Apps serve as workspaces for tailored configuration for configuration or display.”
Most apps are just fancy versions of the dashboard you created in the lab.
Apps may contain
• A UI context selected from the App list dropdown
• Knowledge objects including saved reports, alerts, and custom-designed views and dashboards
• Configuration
Apps are available at apps.splunk.com for free with the exception of Enterprise Security, VMWare, PCI, Exchange
Splunk Apps: Repository
apps.splunk.com
• Many providers, from Splunk to individuals
• Collected data is immutable, apps will not change existing data
• Apps can change how data is collected and how it is displayed
Cisco Security Suite App
Provided by Cisco
Dashboards and searches for Cisco appliance data
• Cisco Client Security Agent (CSA)
• Cisco IronPort Email Security Appliance (ESA)
• Cisco IronPort Web Security Appliance (WSA)
• Cisco Firewalls (PIX, FWSM, ASA)
• Cisco IPS
• Cisco MARS
Application Management App
Custom App Developed by Splunk for Demo purposes
Provides an example of how Splunk can monitor a multi-tiered system.
Demo:
Investigating Environment Issues within an application
Application Management: Recap
From the Environment State dashboard, it is clear that the DB layer is taking too much time.
Further, the Queue size is running higher than the 7 day average.
Drilling into the DB State dashboard, there is a recent unauthorized change to the queue size.
Return to normal…
Observe the changes to your dashboard when conditions are corrected and activity returns to normal.
• Page Not Found errors drop off
• DirecTV load disappears
Summary
Topics
• Splunk Overview
• Splunk Architecture
• Data Collection
• Splunk for Discovery
• Automation: Let Splunk Do the Work
• Splunk Apps
Thank You!
Global Technology Resources, Inc.
Getting Started with Splunk Breakout Session
Splunk
 
Customer Presentation
Customer PresentationCustomer Presentation
Customer Presentation
Splunk
 
5DV Advanced_Dashboards_and_Visualisations.pdf
5DV Advanced_Dashboards_and_Visualisations.pdf5DV Advanced_Dashboards_and_Visualisations.pdf
5DV Advanced_Dashboards_and_Visualisations.pdf
Genestapower
 
Big Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better TogetherBig Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better Together
Zivaro Inc
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Shannon Cuthbertson
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September Event
Harry McLaren
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Splunk at Sabre
Splunk at SabreSplunk at Sabre
Splunk at Sabre
Splunk
 
A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...
CollabNet
 
SplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptxSplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptx
KhongHieu2
 
SplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptxSplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptx
Cazlp1
 
6.4 whats new
6.4 whats new6.4 whats new
6.4 whats new
Splunk
 
Single Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn'tSingle Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn't
Zivaro Inc
 
Splunk for Machine Learning and Analytics
Splunk for Machine Learning and AnalyticsSplunk for Machine Learning and Analytics
Splunk for Machine Learning and Analytics
Splunk
 
Splunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOpsSplunk .conf18 Updates, Config Add-on, SplDevOps
Splunk .conf18 Updates, Config Add-on, SplDevOps
Harry McLaren
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
Harry McLaren
 
Accelerating SDLC for Large Public Sector Enterprise Applications
Accelerating SDLC for Large Public Sector Enterprise ApplicationsAccelerating SDLC for Large Public Sector Enterprise Applications
Accelerating SDLC for Large Public Sector Enterprise Applications
Splunk
 
SplunkLive! Zurich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...
SplunkLive! Zurich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...SplunkLive! Zurich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...
SplunkLive! Zurich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...
Splunk
 
Java Card Platform Security and Performance
Java Card Platform Security and PerformanceJava Card Platform Security and Performance
Java Card Platform Security and Performance
Eric Vétillard
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
Splunk
 
Customer Presentation
Customer PresentationCustomer Presentation
Customer Presentation
Splunk
 
5DV Advanced_Dashboards_and_Visualisations.pdf
5DV Advanced_Dashboards_and_Visualisations.pdf5DV Advanced_Dashboards_and_Visualisations.pdf
5DV Advanced_Dashboards_and_Visualisations.pdf
Genestapower
 
Big Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better TogetherBig Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better Together
Zivaro Inc
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Shannon Cuthbertson
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September Event
Harry McLaren
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
Splunk at Sabre
Splunk at SabreSplunk at Sabre
Splunk at Sabre
Splunk
 
A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...
CollabNet
 
SplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptxSplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptx
KhongHieu2
 
SplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptxSplunkGettingStartedWorkshop.pptx
SplunkGettingStartedWorkshop.pptx
Cazlp1
 
6.4 whats new
6.4 whats new6.4 whats new
6.4 whats new
Splunk
 
Ad

More from Zivaro Inc (20)

How to Rightsize Your Citrix Investment
How to Rightsize Your Citrix InvestmentHow to Rightsize Your Citrix Investment
How to Rightsize Your Citrix Investment
Zivaro Inc
 
On-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration ShowdownOn-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration Showdown
Zivaro Inc
 
Beyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security TechnologiesBeyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security Technologies
Zivaro Inc
 
Organizational Change Management
Organizational Change ManagementOrganizational Change Management
Organizational Change Management
Zivaro Inc
 
Software-Defined WAN 101
Software-Defined WAN 101Software-Defined WAN 101
Software-Defined WAN 101
Zivaro Inc
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
Zivaro Inc
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same Coin
Zivaro Inc
 
Denver Big Data Analytics Day
Denver Big Data Analytics DayDenver Big Data Analytics Day
Denver Big Data Analytics Day
Zivaro Inc
 
Support Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureSupport Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network Architecture
Zivaro Inc
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined Networking
Zivaro Inc
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology Brief
Zivaro Inc
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
Zivaro Inc
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech Day
Zivaro Inc
 
GTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech DayGTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech Day
Zivaro Inc
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
Zivaro Inc
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
Zivaro Inc
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
Post IPv6 Implementation and Security: Now What?
Post IPv6 Implementation and Security: Now What?Post IPv6 Implementation and Security: Now What?
Post IPv6 Implementation and Security: Now What?
Zivaro Inc
 
How to Rightsize Your Citrix Investment
How to Rightsize Your Citrix InvestmentHow to Rightsize Your Citrix Investment
How to Rightsize Your Citrix Investment
Zivaro Inc
 
On-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration ShowdownOn-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration Showdown
Zivaro Inc
 
Beyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security TechnologiesBeyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security Technologies
Zivaro Inc
 
Organizational Change Management
Organizational Change ManagementOrganizational Change Management
Organizational Change Management
Zivaro Inc
 
Software-Defined WAN 101
Software-Defined WAN 101Software-Defined WAN 101
Software-Defined WAN 101
Zivaro Inc
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
Zivaro Inc
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same Coin
Zivaro Inc
 
Denver Big Data Analytics Day
Denver Big Data Analytics DayDenver Big Data Analytics Day
Denver Big Data Analytics Day
Zivaro Inc
 
Support Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureSupport Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network Architecture
Zivaro Inc
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined Networking
Zivaro Inc
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology Brief
Zivaro Inc
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
Zivaro Inc
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech Day
Zivaro Inc
 
GTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech DayGTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech Day
Zivaro Inc
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
Zivaro Inc
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
Zivaro Inc
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
Post IPv6 Implementation and Security: Now What?
Post IPv6 Implementation and Security: Now What?Post IPv6 Implementation and Security: Now What?
Post IPv6 Implementation and Security: Now What?
Zivaro Inc
 

Recently uploaded (20)

Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 

Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day

  • 1. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. 1 Splunk Fundamentals Investigations with Core Splunk Hosted by Global Technology Resources, Inc. Taylor Williams [email protected]
  • 2. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. 2 GTRI Quick Facts  Unique federal qualifications  Cleared to support mission-critical projects  Highly successful SBA 8 (a) program graduate (2010)  Proven graduate of DoD Mentor Protégé of NGA/Raytheon IIS (2010)  Solutions-oriented consultants  Averaging over 10 years of hands-on experience  Culture of customer focus  Relentless Commitment  Operational excellence  ISO 9001:2008 quality management certified  Proven processes designed to mitigate risk
  • 3. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. GTRI Splunk-Practice Overview Highlights: • Splunk’s 1st Elite Partner and one of only two Splunk Certified Training Centers in the U.S. • GTRI provides end-to-end support for Splunk from pre-sales engineering to post-sales professional services, implementation, training and optimization • Splunk’s most credentialed partner in N. America: – GTRI holds over 60 Splunk Certifications: • 8 Certified Architects • 14 Certified Solutions Engineers (SE-I & SE-2) • Certified Training Center 3
  • 4. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. 4 GTRI Overview and Capabilities
  • 5. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Agenda • Provide a fundamental understanding of the components in a Splunk implementation and how they scale • Provide hands-on examples of Splunk tasks to provide insight on how Splunk expedites system diagnostics and investigation • Labs are incorporated to allow the attendees to learn by exploring. They have practical instruction not directly covered by the lecture. 5http://www.splunk.com/view/SP-CAAAH9Q
  • 6. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Topics • Splunk Overview • Splunk Architecture • Data Collection • Splunk for Discovery • Automation: Let Splunk Do the Work • Splunk Apps 6
  • 7. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Splunk Overview: What is Splunk? Splunk is a big data platform designed to make machine data accessible and meaningful 7 Data Collection Ad-hoc searches Dashboards
  • 8. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Splunk Overview: How is Splunk Used? Traditional • Applications • Security • SOC • NOC 8 Custom • SCADA • Election Data • Energy Consumption • … Use Cases
  • 9. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Architecture: Main Splunk Server Functions 9 Searching and Reporting A Splunk install can be one or all roles… Indexing and Search Services Data Collection and Forwarding Search Head Indexer Forwarder
  • 10. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Architecture: Multi-tiered Environment 10 Single Server: Demos, POC, … Enterprise Scale
  • 11. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Architecture: Operating Systems Splunk runs on most Windows and Unix Variants (32 bit/64 bit) All binaries • have identical disk structure • have identical command line interface • communicate via network bridging operating systems Windows binaries include extra inputs • Registry • Event Logs 11http://docs.splunk.com/Documentation/Splunk/6.1/Installation/Systemrequirements
  • 12. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Lab Access This is a hands on class where everyone has their own sandbox to work in. Logins are a part of the provided class materials. Server: http://bootcamp.gtri-training.com Credentials are provided in logins.pdf 12http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Supported_browsers
  • 13. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. 13 LAB 1: Getting Connected (5 minutes) • Log in to Splunk • Customize display information
  • 14. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. Splunk is licensed by volume of uncompressed data/day – collect what is needed. Questions to ask: • What are you trying so solve? • Where is that information? • How is your data accessed? • How long do you want that data searchable? • Is there information that needs to have limited visibility? • What kind of archival strategy(ies) is needed? Data Collection: Know Your Data 14
  • 15. © 2015 Global Technology Resources, Inc. All Rights Reserved. Contents herein contain confidential information not to be copied. 15 Data Collection: Where is Your Data? • Any log files • Custom applications • Web servers • User clickstreams • Social platforms • Configuration files • Telecoms devices • Storage devices • Network devices • Databases • Web Services • System metrics Splunk can digest any type of text data – What data do you want to Splunk? • GPS • Security devices • Servers/Hypervisors/VMs • DNS, DHCP • AAA Logs • Proxy servers • Errors • Scripts • Sensors • …
  • 16. Data Collection: Inputs
    Types of inputs:
    • Files and directories – monitor physical files on disk
    • Network inputs – monitor network data feeds on specific ports
    • Scripted inputs – import from non-traditional sources: APIs, databases, etc.
    • Windows inputs – Windows specific: Windows event logs, performance monitoring, AD monitoring, and local registry monitoring
    • File system change monitoring – monitor the state (permissions, read only, last changed, etc.) of key config or security files
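As an added example (not from the deck and not Splunk's own documentation), an inputs.conf fragment with one stanza for each input type listed above; the paths, port, script name, index names and sourcetypes are assumed values for a hypothetical deployment.

```ini
# inputs.conf: one stanza per input type on the slide (constructed example).
# Paths, ports, index names and sourcetypes are assumptions, not values from the deck.

# Files and directories: monitor a file on disk. Routing security logs to
# their own index is what later lets you restrict who can search them (the
# "limited visibility" question from the Know Your Data slide).
[monitor:///var/log/secure]
sourcetype = linux_secure
index = security
disabled = 0

# Network input: syslog from network devices on UDP 514. Syslog carries no
# authentication, so derive the host field from the sender IP and expose the
# listener only on an interface your devices can reach.
[udp://514]
sourcetype = syslog
connection_host = ip
index = network

# Scripted input: run a script every 5 minutes and index its stdout
# (non-traditional sources, APIs, databases). The script name is hypothetical.
[script://./bin/check_disk.sh]
interval = 300
sourcetype = disk_usage
index = os

# Windows inputs (only present in Windows binaries): the Security event log
# and a Performance Monitor counter.
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
index = os

# File system change monitoring: record permission/ownership/content changes
# to key config files (fschange stanza as it exists in Splunk 6.x).
[fschange:/etc]
recurse = true
pollPeriod = 60
fullEvent = false
index = security
```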
  • 17. LAB 2: Exploring the Splunk Interface (10 minutes)
    • Find the data
    • Run basic keyword searches
    • Challenge: Using a keyword search, find the number of times in the last 8 hours that the access control list blocked an action.
  • 18. Lab Review
    • Search application
    • Keyword searches
    • Booleans: AND, OR, NOT
    • Not case sensitive
  • 19. Splunk for Discovery: Definitions
    Event: a single piece of data in Splunk, similar to a record in a log file. When you run a search, events are what you get back. An event can be a single line or multiple lines.
    Each event has the following fields:
    • timestamp
    • host
    • source
    • source type
    • index
  • 20. Splunk for Discovery: Definitions
    Field: a searchable name/value pair associated with Splunk event data. Fields give you more precision in searches.
  • 21. Splunk for Discovery: Definitions
    Source type: the data format from which the event originates, such as ps or cisco:asa.
    • Splunk has many source types pre-trained
    • Additional source types can be created as needed
    • Fields are defined per source type
    • The Splunk Common Information Model (CIM) defines what fields should be extracted from source types and what their names should be. This facilitates field reuse across different applications.
    http://docs.splunk.com/Documentation/Splunk/6.1/Data/Listofpretrainedsourcetypes
  • 22. Splunk for Discovery: Demo
    Purchasing Problem Scenario: A call comes in about users not being able to make purchases. The lab has a multi-tier implementation, so let's step through the investigation and where it leads us.
  • 23. LAB 3: Core Splunk Investigation
    • Calls have come in reporting users having difficulty connecting to a web application.
  • 24. Lab Review
    1. Search for concur*
    2. Chart the status
  • 25. Lab Review (cont.)
    3. Check the Remedy change ticket data
    4. Chart the firewall connections denied over time
  • 26. Automation: Let Splunk Do the Work
    Rapid Investigation
    Proactive Monitoring
  • 27. Automation: Saving Searches
    After you develop a search you may want to persist it as a Knowledge Object to be reused or referenced:
    • Report
    • Alert
    • Dashboard Panel
  • 28. Automation: Report Knowledge Object
    Save a Report from the search screen.
    Access the report using the Reports menu item.
    NOTE: You can also access Reports from the Settings link.
  • 29. Automation: Alerting
    Anything that can be searched for can be alerted upon.
    Alert actions:
    • list in triggered alerts
    • send an email
    • custom action via a script
      – automatic actions
      – entries into a ticketing system
  • 30. Automation: Creating an Alert
    Save As > Alert flow (step one, step two)
  • 31. Automation: Reports and Alerts
    Reports and alerts are really the same type of Knowledge Object. Reports just have more fields filled out.

    Knowledge Object    Search String   Schedule   Alert Defined
    Report              x
    Scheduled Report    x               x
    Alert               x               x          x
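The three rows of the table above, and the alert actions from the Alerting slide, written out as the savedsearches.conf stanzas that Save As > Report / Alert creates, using the lab's own search strings; this is an added example, not the deck's or Splunk's code, and the stanza names, schedules, threshold and e-mail address are assumed.

```ini
# savedsearches.conf (constructed example): all three rows are the same
# Knowledge Object type; each row down the table fills in more fields.

# Report: only a search string (plus a default time range).
[Concur status over time]
search = sourcetype=access_combined concur* | timechart count by status_description limit=10
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Scheduled Report: search string + schedule. Runs hourly over the previous
# whole hour so the chart is populated without anyone re-running the search.
[Firewall denies by hour]
search = sourcetype=cisco:asa "connection denied" | timechart count
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Alert: search string + schedule + alert definition. Every 5 minutes, if
# more than 50 denies were logged in that window (threshold is an assumption),
# list it under Triggered Alerts and e-mail the operations team. Suppression
# keeps a sustained block from paging once per run.
[ASA connection denied spike]
search = sourcetype=cisco:asa "connection denied"
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
counttype = number of events
relation = greater than
quantity = 50
alert.track = 1
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 30m
action.email = 1
action.email.to = ops@example.com
```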
  • 32. Automation: Simple Dashboards
    Start with a developed search and select Save As > Dashboard Panel.
    Add the report to a new or existing dashboard.
  • 33. Automation: Editing Dashboards
    Use the Edit > Edit Panels feature to rearrange charts or modify searches:
    • Drag the header to change rows or combine panels on one row
    • Use the paint brush to modify the labeling
    • Use the chart line to modify the visualization
    • Use the magnify icon to modify the search
  • 34. LAB 4: Splunk Investigation and Simple Dashboard (15-20 min)
    • Users have reported that internet applications have suddenly gotten sluggish. The likely cause is network bandwidth, so we will look at the proxy logs to determine how bandwidth is being used.
    • Add the result to a new dashboard
    • Add the searches from the previous 2 labs to the dashboard
  • 35. Splunk Apps: Definition
    From the Splunk website: “Apps are a self-service, out-of-the-box extension for Splunk. Apps serve as workspaces for tailored configuration for configuration or display.”
    Most apps are just fancy versions of the dashboard you created in the lab.
    Apps may contain:
    • A UI context selected from the App list dropdown
    • Knowledge objects including saved reports, alerts, and custom-designed views and dashboards
    • Configuration
    Apps are available at apps.splunk.com for free, with the exception of Enterprise Security, VMware, PCI and Exchange.
  • 36. Splunk Apps: Repository
    apps.splunk.com
    • Many providers, from Splunk to individuals
    • Collected data is immutable; apps will not change existing data
    • Apps can change how data is collected and how it is displayed
  • 37. Cisco Security Suite App
    Provided by Cisco. Dashboards and searches for Cisco appliance data:
    • Cisco Client Security Agent (CSA)
    • Cisco IronPort Email Security Appliance (ESA)
    • Cisco IronPort Web Security Appliance (WSA)
    • Cisco Firewalls (PIX, FWSM, ASA)
    • Cisco IPS
    • Cisco MARS
  • 38. Application Management App
    Custom app developed by Splunk for demo purposes. Provides an example of how Splunk can monitor a multi-tiered system.
    Demo: Investigating environment issues within an application
  • 39. Application Management: Recap
    From the Environment State dashboard, it is clear that the DB layer is taking too much time. Further, the queue size is running higher than the 7-day average.
    Drilling into the DB State dashboard, there is a recent unauthorized change to the queue size.
  • 40. Return to normal…
    Observe the changes to your dashboard when conditions are corrected and activity returns to normal:
    • Page Not Found errors drop off
    • DirecTV load disappears
  • 41. Summary Topics
    • Splunk Overview
    • Splunk Architecture
    • Data Collection
    • Splunk for Discovery
    • Automation: Let Splunk Do the Work
    • Splunk Apps
  • 42. Thank You!
    Global Technology Resources, Inc.

Editor's Notes

  • #8: DEMO: Provide a short demo going from streaming data (rt 30s) to events to dashboards
  • #13: Note: This webinar requires the presenter to enable scripts during the presentation. Participants who try to work ahead on labs 3 and 4 will not see the expected results until the scripts are enabled.
  • #14: http://docs.splunk.com/Documentation/Splunk/6.2.0/Installation/Systemrequirements#Supported_browsers
  • #18: Take a step-by-step discovery of the different files, sources and source types. Look for keywords and explore the search time range options.
  • #23: This uses the application intelligence demo data generators, generating data across a multi-tier application. The goal is to show how an experienced user can get to the root cause quickly. Once there, back up and explain things in a little more detail.
    Steps:
    1. Look in our Apache logs: sourcetype=access_combined action=purchase status=503. Check the hosts; note it is on all Apache servers and unlikely to be an issue in this layer.
    2. Move to the WebSphere tier with a new search:
       Start: sourcetype=websphere_trlog
       Narrow: sourcetype=websphere_trlog exception
       Filter: sourcetype=websphere_trlog exception NOT getPolicy
       Find the reference to a DB issue.
    3. Look through the DB logs. Start: sourcetype=mysqld. Find the error messages and walk back to the disk full message.
  • #24: PRESENTER MUST ENABLE THE fw_block_apache.py SCRIPT BEFORE STARTING THE LAB (look on the second page of scripts).
    Firewall rule change
    Topic: Support calls have begun to arrive reporting users having difficulty getting to the online expense reporting system, Concur. Use core Splunk to determine what is happening and the root cause of the problem.
    What's happening: Cannot connect to the site, getting 404's.
    • Search for concur*
    • status field: Top values by time
    • sourcetype=access_combined | timechart count by status_description limit=10
    • Save As -> Report
    Why: A firewall change blocked access.
    • sourcetype=remedy_changeticket
    • sourcetype=cisco:asa "connection denied"
    Challenge: Create an alert
  • #35: PRESENTER MUST ENABLE THE proxy_net_load.py SCRIPT BEFORE STARTING THE LAB
    sourcetype="cisco:wsa:squid" directv | timechart avg(bytes_in) by cs_username
  • #40: Database Queue size change
  • #41: PRESENTER MUST DISABLE THE proxy_net_load.py AND THE fw_block_apache.py SCRIPTS BEFORE THIS WILL SHOW.