SlideShare a Scribd company logo

Splunk .conf18 Updates, Config Add-on, SplDevOps

Download as PPTX, PDF
H
Harry McLaren

Covering off some of the latest announcements at Splunk's user conference (.conf), an Add-on created to Splunk config files and also the presentation delivered at .conf18 on SplDevOps!

Data & Analytics
1 of 68
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk User Group Edinburgh
© 2018 SPLUNK INC. Harry McLaren ● Managing Consultant at ECS Security ● Splunk Enablement Lead & Member of Splunk Trust ● Leader of the Splunk User Group Edinburgh
© 2018 SPLUNK INC. Introduction to ECS Security Splunk Partner - UK – Security Consultancy & Managed SOC Provider – Splunk Revolution Award & Splunk Partner of the Year
© 2018 SPLUNK INC. Agenda • Housekeeping: Event Overview & House Rules • Splunk .conf18 Updates (Harry McLaren) • Security • IT Ops • Others (Docker) • Splunking .conf Files (Tomasz Dziwok) • Break • SplDevOps (Harry McLaren & Ilias Diamantakos)
© 2018 SPLUNK INC. Splunk [Official] User Group “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved” ● Technical Discussions ● Sharing Environment ● Build Trust ● No Sales!
© 2018 SPLUNK INC. Splunk .conf18 Updates Harry McLaren
© 2018 SPLUNK INC. Introducing Splunk Enterprise Security 5.2 Generally Available: 16/10/18
© 2018 SPLUNK INC. Event Sequencing Define Attacker Techniques via Multiple Matching Events ▶ The Event Sequencing Engine runs as a real- time search and listens for incoming notable events and risk modifiers that are triggered by correlation searches. ▶ Transitions can also be configured to aggregate notable events or risk modifiers that may happen after a transition match is found.
© 2018 SPLUNK INC. Event Sequencing Define Attacker Techniques via Multiple Matching Events
© 2018 SPLUNK INC. Use Case Library ES Content Updates Type Function Integrated
© 2018 SPLUNK INC. Investigation Workbench Two New Artifact Types - File Name & URL
© 2018 SPLUNK INC. Introducing Splunk Phantom Version 4.0 Security Orchestration, Automation, & Response (SOAR) Platform ▶ Clustering support for added performance and redundancy • Enables Phantom to scale horizontally using additional instances for added performance and redundancy ▶ Indicator View for threat intelligence style analysis • Provides a new and important way to visualize security data on the Phantom platform. Data is presented in the view organized by indicator, versus event, for easier threat- intelligence style analysis. ▶ Native Splunk search support • Splunk is now the default search engine shipped with the Phantom product. Users are able to use their existing or new external Splunk instances to achieve a single source for security data storage. Elasticsearch engine remains an external option for those that prefer it.
© 2018 SPLUNK INC. Introducing Splunk User Behaviour Analytics 4.2 Generally Available: 16/10/18 ▶ User Feedback for machine learning models provides anomaly customization and improved threat detection accuracy ▶ Improved data ingestion performance by up to 10x, with the new Splunk-to-Kafka UBA ingestion connector. Kafka ingestion does not require UBA to run real-time indexed search queries on core Splunk, rather uses micro-batched queries. ▶ Native single-sign-on authentication support for multiple identity providers Okta, Microsoft ADFS and Ping Identity
© 2018 SPLUNK INC. Introducing Splunk ITSI 4.0 Predictive Analytics for Real-Time Insights ▶ KPI Predictions We’re excited to deliver deeper insights into a potential health degradation with KPI Predictions. These utilize the breadth of data in the platform to help predict KPIs like customer experience, application workload, and infrastructure health, in order to identify issues or outages in advance. ▶ Predictive Cause Analysis This new feature helps you drill down into the specific services underlying a predicted issue to proactively remediate and resolve it before customer experience is impacted.
© 2018 SPLUNK INC. Introducing Splunk SmartStore Cut the Cord by Decoupling Compute and Storage ▶ Allowing compute and storage tiers to be independently scaled. ▶ Automatically evaluates users’ data access patterns to determine which data needs to be accessible for real-time analytics and which data should reside in lower cost, long-term storage.
© 2018 SPLUNK INC. Introducing Dynamic Data: Active Archive Data Retention Options in Splunk Cloud ▶ Data Management • Splunk provides complete lifecycle management of the archive on your behalf and remains the custodian of your data. Just like your Active Searchable data, Splunk manages all aspects of archive availability, durability, security and privacy requirements on your behalf. ▶ Data Restore • Enables you to request a slice of your data to be restored back into your Splunk Cloud instance. The entire workflow is fully integrated into Splunk Web so your archived data is available at your fingertips with predictable time between retrieval to search.
© 2018 SPLUNK INC. Other Features! Selection of Interesting New Releases! ▶ Dark Mode heightens visual contrast within Splunk dashboards. ▶ Workload Management enables users to prioritize the allocation of compute and memory resources used by Splunk on searches and alerts to ensure users’ most critical analytics are completed first. ▶ Guided Data Onboarding is a new graphical user interface helping customers move data into Splunk Cloud or Splunk Enterprise and guiding them through the best onboarding methodology based on their specific architecture. ▶ Logs to Metrics helps configure and convert log events to metrics, enabling users to take advantage of breakthrough performance when monitoring and alerting on metrics with the Splunk platform. ▶ Health Report gives Splunk administrators immediate visibility into the overall health status of their Splunk environments.
© 2018 SPLUNK INC. Introducing Splunk Next Splunk Works the Way Your Data Works ▶ Feedback from Splunk Customers • Make it easier to access data with Splunk no matter where it lives or what format it is in. • Make it easier to automate the actions and outcomes in order to drive the business forward. • Make it possible for all kinds of people to ask questions of Splunk and get to answers, no matter their role or where they might be in the world. ▶ What Does Splunk Next Do For You? • Ask Questions: Open customers to a broader set of data sources. • Get Answers: Empower a broader set of customers from IT and Security to Lines of Business. • Take Action: Operate on data wherever it lives.
© 2018 SPLUNK INC. Splunk Next Experimental, Pre-release Features (Alpha/Beta) ▶ Splunk Developer Cloud: Write Splunk applications natively in the cloud. ▶ Splunk Business Flow: Analytics-driven approach into customer/user’s interactions and identify ways to optimize those interactions and processes. ▶ Splunk Data Fabric Search: Seamlessly search across massive amounts of data and federated searches across multiple instances. ▶ Splunk Data Stream Processor: Refine, modify and adjust data mid-stream and within milliseconds before the data reaches its destination. ▶ Splunk Cloud Gateway: Secure cloud service with end-to-end encryption for easy mobile engagement through a simple to install Splunk app for Mobile. ▶ Splunk Mobile: Actionable alerts and mobile-friendly dashboards on mobile devices through our Splunk Mobile App. ▶ Splunk Natural Language: Query a system and ask question of Splunk without knowing SPL ▶ Splunk TV: View Splunk on any peripheral device instead of having to purchase a dedicated PC ▶ Splunk Augmented Reality: Enjoy direct access to the Splunk dashboard and live augmented reality Splunk-powered gauges on top of real-world objects.
© 2018 SPLUNK INC. Splunk on Docker Containers are now a First-Class Citizen ▶ Splunk Support now covers Splunk Enterprise 7.2 deployments in Docker containers, enabling customers to quickly deploy and scale Splunk based on their organizations’ demands.
© 2018 SPLUNK INC. Splunking .conf Files Tomasz Dziwok
Splunk Configuration Management Tomasz Dziwok ECS
> whoami | fields name, occupation  ECS  Associate Security Consultant / Engineer
Why configuration change control/monitoring?  Accountability  Failure recovery  Historical reference  Training  Enforcing change approval  …
What’s the absolute best way to do this?
This is the best way to do it…
There is no best way…  Version control; git  Automation; jenkins  Orchestration; ansible
Where to start?  I recommend  version control of configuration  monitor .conf files for changes  ideally store backup of configuration somewhere  git  can be simple  monitor file changes  But perhaps something easier…
Configuration Monitoring App  DEMO
Open Source & SplunkBase  https://gitlab.com/ecs_public_projects  https://splunkbase.splunk.com/  First open source software  Open to feedback  Will maintain on a best effort basis  PRs welcome!
Thank you…  Questions  Comments  Feedback
© 2018 SPLUNK INC. Break 10mins
© 2018 SPLUNK INC. SplDevOps Harry McLaren & Ilias Diamantakos
© 2018 SPLUNK INC.© 2018 SPLUNK INC. SplDevOps Making Splunk Development a Breeze with a Deep Dive on DevOps, Containerization, Version Control & Automation Harry McLaren, Ilias Diamantakos, Tomasz Dziwok October 2018 | Version 1.3
© 2018 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved. Forward-Looking Statements
v © 2018 SPLUNK INC. HARRY MCLAREN Splunk Enablement Lead, Managing Consultant ILIAS DIAMANTAKOS Splunk Engineer, Associate Consultant Who Are We? cyberharibu ilias-diamantakos
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Best Security Company of the Year Employer: ECS (UK Splunk Elite Partner)
© 2018 SPLUNK INC.© 2018 SPLUNK INC. What’s It All About? ▶ Customer Challenges ▶ What Do We Want? ▶ Our Idea to Deploy Splunk ▶ Technical Deep Dive ▶ Project Roadmap ▶ Key Takeaways ~40mins
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Customer Challenges “The expansion of Splunk has increased operational complexity, as we manage it manually and can’t keep on top of project change requests.” – High-Street Retailer “We require a full route- to-live to maintain system integrity and can’t deploy changes fast enough in our current setup.” – National Bank “Multiple developers within the same DEV environment, causes repeated configuration conflicts and delays to planned changes.” – National Building Society
© 2018 SPLUNK INC.© 2018 SPLUNK INC. What Do We Want? Enterprises Want to Respond Quickly, Safely & With Less Risk Rapid Changes to Splunk Software 01 Orchestrated Deployment 02 Fragile Route-to-Live  Fail Safe, Fast Backout 03 Development at Scale • Enterprise Scale Development • Synchronous Changes / Multiple Admins & Developers • Splunk Defined via Code • Familiar Approach (AKA: DevOps/Agile) Reduction in Custom Config • Every ’Custom’ Configuration Introduces Disparity • Inconsistent Dev, Test, Pre-Prod, Prod • Testing is “Best Endeavors” • Increased Risk, Changes Batched
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk for Agility Supporting Agile Methodology by Default Schema at Read, Supporting Multiple Use Cases Analytic Tools Exposed to UI, Empowering Users to Experiment Plain Text Configuration Files, Documented & Supported Splunk API is Enumerated, Dev Licenses, Labs Encouraged SPL Web UI Plain Text Config Open API Monitor InvestigateIntelligence
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Our Idea “SplDevOps” Became the Solution Version Control  Git[Lab] Utilized  Multiple Projects/Branches  Key Releases Tagged Full Route-to-Live  Multi-Stage Environments  Dev > Pre-Prod > Prod • Automated Testing Agile Development  Short Sprints  Test Driven Development  Issue Management & Feature Backlog Configuration Management  Orchestrated Deployment  Centralized Config  Ansible used via SSH
© 2018 SPLUNK INC. Project: Internal Monitoring Ask: Deploy Splunk Internally for SecOps & ITOps Use Cases
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Automation Engine Containerization Version Control Brief Background Let’s talk tools!
© 2018 SPLUNK INC. What Tool Fits Where? a new Splunk infrastructure the DevOps way! ▶ Identical environments & route-to-live • Development, Pre-production, Production ▶ Eliminate fear driven development • It’s ok to make mistakes! ▶ Minimize direct production changes • Always go through route-to-live • Transparent change control ▶ Modern means of disaster recovery ▶ Security driven ← Ansible + Git + Docker + Python ← Docker + Git ← GitLab ← Ansible (IaC) ← Ansible Vault
© 2018 SPLUNK INC. How We Wanted It To Look Spoiler Alert: This is also the end result dev pre-prod prod IX: Splunk Indexer SH: Splunk Search Head DS: Splunk Deployment Server AS: Ansible Server
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Multiple Repositories Of /opt/splunk/etc for each instance Ansible & DS IX splunk_ix SH splunk_sh Syslog Collector syslog ansible splunk_ds
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Git Workflow aka “the change process”
© 2018 SPLUNK INC. Everything starts from our DevEnv So let’s spin one up
© 2018 SPLUNK INC. What’s going on in the background
© 2018 SPLUNK INC. What’s going on in the background
© 2018 SPLUNK INC. How It Looks
© 2018 SPLUNK INC. How It Looks
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Let’s Share Secrets No really, we are sharing! ▶ How to version sensitive information • Encryption ▶ How to decrypt automatically • Ansible Vault ▶ How to store Ansible Vault Password • More encryption
© 2018 SPLUNK INC. Let’s Decrypt One password to rule them all Ansible Server
© 2018 SPLUNK INC. Use Case Scenario Demo time
© 2018 SPLUNK INC.© 2018 SPLUNK INC. How it should have been done Integrating with our change process
© 2018 SPLUNK INC.© 2018 SPLUNK INC. How it should have been done Integrating with our change process
© 2018 SPLUNK INC. How it gets deployed
© 2018 SPLUNK INC. How it gets deployed
© 2018 SPLUNK INC. How it gets deployed
© 2018 SPLUNK INC. Lessons We Learned Not everything was easy… ▶ Multiple repositories • What goes where? • Many lines of history ▶ Identical code for different environments • There are always exceptions (Eventgen, production API calls) ▶ Data for different environments • Production data is sensitive ▶ Automated deployment of code • When do you restart?
© 2018 SPLUNK INC. Deployment Results Did it work!?
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Full Route-to-Live Implemented in Production Users & Admins Educated & Empowered Everything Under Version Control Promoting Changes in ~ 5mins (Dev>Prod) Foundations Built for Future Development End Result Prototype Success, Production Rollout
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Adaptable Framework Expressed in Software (Python + Git + Ansible) Environment Agnostic & Scales to Clustered Deployments& Hybrid Cloud Architecture User Friendly & End-to-End Integrated with Issue/Change Management Roadmap Introducing “Splunk Compiler” (v2.0+)
© 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk Supports Experimentation by Default Agile/DevOps Methodologies are Compatible Doesn’t Require Automation Expertise Version Control BEFORE Software Orchestration Key Takeaways Remember Four Things…
© 2018 SPLUNK INC. Don't forget to rate this session in the .conf18 mobile app Thank You
© 2018 SPLUNK INC. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via http://splunk-usergroups.signup.team/ – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecssecurity.co.uk | @cyberharibu | harrymclaren.co.uk ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk

Recommended

SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...Harry McLaren
 
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Harry McLaren
 
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Harry McLaren
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Amanda Richardson
 
Sl boston 05_12_15_ener_noc_final_public
Sl boston 05_12_15_ener_noc_final_publicSl boston 05_12_15_ener_noc_final_public
Sl boston 05_12_15_ener_noc_final_publicSplunk
 
Wipro Customer Presentation
Wipro Customer PresentationWipro Customer Presentation
Wipro Customer PresentationSplunk
 
July 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesJuly 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesAmanda Richardson
 

Recommended

SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...
SplDevOps: Making Splunk Development a Breeze With a Deep Dive on DevOps' Con...Harry McLaren
 
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore)
Collecting AWS Logs & Introducing Splunk New S3 Compatible Storage (SmartStore) Harry McLaren
 
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...
Using Metrics for Fun, Developing with the KV Store + Javascript & News from ...Harry McLaren
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Portland Splunk User Group May 2020
Portland Splunk User Group May 2020 Amanda Richardson
 
Sl boston 05_12_15_ener_noc_final_public
Sl boston 05_12_15_ener_noc_final_publicSl boston 05_12_15_ener_noc_final_public
Sl boston 05_12_15_ener_noc_final_publicSplunk
 
Wipro Customer Presentation
Wipro Customer PresentationWipro Customer Presentation
Wipro Customer PresentationSplunk
 
July 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesJuly 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesAmanda Richardson
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
SplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunk
 
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense CenterSplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense CenterSplunk
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoDamien Dallimore
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk
 
Splunk
SplunkSplunk
SplunkDeep Mehta
 
6.4 whats new
6.4 whats new6.4 whats new
6.4 whats newSplunk
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk
 
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party VisualizationSplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party VisualizationSplunk
 
SplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT OperationsSplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT OperationsSplunk
 
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogicWebinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogicSnapLogic
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightSplunk
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunkSplunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for DevelopersSplunk
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...Splunk
 
Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring Greg Hanchin
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
What's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform ReleaseWhat's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform ReleaseSplunk
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk
 

More Related Content

What's hot

Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
SplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunk
 
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense CenterSplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense CenterSplunk
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoDamien Dallimore
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk
 
6.4 whats new
6.4 whats new6.4 whats new
6.4 whats newSplunk
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk
 
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party VisualizationSplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party VisualizationSplunk
 
SplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT OperationsSplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT OperationsSplunk
 
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogicWebinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogicSnapLogic
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightSplunk
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunkSplunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101Splunk
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for DevelopersSplunk
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...Splunk
 
Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring Greg Hanchin
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 

What's hot (20)

Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - Architecture
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
SplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – AvailitySplunkLive! Customer Presentation – Availity
SplunkLive! Customer Presentation – Availity
 
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense CenterSplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
SplunkLive! Frankfurt 2018 - Customer Presentation: Bosch Cyber Defense Center
 
QCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT RodeoQCon London 2015 - Wrangling Data at the IOT Rodeo
QCon London 2015 - Wrangling Data at the IOT Rodeo
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
 
Splunk
SplunkSplunk
Splunk
 
6.4 whats new
6.4 whats new6.4 whats new
6.4 whats new
 
Splunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data InSplunk Discovery: Warsaw 2018 - Getting Data In
Splunk Discovery: Warsaw 2018 - Getting Data In
 
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party VisualizationSplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
SplunkLive! Amsterdam 2015 - Web Framework & 3rd Party Visualization
 
SplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT OperationsSplunkLive! - Splunk for IT Operations
SplunkLive! - Splunk for IT Operations
 
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogicWebinar: Improve Splunk Analytics and Automate Processes with SnapLogic
Webinar: Improve Splunk Analytics and Automate Processes with SnapLogic
 
Machine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into InsightMachine Data 101: Turning Data Into Insight
Machine Data 101: Turning Data Into Insight
 
IoT Analytics @ splunk
IoT Analytics @ splunkIoT Analytics @ splunk
IoT Analytics @ splunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
 
Machine Data 101
Machine Data 101Machine Data 101
Machine Data 101
 
Splunk for Developers
Splunk for DevelopersSplunk for Developers
Splunk for Developers
 
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
 
Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring Splunk FISMA for Continuous Monitoring
Splunk FISMA for Continuous Monitoring
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 

Similar to Splunk .conf18 Updates, Config Add-on, SplDevOps

What's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform ReleaseWhat's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform ReleaseSplunk
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2Splunk
 
Alle Neuigkeiten im letzten Plattform Release
Alle Neuigkeiten im letzten Plattform ReleaseAlle Neuigkeiten im letzten Plattform Release
Alle Neuigkeiten im letzten Plattform ReleaseSplunk
 
November 2021 Splunk PNW User Group
November 2021 Splunk PNW User GroupNovember 2021 Splunk PNW User Group
November 2021 Splunk PNW User GroupAmanda Richardson
 
Encontro anual para apresentação das novidades da .conf23
Encontro anual para apresentação das novidades da .conf23Encontro anual para apresentação das novidades da .conf23
Encontro anual para apresentação das novidades da .conf23Rafael Santos
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Harry McLaren
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreHarry McLaren
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
Splunk Discovery Day Milwaukee 9-14-17
Splunk Discovery Day Milwaukee 9-14-17Splunk Discovery Day Milwaukee 9-14-17
Splunk Discovery Day Milwaukee 9-14-17Splunk
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfdjdhhdddhhd
 
December Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group MeetupDecember Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group Meetupkamlesh2410
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DayZivaro Inc
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Harry McLaren
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseShannon Cuthbertson
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 

Similar to Splunk .conf18 Updates, Config Add-on, SplDevOps (20)

What's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform ReleaseWhat's New with the Latest Splunk Platform Release
What's New with the Latest Splunk Platform Release
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
 
Alle Neuigkeiten im letzten Plattform Release
Alle Neuigkeiten im letzten Plattform ReleaseAlle Neuigkeiten im letzten Plattform Release
Alle Neuigkeiten im letzten Plattform Release
 
November 2021 Splunk PNW User Group
November 2021 Splunk PNW User GroupNovember 2021 Splunk PNW User Group
November 2021 Splunk PNW User Group
 
Encontro anual para apresentação das novidades da .conf23
Encontro anual para apresentação das novidades da .conf23Encontro anual para apresentação das novidades da .conf23
Encontro anual para apresentação das novidades da .conf23
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the Centre
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
Getting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout SessionGetting Started with Splunk Enterprise Hands-On Breakout Session
Getting Started with Splunk Enterprise Hands-On Breakout Session
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
Splunk Discovery Day Milwaukee 9-14-17
Splunk Discovery Day Milwaukee 9-14-17Splunk Discovery Day Milwaukee 9-14-17
Splunk Discovery Day Milwaukee 9-14-17
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdf
 
December Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group MeetupDecember Bengaluru Splunk User Group Meetup
December Bengaluru Splunk User Group Meetup
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech Day
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 

More from Harry McLaren

Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Harry McLaren
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Harry McLaren
 
SOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsSOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsHarry McLaren
 
Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Harry McLaren
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberHarry McLaren
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & ResponseHarry McLaren
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?Harry McLaren
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentHarry McLaren
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Harry McLaren
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementHarry McLaren
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Harry McLaren
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Harry McLaren
 
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Harry McLaren
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersSplunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersHarry McLaren
 
Splunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventSplunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventHarry McLaren
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventHarry McLaren
 

More from Harry McLaren (20)

Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
 
Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)
 
SOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsSOC Fundamental Roles & Skills
SOC Fundamental Roles & Skills
 
Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/Cyber
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose Statement
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
 
Deconstructing SIEM
Deconstructing SIEMDeconstructing SIEM
Deconstructing SIEM
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
 
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy ForwardersSplunk Dashboarding & Universal Vs. Heavy Forwarders
Splunk Dashboarding & Universal Vs. Heavy Forwarders
 
Splunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November EventSplunk User Group Edinburgh - November Event
Splunk User Group Edinburgh - November Event
 
Splunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September EventSplunk User Group Edinburgh - September Event
Splunk User Group Edinburgh - September Event
 

Recently uploaded

Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...Suhani Kapoor
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSAishani27
 
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一ffjhghh
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptSonatrach
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxolyaivanovalion
 
Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceCall Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceSapana Sha
 

Recently uploaded (20)

Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
E-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptxE-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptx
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptx
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICS
 
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
定制英国白金汉大学毕业证(UCB毕业证书) 成绩单原版一比一
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
Call Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts ServiceCall Girls In Mahipalpur O9654467111 Escorts Service
Call Girls In Mahipalpur O9654467111 Escorts Service
 

Splunk .conf18 Updates, Config Add-on, SplDevOps

  • 1. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk User Group Edinburgh
  • 2. © 2018 SPLUNK INC. Harry McLaren ● Managing Consultant at ECS Security ● Splunk Enablement Lead & Member of Splunk Trust ● Leader of the Splunk User Group Edinburgh
  • 3. © 2018 SPLUNK INC. Introduction to ECS Security Splunk Partner - UK – Security Consultancy & Managed SOC Provider – Splunk Revolution Award & Splunk Partner of the Year
  • 4. © 2018 SPLUNK INC. Agenda • Housekeeping: Event Overview & House Rules • Splunk .conf18 Updates (Harry McLaren) • Security • IT Ops • Others (Docker) • Splunking .conf Files (Tomasz Dziwok) • Break • SplDevOps (Harry McLaren & Ilias Diamantakos)
  • 5. © 2018 SPLUNK INC. Splunk [Official] User Group “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved” ● Technical Discussions ● Sharing Environment ● Build Trust ● No Sales!
  • 6. © 2018 SPLUNK INC. Splunk .conf18 Updates Harry McLaren
  • 7. © 2018 SPLUNK INC. Introducing Splunk Enterprise Security 5.2 Generally Available: 16/10/18
  • 8. © 2018 SPLUNK INC. Event Sequencing Define Attacker Techniques via Multiple Matching Events ▶ The Event Sequencing Engine runs as a real- time search and listens for incoming notable events and risk modifiers that are triggered by correlation searches. ▶ Transitions can also be configured to aggregate notable events or risk modifiers that may happen after a transition match is found.
  • 9. © 2018 SPLUNK INC. Event Sequencing Define Attacker Techniques via Multiple Matching Events
  • 10. © 2018 SPLUNK INC. Use Case Library ES Content Updates Type Function Integrated
  • 11. © 2018 SPLUNK INC. Investigation Workbench Two New Artifact Types - File Name & URL
  • 12. © 2018 SPLUNK INC. Introducing Splunk Phantom Version 4.0 Security Orchestration, Automation, & Response (SOAR) Platform ▶ Clustering support for added performance and redundancy • Enables Phantom to scale horizontally using additional instances for added performance and redundancy ▶ Indicator View for threat intelligence style analysis • Provides a new and important way to visualize security data on the Phantom platform. Data is presented in the view organized by indicator, versus event, for easier threat- intelligence style analysis. ▶ Native Splunk search support • Splunk is now the default search engine shipped with the Phantom product. Users are able to use their existing or new external Splunk instances to achieve a single source for security data storage. Elasticsearch engine remains an external option for those that prefer it.
  • 13. © 2018 SPLUNK INC. Introducing Splunk User Behaviour Analytics 4.2 Generally Available: 16/10/18 ▶ User Feedback for machine learning models provides anomaly customization and improved threat detection accuracy ▶ Improved data ingestion performance by up to 10x, with the new Splunk-to-Kafka UBA ingestion connector. Kafka ingestion does not require UBA to run real-time indexed search queries on core Splunk, rather uses micro-batched queries. ▶ Native single-sign-on authentication support for multiple identity providers Okta, Microsoft ADFS and Ping Identity
  • 14. © 2018 SPLUNK INC. Introducing Splunk ITSI 4.0 Predictive Analytics for Real-Time Insights ▶ KPI Predictions We’re excited to deliver deeper insights into a potential health degradation with KPI Predictions. These utilize the breadth of data in the platform to help predict KPIs like customer experience, application workload, and infrastructure health, in order to identify issues or outages in advance. ▶ Predictive Cause Analysis This new feature helps you drill down into the specific services underlying a predicted issue to proactively remediate and resolve it before customer experience is impacted.
  • 15. © 2018 SPLUNK INC. Introducing Splunk SmartStore Cut the Cord by Decoupling Compute and Storage ▶ Allowing compute and storage tiers to be independently scaled. ▶ Automatically evaluates users’ data access patterns to determine which data needs to be accessible for real-time analytics and which data should reside in lower cost, long-term storage.
  • 16. © 2018 SPLUNK INC. Introducing Dynamic Data: Active Archive Data Retention Options in Splunk Cloud ▶ Data Management • Splunk provides complete lifecycle management of the archive on your behalf and remains the custodian of your data. Just like your Active Searchable data, Splunk manages all aspects of archive availability, durability, security and privacy requirements on your behalf. ▶ Data Restore • Enables you to request a slice of your data to be restored back into your Splunk Cloud instance. The entire workflow is fully integrated into Splunk Web so your archived data is available at your fingertips with predictable time between retrieval to search.
  • 17. © 2018 SPLUNK INC. Other Features! Selection of Interesting New Releases! ▶ Dark Mode heightens visual contrast within Splunk dashboards. ▶ Workload Management enables users to prioritize the allocation of compute and memory resources used by Splunk on searches and alerts to ensure users’ most critical analytics are completed first. ▶ Guided Data Onboarding is a new graphical user interface helping customers move data into Splunk Cloud or Splunk Enterprise and guiding them through the best onboarding methodology based on their specific architecture. ▶ Logs to Metrics helps configure and convert log events to metrics, enabling users to take advantage of breakthrough performance when monitoring and alerting on metrics with the Splunk platform. ▶ Health Report gives Splunk administrators immediate visibility into the overall health status of their Splunk environments.
  • 18. © 2018 SPLUNK INC. Introducing Splunk Next Splunk Works the Way Your Data Works ▶ Feedback from Splunk Customers • Make it easier to access data with Splunk no matter where it lives or what format it is in. • Make it easier to automate the actions and outcomes in order to drive the business forward. • Make it possible for all kinds of people to ask questions of Splunk and get to answers, no matter their role or where they might be in the world. ▶ What Does Splunk Next Do For You? • Ask Questions: Open customers to a broader set of data sources. • Get Answers: Empower a broader set of customers from IT and Security to Lines of Business. • Take Action: Operate on data wherever it lives.
  • 19. © 2018 SPLUNK INC. Splunk Next Experimental, Pre-release Features (Alpha/Beta) ▶ Splunk Developer Cloud: Write Splunk applications natively in the cloud. ▶ Splunk Business Flow: Analytics-driven approach into customer/user’s interactions and identify ways to optimize those interactions and processes. ▶ Splunk Data Fabric Search: Seamlessly search across massive amounts of data and federated searches across multiple instances. ▶ Splunk Data Stream Processor: Refine, modify and adjust data mid-stream and within milliseconds before the data reaches its destination. ▶ Splunk Cloud Gateway: Secure cloud service with end-to-end encryption for easy mobile engagement through a simple to install Splunk app for Mobile. ▶ Splunk Mobile: Actionable alerts and mobile-friendly dashboards on mobile devices through our Splunk Mobile App. ▶ Splunk Natural Language: Query a system and ask question of Splunk without knowing SPL ▶ Splunk TV: View Splunk on any peripheral device instead of having to purchase a dedicated PC ▶ Splunk Augmented Reality: Enjoy direct access to the Splunk dashboard and live augmented reality Splunk-powered gauges on top of real-world objects.
  • 20. © 2018 SPLUNK INC. Splunk on Docker Containers are now a First-Class Citizen ▶ Splunk Support now covers Splunk Enterprise 7.2 deployments in Docker containers, enabling customers to quickly deploy and scale Splunk based on their organizations’ demands.
  • 21. © 2018 SPLUNK INC. Splunking .conf Files Tomasz Dziwok
  • 23. > whoami | fields name, occupation  ECS  Associate Security Consultant / Engineer
  • 24. Why configuration change control/monitoring?  Accountability  Failure recovery  Historical reference  Training  Enforcing change approval  …
  • 25. What’s the absolute best way to do this?
  • 26. This is the best way to do it…
  • 27. There is no best way…  Version control; git  Automation; jenkins  Orchestration; ansible
  • 28. Where to start?  I recommend  version control of configuration  monitor .conf files for changes  ideally store backup of configuration somewhere  git  can be simple  monitor file changes  But perhaps something easier…
  • 30. Open Source & SplunkBase  https://gitlab.com/ecs_public_projects  https://splunkbase.splunk.com/  First open source software  Open to feedback  Will maintain on a best effort basis  PRs welcome!
  • 31. Thank you…  Questions  Comments  Feedback
  • 32. © 2018 SPLUNK INC. Break 10mins
  • 33. © 2018 SPLUNK INC. SplDevOps Harry McLaren & Ilias Diamantakos
  • 34. © 2018 SPLUNK INC.© 2018 SPLUNK INC. SplDevOps Making Splunk Development a Breeze with a Deep Dive on DevOps, Containerization, Version Control & Automation Harry McLaren, Ilias Diamantakos, Tomasz Dziwok October 2018 | Version 1.3
  • 35. © 2018 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved. Forward-Looking Statements
  • 36. v © 2018 SPLUNK INC. HARRY MCLAREN Splunk Enablement Lead, Managing Consultant ILIAS DIAMANTAKOS Splunk Engineer, Associate Consultant Who Are We? cyberharibu ilias-diamantakos
  • 37. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Best Security Company of the Year Employer: ECS (UK Splunk Elite Partner)
  • 38. © 2018 SPLUNK INC.© 2018 SPLUNK INC. What’s It All About? ▶ Customer Challenges ▶ What Do We Want? ▶ Our Idea to Deploy Splunk ▶ Technical Deep Dive ▶ Project Roadmap ▶ Key Takeaways ~40mins
  • 39. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Customer Challenges “The expansion of Splunk has increased operational complexity, as we manage it manually and can’t keep on top of project change requests.” – High-Street Retailer “We require a full route- to-live to maintain system integrity and can’t deploy changes fast enough in our current setup.” – National Bank “Multiple developers within the same DEV environment, causes repeated configuration conflicts and delays to planned changes.” – National Building Society
  • 40. © 2018 SPLUNK INC.© 2018 SPLUNK INC. What Do We Want? Enterprises Want to Respond Quickly, Safely & With Less Risk Rapid Changes to Splunk Software 01 Orchestrated Deployment 02 Fragile Route-to-Live  Fail Safe, Fast Backout 03 Development at Scale • Enterprise Scale Development • Synchronous Changes / Multiple Admins & Developers • Splunk Defined via Code • Familiar Approach (AKA: DevOps/Agile) Reduction in Custom Config • Every ’Custom’ Configuration Introduces Disparity • Inconsistent Dev, Test, Pre-Prod, Prod • Testing is “Best Endeavors” • Increased Risk, Changes Batched
  • 41. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk for Agility Supporting Agile Methodology by Default Schema at Read, Supporting Multiple Use Cases Analytic Tools Exposed to UI, Empowering Users to Experiment Plain Text Configuration Files, Documented & Supported Splunk API is Enumerated, Dev Licenses, Labs Encouraged SPL Web UI Plain Text Config Open API Monitor InvestigateIntelligence
  • 42. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Our Idea “SplDevOps” Became the Solution Version Control  Git[Lab] Utilized  Multiple Projects/Branches  Key Releases Tagged Full Route-to-Live  Multi-Stage Environments  Dev > Pre-Prod > Prod • Automated Testing Agile Development  Short Sprints  Test Driven Development  Issue Management & Feature Backlog Configuration Management  Orchestrated Deployment  Centralized Config  Ansible used via SSH
  • 43. © 2018 SPLUNK INC. Project: Internal Monitoring Ask: Deploy Splunk Internally for SecOps & ITOps Use Cases
  • 44. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Automation Engine Containerization Version Control Brief Background Let’s talk tools!
  • 45. © 2018 SPLUNK INC. What Tool Fits Where? a new Splunk infrastructure the DevOps way! ▶ Identical environments & route-to-live • Development, Pre-production, Production ▶ Eliminate fear driven development • It’s ok to make mistakes! ▶ Minimize direct production changes • Always go through route-to-live • Transparent change control ▶ Modern means of disaster recovery ▶ Security driven ← Ansible + Git + Docker + Python ← Docker + Git ← GitLab ← Ansible (IaC) ← Ansible Vault
  • 46. © 2018 SPLUNK INC. How We Wanted It To Look Spoiler Alert: This is also the end result dev pre-prod prod IX: Splunk Indexer SH: Splunk Search Head DS: Splunk Deployment Server AS: Ansible Server
  • 47. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Multiple Repositories Of /opt/splunk/etc for each instance Ansible & DS IX splunk_ix SH splunk_sh Syslog Collector syslog ansible splunk_ds
  • 48. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Git Workflow aka “the change process”
  • 49. © 2018 SPLUNK INC. Everything starts from our DevEnv So let’s spin one up
  • 50. © 2018 SPLUNK INC. What’s going on in the background
  • 51. © 2018 SPLUNK INC. What’s going on in the background
  • 52. © 2018 SPLUNK INC. How It Looks
  • 53. © 2018 SPLUNK INC. How It Looks
  • 54. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Let’s Share Secrets No really, we are sharing! ▶ How to version sensitive information • Encryption ▶ How to decrypt automatically • Ansible Vault ▶ How to store Ansible Vault Password • More encryption
  • 55. © 2018 SPLUNK INC. Let’s Decrypt One password to rule them all Ansible Server
  • 56. © 2018 SPLUNK INC. Use Case Scenario Demo time
  • 57. © 2018 SPLUNK INC.© 2018 SPLUNK INC. How it should have been done Integrating with our change process
  • 58. © 2018 SPLUNK INC.© 2018 SPLUNK INC. How it should have been done Integrating with our change process
  • 59. © 2018 SPLUNK INC. How it gets deployed
  • 60. © 2018 SPLUNK INC. How it gets deployed
  • 61. © 2018 SPLUNK INC. How it gets deployed
  • 62. © 2018 SPLUNK INC. Lessons We Learned Not everything was easy… ▶ Multiple repositories • What goes where? • Many lines of history ▶ Identical code for different environments • There are always exceptions (Eventgen, production API calls) ▶ Data for different environments • Production data is sensitive ▶ Automated deployment of code • When do you restart?
  • 63. © 2018 SPLUNK INC. Deployment Results Did it work!?
  • 64. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Full Route-to-Live Implemented in Production Users & Admins Educated & Empowered Everything Under Version Control Promoting Changes in ~ 5mins (Dev>Prod) Foundations Built for Future Development End Result Prototype Success, Production Rollout
  • 65. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Adaptable Framework Expressed in Software (Python + Git + Ansible) Environment Agnostic & Scales to Clustered Deployments& Hybrid Cloud Architecture User Friendly & End-to-End Integrated with Issue/Change Management Roadmap Introducing “Splunk Compiler” (v2.0+)
  • 66. © 2018 SPLUNK INC.© 2018 SPLUNK INC. Splunk Supports Experimentation by Default Agile/DevOps Methodologies are Compatible Doesn’t Require Automation Expertise Version Control BEFORE Software Orchestration Key Takeaways Remember Four Things…
  • 67. © 2018 SPLUNK INC. Don't forget to rate this session in the .conf18 mobile app Thank You
  • 68. © 2018 SPLUNK INC. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via http://splunk-usergroups.signup.team/ – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecssecurity.co.uk | @cyberharibu | harrymclaren.co.uk ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk