© 2022 SPLUNK INC.
Splunk PNW User Group
28 June, 2023
Agenda
Topic | Speaker | Organization | Time
Welcome (Grab a seat, get comfy; Intros and announcements) | Josh Hritz, CEO & Co-Founder | Arcus Data | 15m
Splunk Enterprise Security and SOAR | Michael Bunner, Sr Cybersecurity Analyst | REI | 20m
Splunk Edge Processor (Introduction and demo) | Rob de Luna, Sr. Sales Engineer | Splunk | 30m
Open Discussion and Networking Time! (Food delivery from qdoba at 11AM) | User Community | All | 45m
Wrap up (Closing remarks, topic ideas) | Travis Volker, Consulting Sales Engineer | Splunk | 15m
Stargazing with Splunk
Mike Bunner (he/him/his)
Sr. Security Automation Engineer, REI
https://www.linkedin.com/in/mikedba
A Constellation of Automation Patterns
"Not speaking on behalf
of my employer, past or
present; any opinions
expressed are my own."
Automation is High-Value Data
(Data, Information, Knowledge, Wisdom)
Moving Beyond Regex
LLM
Data Routing as Code
Policy as Code:
•SIEM
•Compliance
Concepts:
•Security
•Collaboration
•Data structure
•Existing data locations and relationships
•Analytics Capabilities
•Response actions
•Operations
•Tiering and Availability Requirements
Weighted scoring by grouped question sets
Existence of security specific fields?
{
    'time': True,
    'user': True,
    'host': True,
    'action': True,
    'result': False,
    'source': True,
    'destination': False
}
math.log()
math.sqrt()
Use log or sqrt transforms to give weighted preference to sums of related answers or numeric input.
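An added example, not from the talk or the speaker's code, of how the scoring idea on this slide could be wired into a routing decision. Only the security-field answers come from the slide; the other question groups, the weights, the tier names and thresholds are assumptions, and the log transform is applied to 1 + x because math.log(0) is undefined.

```python
import math

# Transforms named on the slide. math.log(0) is undefined, so the log variant
# is applied to 1 + x (an assumption) so an all-False group scores exactly 0.
TRANSFORMS = {
    "log": lambda x: math.log(1 + x),
    "sqrt": math.sqrt,
}

# Hypothetical question groups mapped to (transform, weight). Only the
# security-field keys below come from the slide; weights are constructed.
GROUPS = {
    "security_fields": ("sqrt", 3.0),
    "response_actions": ("sqrt", 2.0),
    "daily_volume_gb": ("log", 0.5),
}

# Hypothetical routing tiers, checked from the highest threshold down.
TIERS = [(8.0, "siem_hot"), (4.0, "siem_warm"), (0.0, "s3_archive")]


def group_sum(answers):
    """Sum one group's answers: True counts as 1, numbers count as given."""
    total = 0.0
    for key, value in answers.items():
        if isinstance(value, bool):  # bool first: it is a subclass of int
            total += 1.0 if value else 0.0
        elif isinstance(value, (int, float)) and value >= 0:
            total += float(value)
        else:
            raise ValueError(f"answer {key!r} must be a bool or a non-negative number")
    return total


def score_source(answers_by_group):
    """Return (total score, per-group contributions) for one data source."""
    contributions = {}
    for group, answers in answers_by_group.items():
        if group not in GROUPS:
            raise KeyError(f"unknown question group: {group}")
        transform, weight = GROUPS[group]
        contributions[group] = weight * TRANSFORMS[transform](group_sum(answers))
    return sum(contributions.values()), contributions


def route(total):
    """Map a score to the first tier whose threshold it meets."""
    for threshold, tier in TIERS:
        if total >= threshold:
            return tier
    return TIERS[-1][1]


# Constructed sample: the field-existence answers shown on the slide plus two
# made-up groups describing the same data source.
SAMPLE = {
    "security_fields": {
        "time": True, "user": True, "host": True, "action": True,
        "result": False, "source": True, "destination": False,
    },
    "response_actions": {"block_ip": True, "disable_account": False},
    "daily_volume_gb": {"gb": 250},
}

if __name__ == "__main__":
    total, parts = score_source(SAMPLE)
    print(round(total, 3), parts, route(total))
```

Because the transform is applied to the group sum rather than to each answer, the fifth True answer in a group adds less than the first, so no single long question set dominates the total.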
Automate & Integrate Where Possible
[Diagram labels: Data Routing Definition; Data Routing Function; Data Dictionary; Data Routing Definition Builder; BC / DR; CMDB / Service Cat.; Enterprise Policies; Outputs; Used by; Asks; Scoring output]
Utility Scripts
Before:
1. Download/clone
2. Runs locally
3. Output to console or file
After (CI/CD):
- Manage in a container
- Protect tokens/secrets
- Scan and run “local” repo
- Format / structured output
- Schedule or run on-demand
[Diagram label: Data Routing Policy/Decision]
Automation Observability
- Add observability to existing utility scripts and pipelines
- Build custom modules and packages
- Front with a custom API relay
Additional Common Patterns
Trending is required
Strict RBAC and Auditing
Tool consolidation efforts
Technology value realization & maturity deficits – Can Splunk do the basics of a point-solution first?
Can existing Splunk infrastructure be utilized?
Edge Processor
Introduction and demonstration
Rob de Luna
Sr Sales Engineer
This presentation may contain forward-looking statements regarding future events, plans or the
expected financial performance of our company, including our expectations regarding our products,
technology, strategy, customers, markets, acquisitions and investments. These statements reflect
management’s current expectations, estimates and assumptions based on the information currently
available to us. These forward-looking statements are not guarantees of future performance and
involve significant risks, uncertainties and other factors that may cause our actual results,
performance or achievements to be materially different from results, performance or achievements
expressed or implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those
described in the forward-looking statements made in this presentation, please refer to our periodic
reports and other filings with the SEC, including the risk factors identified in our most recent quarterly
reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting
the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at
www.sec.gov. The forward-looking statements made in this presentation are made as of the time and
date of this presentation. If reviewed after the initial presentation, even if made available by us, on our
website or otherwise, it may not contain current or accurate information. We disclaim any obligation to
update or revise any forward-looking statement based on new information, future events or otherwise,
except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described, in beta or in preview (used interchangeably), or to include any such feature
or functionality in a future release.
Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other
brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
Forward-Looking Statements
Rob de Luna
Filter, Mask, Transform, Route
Edge Processor is the latest innovation in data preprocessing with Splunk
Heavyweight Forwarders: Powerful and performant edge processing using Props and Transforms
Ingest Actions: New UI leveraging Props and Transforms to author and deploy ingest or edge transformations and routing
Edge Processor: Edge processing with new, intuitive UI and SPL2-based pipeline authoring to author, deploy and manage transformations and routing
Introducing Edge Processor
Simplified data processing within the customers’ network boundaries
What’s this?
Service offering delivered through cloud control plane, available on Splunk Cloud Platform
Customer supplies hosts on which edge processors are deployed, with flexibility to scale
How’s it work?
New pipeline authoring experience - SPL2 - delivers efficient, flexible data transformation
Use cases include filter, mask, and route to Splunk platform or S3
So what?
Customers enjoy real-time visibility into and control over their data in motion
Customers can derive more value from and generate new insights into their data
What is Edge Processing?
● Filter verbose or low-value sources, like DEBUG logs or other noisy data
● Extract just the critical data
● Mask PII
● Route different “slices” of data to desired destinations
[Diagram labels: Customer Environment; Forwarders (UF or HWF); Edge Processor; Pre-process; Filter & Mask; Transform; Route; Amazon S3; Splunk Cloud Index; Splunk Index; Control Plane (on Splunk Cloud Services)]
Edge Processor Overview
● Central pipeline management
● Global visibility
[Diagram labels: Splunk Cloud Platform; Customer Host Server; Customer Agents; Customer Destinations; Enterprise; Cloud; Cloud Managed (HTTPS out); Audit logs; Processor logs; Pipeline metrics; Data; Edge Processor Service; UI; Pipelines Service; S3; Edge Processor Node; User]
Everything is SPL2
● Use SPL2 for data transformations like field extraction, filtering, and masking
○ Act on entire events or parts of events
○ e.g. retain only a subset of fields within an event
● Supports Infrastructure as Code. All pipelines are just SPL2
● Splunk-provided SPL2 Templates and (future) Bundles
SPL2 Concepts
Dataset Variables - represent datasets of varying kinds that data can be read from or written into.
$source and $destination are specific dataset variables overwritten with an actual dataset passed as a param (such as s3_bucket_A) in a pipeline.
This is an SPL2 statement, assigned to the dataset variable $pipeline.
Commands - actions that can be taken on data in an Edge Processor pipeline; acted on sequentially, respecting pipes.
● SPL2 is built around the concept of Datasets. A dataset is anything that contains data which can be read from and/or written into.
● Each dataset may have a different Kind. Relevant Edge Processor Kinds:
○ Forwarder
○ Indexer
○ S3 buckets
● Datasets can be referenced literally in the SPL2, or passed as a parameter to a variable.
Edge Processor Demo
Wrap up
Leaders
● User leaders needed!
Next meeting
● In person in Portland
Topic ideas
● Drop suggestions or offers to speak to the #pnw channel in the UG Slack
.conf23
● July 17-20
● Las Vegas
Thank You
