This document provides an agenda and summaries for a Splunk User Group meeting in Edinburgh in April 2017. The meeting will include presentations and demos on building Splunk apps, development paths and certification, and Splunk User Behavior Analytics. The introductory presentation will be given by Harry McLaren from ECS and will provide background on ECS and the Splunk User Group. Additional presentations will cover building custom Splunk apps using both the web interface and direct XML editing, and paths for Splunk certification. The final presentation will demo Splunk UBA for detecting insider threats and advanced adversaries. Attendees are encouraged to discuss in-house developed apps and get involved in the Splunk community.
2. Introduction - Harry McLaren
● Alumnus of Edinburgh Napier
● Senior Security Consultant at ECS
– Role: Specialist Splunk Consultant & Enablement Lead
– Specialism: Enterprise Security (SIEM) / Complex Deployments
● Splunk User Group Edinburgh: Leader / Founder
3. Introduction to ECS
Strategic Splunk Partner - UK
– Type: Security / IT Operations / Managed Services
– Awards: Splunk Revolution Award & Splunk Partner of the Year 2016
5. Agenda
• Housekeeping: Overview & House Rules
• Presentation & Demo: Building Splunk Apps
• Group Discussion: In-House Developed Apps
• Presentation: Development Paths & Splunk Certification
• Presentation & Demo: Splunk User Behaviour Analytics
6. Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● User Lead Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
9. What is an App?
Visualization, Analysis & Action
● Apps deliver a user experience designed to make Splunk immediately useful and relevant for typical tasks and roles.
● Apps simplify and optimize user tasks, yet allow access to the data and functions of the full platform.
– Pre-built dashboards, reports, alerts and workflows
– In-depth data analysis for power users
– Point-and-click analytics to empower business users
10. What can we do with them?
● Most apps are focused on:
– Carrying out Alert Actions
– Inputs
– Visualizations
11. Where do we get them from?
● Splunkbase.splunk.com
– Splunkbase is a library of 1000+ apps and add-ons from Splunk, partners, and the community.
– Splunkbase offers both premium and free apps across many different categories
● Or Develop them yourself!!!
12. How can I Develop an App?
Splunk Web Form Editor
● You don’t have to be a developer or familiar with XML scripting to create an App.
● Splunk Web makes it easy to create a UI in a simple point-and-click manner
13. How can I Develop an App?
Edit XML Directly
● If you have some familiarity with Simple XML, but you are not a developer per se, and you want to create/customize your dashboards beyond what you can do in the Splunk Web editor
● Then you can hack away on the XML using your favorite text editor or in the browser with Splunk Web.
14. Make it your own
● You can add your own artefacts to the App’s configuration to improve the appearance or the functionality
● Add your own images, emblems, logos etc.
● Configure workflow actions to trigger a script to carry out a specific action, taking parameters from the output of the search/report
15. My approach to Developing Apps
Hybrid Approach
● A combination of using both the Web Form Editor and writing XML can go a long way...
● The Web Form Editor is great for creating a simple template with views and visualizations
● However, writing the XML provides a much more granular approach to configuring the layout and appearance of the Apps
● Using XML allows for creation of much more advanced dashboards and visualisations
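The hybrid approach above ends with a Simple XML file that you keep editing by hand. As an added example (not the ECS hackathon app and not Splunk's own code), the Python below generates such a form with a time picker, a text input and two panels, then checks two things the Web editor silently does for you but a text editor does not: that the SPL inside `<query>` is XML-escaped, and that every `$token$` a panel references is declared by an `<input>`. The index, sourcetype and panel titles are made up.

```python
import re
import xml.etree.ElementTree as ET

# Matches $token$ and $token.earliest$ style references used in Simple XML.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")


def build_form(title, panels):
    """Return Simple XML for a <form> with a time picker, a host text box and
    one <row> per (panel_title, viz_tag, spl) triple; viz_tag is "chart" or "table".
    ElementTree escapes <, > and & inside the SPL, which is the usual breakage
    when a query is pasted into the XML by hand."""
    form = ET.Element("form")
    ET.SubElement(form, "label").text = title
    fieldset = ET.SubElement(form, "fieldset", submitButton="false")

    time_input = ET.SubElement(fieldset, "input", type="time", token="time")
    ET.SubElement(time_input, "label").text = "Time range"
    default = ET.SubElement(time_input, "default")
    ET.SubElement(default, "earliest").text = "-24h@h"
    ET.SubElement(default, "latest").text = "now"

    host_input = ET.SubElement(fieldset, "input", type="text", token="host_filter")
    ET.SubElement(host_input, "label").text = "Host"
    ET.SubElement(host_input, "default").text = "*"

    for panel_title, viz_tag, spl in panels:
        panel = ET.SubElement(ET.SubElement(form, "row"), "panel")
        ET.SubElement(panel, "title").text = panel_title
        viz = ET.SubElement(panel, viz_tag)
        search = ET.SubElement(viz, "search")
        ET.SubElement(search, "query").text = spl
        ET.SubElement(search, "earliest").text = "$time.earliest$"
        ET.SubElement(search, "latest").text = "$time.latest$"
        if viz_tag == "chart":
            ET.SubElement(viz, "option", name="charting.chart").text = "line"
    return ET.tostring(form, encoding="unicode")


def undeclared_tokens(xml_text):
    """Tokens referenced in <query>/<earliest>/<latest> that no <input> declares.
    A time input with token T also provides T.earliest and T.latest."""
    root = ET.fromstring(xml_text)
    declared = set()
    for inp in root.iter("input"):
        tok = inp.get("token")
        if not tok:
            continue
        declared.add(tok)
        if inp.get("type") == "time":
            declared |= {tok + ".earliest", tok + ".latest"}
    used = set()
    for tag in ("query", "earliest", "latest"):
        for el in root.iter(tag):
            used.update(TOKEN_RE.findall(el.text or ""))
    return sorted(used - declared)


# Constructed panels; the index and sourcetype names are assumptions, not from the slides.
PANELS = [
    ("Failed logins per hour", "chart",
     "index=auth sourcetype=linux_secure action=failure host=$host_filter$ "
     "| timechart span=1h count"),
    ("Hosts with more than 20 failures", "table",
     "index=auth action=failure host=$host_filter$ "
     "| stats count by host | where count > 20 AND host!=\"bastion\""),
]

if __name__ == "__main__":
    xml_text = build_form("Auth Overview", PANELS)
    print(xml_text)  # save under <app>/default/data/ui/views/ and add the view to the nav
    print("undeclared tokens:", undeclared_tokens(xml_text))
```

The token check is the useful part when you move from the form editor to a text editor: a panel that references `$src$` while no input declares it renders an empty panel with no error, and `undeclared_tokens` reports `["src"]` before you ever load the view.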
16. ECS Splunk Hackathon App
Requirements
● We needed a central location to outline the instructions, guidelines and SPL language support etc
● The most elegant solution was to create an ECS branded app to house all of the information in
22. Robert Williamson
Alumnus of Edinburgh Napier University
IBM - Security Specialist
ECS - SOC Analyst, Senior SOC Analyst and Security Consultant
29. Duration of certification
Splunk Certified Power User = 24.5 hours
Creates and manages knowledge objects that are used across an organization.
● Training: Using Splunk | Searching and Reporting with Splunk | Creating Splunk Knowledge Objects | Splunk Infrastructure Overview
Splunk Certified Administrator = 21 hours
System administrators who manage a Splunk Enterprise environment.
● Training: Enterprise System Administration | Enterprise Data Administration
Splunk Certified Architect = 20 hours
Design and implement Splunk installations including enterprise-level deployments.
● Training: Advanced Dashboards and Visualizations | Architecting and Deploying Splunk | Splunk Cluster Administration | Advanced Searching and Reporting
30. Specialist Courses
Courses for Splunk Cloud Customers
Splunk Education's learning path for Splunk Cloud customers offers courses for end users as well as those in charge of managing Splunk Cloud users, data inputs, and configurations.
Courses for App Developers
Harness the power of Splunk's Web Framework. Create rich, interactive dashboards and forms, and package Splunk knowledge objects for distribution across your organization, or share your masterpiece with the world on the Splunk Apps site.
Courses for Enterprise Security Customers
Learn to install, configure, manage, and use the Splunk App for Enterprise Security. Two learning paths cover both security analysts and Splunk administrators or architects.
Courses for IT Service Intelligence Customers
Learn to install, configure, manage, and use Splunk for IT Service Intelligence (ITSI). Learn about ITSI architecture, deployment planning, installation, service design and implementation.
33.
Legacy SIEM type technologies aren’t enough to detect insider threats and advanced adversaries and are poorly designed for rapid incident response.
SIEM: Security Information & Event Management
34.
Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.
Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives.
2016 SIEM Efficiency Survey, conducted by Netwrix
39. What is Splunk User Behavioral Analytics?
● Detect advanced cyberattacks
● Detect malicious insider threats
● Anomaly detection
● Threat detection
● Unsupervised machine learning
● Behavior baselining & modeling
● Real-time & big data architecture
40. Insider Threat
User activity, Day 1 to Day N:
● John connects via VPN
● Administrator performs ssh (root) to a file share - finance department
● John executes remote desktop to a system (administrator) - PCI zone
● John elevates his privileges
● root copies the document to another file share - Corporate zone
● root accesses a sensitive document from the file share
● root uses a set of Twitter handles to chop and copy the data outside the enterprise
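Slides 39 and 40 describe the two halves of the UBA idea: baseline what each user normally does, then chain the deviations into an insider threat story rather than alerting on each one. The Python below is an added sketch of that logic, not Splunk UBA's own models or code. It builds a per-user baseline of (action, zone) pairs from constructed history, folds `root` activity back onto the human who elevated to it (the step a SIEM correlating on account name alone misses), and only raises an alert when several anomalies line up along the slide's chain: access, lateral movement, escalation, collection, exfiltration. All usernames, hosts, zones and paths are made up.

```python
from collections import defaultdict

# Constructed history (Day 1 .. Day N-1) as (user, action, zone, detail).
# Not real logs; every name here is invented for the example.
HISTORY = [
    ("john", "vpn_login", "corporate", "vpn-gw"),
    ("john", "rdp", "corporate", "wks-12"),
    ("john", "vpn_login", "corporate", "vpn-gw"),
    ("john", "rdp", "corporate", "wks-12"),
    ("bob", "vpn_login", "corporate", "vpn-gw"),
    ("bob", "rdp", "corporate", "wks-07"),
    ("alice", "ssh", "pci", "db-01"),
    ("alice", "sudo", "pci", "root"),
]

# Constructed Day N events, following the sequence on slide 40.
TODAY = [
    ("john", "vpn_login", "corporate", "vpn-gw"),
    ("john", "rdp", "pci", "srv-admin"),
    ("john", "sudo", "pci", "root"),
    ("root", "ssh", "finance", "fs-01"),
    ("root", "file_read", "finance", "/shares/finance/payroll.xlsx"),
    ("root", "file_copy", "corporate", "/shares/corp/tmp/p.xlsx"),
    ("root", "http_post", "external", "twitter.com"),
    ("bob", "vpn_login", "corporate", "vpn-gw"),
    ("bob", "rdp", "corporate", "wks-07"),
]

# Ordered stages of the insider chain shown on slide 40.
STAGES = [
    ("access", {"vpn_login"}),
    ("lateral", {"rdp", "ssh"}),
    ("escalate", {"sudo", "su"}),
    ("collect", {"file_read", "file_copy"}),
    ("exfil", {"http_post", "dns_tunnel"}),
]


def build_baseline(events):
    """Per-user set of (action, zone) pairs seen in history: the 'normal' profile."""
    baseline = defaultdict(set)
    for user, action, zone, _ in events:
        baseline[user].add((action, zone))
    return baseline


def attribute(events):
    """Fold 'root' activity back onto the human who elevated to it.
    Deliberately naive: one owner per account name, no host or session key."""
    owner = {}
    resolved = []
    for user, action, zone, detail in events:
        human = owner.get(user, user)
        if action in ("sudo", "su"):
            owner[detail] = human  # e.g. root -> john from here on
        resolved.append((human, action, zone, detail))
    return resolved


def score_users(events, baseline, min_stages=4, min_anomalies=2):
    """Count deviations from the baseline and walk the chain in stage order.
    Returns {user: {"anomalies", "stages", "score", "alert"}}."""
    results = {}
    for human, action, zone, _ in attribute(events):
        r = results.setdefault(human, {"anomalies": 0, "stages": [], "_last": -1})
        if (action, zone) not in baseline.get(human, set()):
            r["anomalies"] += 1
        for idx, (name, actions) in enumerate(STAGES):
            if action in actions and idx > r["_last"]:
                r["stages"].append(name)
                r["_last"] = idx
    for r in results.values():
        del r["_last"]
        r["score"] = r["anomalies"] + 2 * len(r["stages"])
        r["alert"] = len(r["stages"]) >= min_stages and r["anomalies"] >= min_anomalies
    return results


if __name__ == "__main__":
    for user, r in score_users(TODAY, build_baseline(HISTORY)).items():
        print(user, r)
```

Run stand-alone, `john` is the only user whose Day N activity both departs from his baseline and walks the whole chain, while `bob`, whose VPN and RDP use match his history, scores low and is not alerted; `root` never appears as a separate entity because the `sudo` event ties it back to John. That last point is what distinguishes this from the per-event SIEM reports the Netwrix figures on slide 34 complain about.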
45. Coming Splunk Events!
● International Conference on Big Data in Cyber Security in Edinburgh
– by the Cyber Academy @ Wed 10 May 2017, 09:00 – 17:00 BST
– ECS Splunk Hackathon in the Morning!
● SplunkLive! at Intercontinental at the O2, London
– by Splunk @ Thur May 11th, 2017, 09:00 – 17:00 BST
– ECS Key Sponsor!
46. Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via www.splunk402.com/chat
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk
‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk
An application that runs on Splunk Enterprise and typically addresses several use cases.
An app contains one or more views. An app can include various Splunk Enterprise knowledge objects such as reports, lookups, scripted inputs and modular inputs.
An app sometimes depends on one or more add-ons for specific functionality.
Integrate Apps to carry alerting actions based on scheduled searches and reports
Give examples of Workflow actions/Ticketing/Running Scripts
Simplify the onboarding process by using a vendor specific app which will contain the config to format the data as required
i.e. No need to create field extractions etc
Create custom visualizations based on non standard templates
Splunkbase has over 1000 different apps including both free and premium apps
You will find a selection of different apps for a wide variety of products which may have been developed by the vendor or a member of the community
Often the apps developed by vendors will have some sort of integration with the tool itself
e.g. Cisco ISE, Carbon Black, AWS
In order to develop a Splunk App you don't have to be a developer or have much experience with any sort of complicated programming languages
You can simply use the Web Interface to create all of the visualisations and configure the layout using the GUI
Although there were always going to be limitations to being able to point and click to create an app
You don’t have the degree of granularity that you would using XML
XML provides increased granularity compared to using the GUI
Everything becomes customisable now
Never created Splunk apps before until now
Recently created an app for the ECS Splunk Hackathon to guide and teach Splunk to novice users
The app not only had to provide the instructions for the hackathon but a guide on how to craft searches, reports, dashboards etc
Built in custom visualization
Provided a dashboard for marking and submitting solutions
Requirements included:
Somewhere to provide an overview of the hackathon
A list of teams competing
How to use Splunk
Examples of how to build a search
A page to display the solutions submitted by each team for marking purposes
And somewhere to advertise our current vacancies
It can be seen that the app follows the ECS colour scheme and uses the logo
The menu bar is completely customizable
Most of the pages are XML so great for formatting the page
At the backend all the config is saved in the app – easy to copy and re-use
Live dashboards running
Explanations of how the search was created and what each command is capable of
The same survey showed that over half of the respondents are trying to employ more entry-level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs and, furthermore, are turning to audits and compliance activities to overcome the SIEMs' drawbacks.
Sources:
http://www.bloomberg.com/research/markets/news/article.asp?docKey=600-201603150921MRKTWIREUSPR_____1249121-1
http://www.information-age.com/technology/information-management/123461162/why-big-data-and-siem-dont-always-equal-big-answers-security