© 2022 SPLUNK INC.
Splunk PNW
User Group
28 June, 2023
Agenda

- Welcome (grab a seat, get comfy; intros and announcements): Josh Hritz, CEO & Co-Founder, Arcus Data (15m)
- Splunk Enterprise Security and SOAR: Michael Bunner, Sr Cybersecurity Analyst, REI (20m)
- Splunk Edge Processor (introduction and demo): Rob de Luna, Sr. Sales Engineer, Splunk (30m)
- Open Discussion and Networking Time! (food delivery from Qdoba at 11AM): User Community, all (45m)
- Wrap up (closing remarks, topic ideas): Travis Volker, Consulting Sales Engineer, Splunk (15m)
Stargazing with Splunk
Mike Bunner (he/him/his)
Sr. Security Automation Engineer, REI
https://www.linkedin.com/in/mikedba
A Constellation of Automation Patterns
"Not speaking on behalf of my employer, past or present; any opinions expressed are my own."
Automation is High-Value Data
(Figure: the DIKW ladder, Data, Information, Knowledge, Wisdom, drawn as repeated D / I / K / W steps; only the letters survived extraction.)
Moving Beyond Regex
LLM
Data Routing as Code
Policy as Code:
•SIEM
•Compliance
Concepts:
•Security
•Collaboration
•Data structure
•Existing data locations and relationships
•Analytics Capabilities
•Response actions
•Operations
•Tiering and Availability Requirements
Weighted scoring by grouped question sets

Existence of security-specific fields?

    {
        'time': True,
        'user': True,
        'host': True,
        'action': True,
        'result': False,
        'source': True,
        'destination': False
    }

    math.log()
    math.sqrt()

Use log or sqrt transforms to give weighted preference to sums of related answers or to a numeric input.
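Worked example of the weighted scoring described above, added here and not the speaker's own code: the security-field checklist from the slide plus two assumed question groups, a log, sqrt or linear transform per group, a weighted combination, and a tier decision. The extra groups, the weights, the thresholds and the tier names are assumptions for illustration.

```python
import math
from typing import Dict, Mapping

# Security-specific field checklist from the slide (does the source carry
# each field?). The other two groups, the weights and the thresholds are
# constructed for this example.
SECURITY_FIELDS: Dict[str, bool] = {
    "time": True,
    "user": True,
    "host": True,
    "action": True,
    "result": False,
    "source": True,
    "destination": False,
}

QUESTION_SETS: Dict[str, Dict[str, bool]] = {
    "security_fields": SECURITY_FIELDS,
    "compliance": {"retention_defined": True, "owner_named": True, "pii_tagged": False},
    "operations": {"runbook_exists": False, "on_call_owner": True},
}

# Relative importance of each group in the routing decision (hypothetical).
GROUP_WEIGHTS: Dict[str, float] = {"security_fields": 3.0, "compliance": 2.0, "operations": 1.0}


def group_score(answers: Mapping[str, bool], transform: str = "log") -> float:
    """Score one group of yes/no answers on a 0..1 scale.

    A plain ratio treats every answer equally, so a long checklist with a
    few gaps scores the same as a short one. log and sqrt compress the
    count of "yes" answers: the first few matter most and each extra one
    adds less, which is the weighted preference the slide refers to.
    """
    yes = sum(1 for v in answers.values() if v)
    total = len(answers)
    if total == 0:
        return 0.0
    if transform == "log":
        return math.log1p(yes) / math.log1p(total)   # log(1+n) so n=0 is defined
    if transform == "sqrt":
        return math.sqrt(yes) / math.sqrt(total)
    if transform == "linear":
        return yes / total
    raise ValueError(f"unknown transform {transform!r}")


def weighted_score(question_sets: Mapping[str, Mapping[str, bool]],
                   weights: Mapping[str, float], transform: str = "log") -> float:
    """Weighted mean of the group scores, normalised back to 0..1."""
    total_weight = sum(weights[name] for name in question_sets)
    return sum(weights[name] * group_score(answers, transform)
               for name, answers in question_sets.items()) / total_weight


def routing_tier(score: float) -> str:
    """Map a score to a hypothetical routing tier / policy outcome."""
    if score >= 0.75:
        return "siem_hot"      # full security monitoring, short-term hot storage
    if score >= 0.50:
        return "siem_warm"     # searchable, but no real-time detections
    return "archive"           # cheap storage only, e.g. an S3 bucket


if __name__ == "__main__":
    for t in ("linear", "sqrt", "log"):
        s = weighted_score(QUESTION_SETS, GROUP_WEIGHTS, t)
        print(f"{t:>6}: score={s:.3f} tier={routing_tier(s)}")
```

With these inputs the linear ratio lands the source in the warm tier while the log transform lands it in the hot tier: the compressed transforms reward a source that already answers most of the high-weight security questions, which is the effect a routing policy usually wants when the remaining gaps are fields an analyst can live without.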
Automate & Integrate Where Possible
(Figure, edges labelled Asks / Outputs / Used by / Scoring output: a Data Routing Definition Builder asks the Data Dictionary, CMDB / Service Catalog, BC / DR and Enterprise Policies for its inputs and outputs a Data Routing Definition, which is used by the Data Routing Function; the builder also produces the scoring output.)
Utility Scripts

Before:
1. Download/clone
2. Runs locally
3. Output to console or file

After (CI/CD):
- Manage in a container
- Protect tokens/secrets
- Scan and run "local" repo
- Format / structured output
- Schedule or run on-demand

(Figure: the "After" flow feeds a Data Routing Policy/Decision.)
Automation Observability
- Add observability to existing utility
scripts and pipelines
- Build custom modules and packages
- Front with a custom API relay
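An added example (mine, not from the talk or REI's tooling) of the "After" pattern for utility scripts and of the observability point above: secrets come from environment variables injected by the container or CI runner, each step of the script emits one structured JSON event carrying a shared run id, and any secret value is redacted from error text before it is logged. The environment variable names, the step names and the sample run are assumptions.

```python
import functools
import json
import os
import sys
import time
import uuid
from typing import Any, Callable, Dict, List, Sequence

# Names of the secrets the automation needs (hypothetical). They are injected
# into the container/CI job as environment variables; the script never takes
# them as command-line arguments, which would leak them into shell history
# and process listings.
SECRET_ENV_VARS: Sequence[str] = ("SPLUNK_HEC_TOKEN", "CMDB_API_KEY")


def load_secrets(names: Sequence[str] = SECRET_ENV_VARS) -> Dict[str, str]:
    """Read required secrets from the environment, failing fast if one is missing."""
    missing = [n for n in names if not os.environ.get(n)]
    if missing:
        raise RuntimeError(f"missing required secrets: {', '.join(missing)}")
    return {n: os.environ[n] for n in names}


def redact(text: str, secrets: Sequence[str]) -> str:
    """Replace any occurrence of a secret value in free text (e.g. an exception message)."""
    for value in secrets:
        if value:
            text = text.replace(value, "<redacted>")
    return text


class AutomationRun:
    """Collects one structured JSON event per step of a utility script.

    Every event carries the same run_id, so a scheduled job can be trended
    and audited in Splunk (success rate, duration per step, failures) once
    the lines are forwarded, e.g. from the container's stderr.
    """

    def __init__(self, name: str, secret_values: Sequence[str] = ()) -> None:
        self.name = name
        self.run_id = str(uuid.uuid4())
        self.secret_values = tuple(v for v in secret_values if v)
        self.events: List[Dict[str, Any]] = []

    def step(self, step_name: str) -> Callable:
        """Decorator: time the wrapped function and record its outcome."""
        def decorator(fn: Callable) -> Callable:
            @functools.wraps(fn)
            def wrapper(*args: Any, **kwargs: Any) -> Any:
                event: Dict[str, Any] = {"run": self.name, "run_id": self.run_id,
                                         "step": step_name, "ts": time.time()}
                start = time.perf_counter()
                try:
                    result = fn(*args, **kwargs)
                    event["status"] = "ok"
                    return result
                except Exception as exc:  # re-raised after the event is recorded
                    event["status"] = "error"
                    event["error"] = redact(f"{type(exc).__name__}: {exc}", self.secret_values)
                    raise
                finally:
                    event["duration_ms"] = round((time.perf_counter() - start) * 1000, 3)
                    self.events.append(event)
                    print(json.dumps(event, sort_keys=True), file=sys.stderr)
            return wrapper
        return decorator


def demo_run() -> List[Dict[str, Any]]:
    """Constructed sample run: one successful step, one that fails and leaks a key."""
    os.environ.setdefault("SPLUNK_HEC_TOKEN", "example-hec-token")   # constructed values for the
    os.environ.setdefault("CMDB_API_KEY", "example-cmdb-key-42")     # demo only, never real ones
    secrets = load_secrets()
    run = AutomationRun("data-routing-policy", list(secrets.values()))

    @run.step("build_routing_definition")
    def build_definition(sources: Sequence[str]) -> Dict[str, str]:
        return {s: "siem_hot" for s in sources}

    @run.step("query_cmdb")
    def query_cmdb() -> None:
        # Simulates an HTTP client that echoes the credential in its error text.
        raise ConnectionError(f"401 from https://cmdb.example.invalid with key {secrets['CMDB_API_KEY']}")

    build_definition(["fw01", "web01"])
    try:
        query_cmdb()
    except ConnectionError:
        pass
    return run.events


if __name__ == "__main__":
    demo_run()
```

The redaction step matters more than it looks: client libraries routinely put the request, headers included, into exception messages, and a "structured output" pipeline that forwards those messages to Splunk would otherwise index the token for everyone with search access to that index.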
Additional Common Patterns
Trending is required
Strict RBAC and Auditing
Tool consolidation efforts
Technology value realization & maturity deficits – Can Splunk do the
basics of a point-solution first?
Can existing Splunk infrastructure be utilized?
Edge
Processor
Introduction and demonstration
Rob de Luna
Sr Sales Engineer
This presentation may contain forward-looking statements regarding future events, plans or the
expected financial performance of our company, including our expectations regarding our products,
technology, strategy, customers, markets, acquisitions and investments. These statements reflect
management’s current expectations, estimates and assumptions based on the information currently
available to us. These forward-looking statements are not guarantees of future performance and
involve significant risks, uncertainties and other factors that may cause our actual results,
performance or achievements to be materially different from results, performance or achievements
expressed or implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those
described in the forward-looking statements made in this presentation, please refer to our periodic
reports and other filings with the SEC, including the risk factors identified in our most recent quarterly
reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting
the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at
www.sec.gov. The forward-looking statements made in this presentation are made as of the time and
date of this presentation. If reviewed after the initial presentation, even if made available by us, on our
website or otherwise, it may not contain current or accurate information. We disclaim any obligation to
update or revise any forward-looking statement based on new information, future events or otherwise,
except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described, in beta or in preview (used interchangeably), or to include any such feature
or functionality in a future release.
Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other
brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
Forward-Looking Statements (2.18.22-19:04)
Filter, Mask, Transform, Route
Edge Processor is the latest innovation in data preprocessing with Splunk

- Heavyweight Forwarders: powerful and performant edge processing using props and transforms
- Ingest Actions: new UI leveraging props and transforms to author and deploy ingest or edge transformations and routing
- Edge Processor: edge processing with a new, intuitive UI and SPL2-based pipeline authoring to author, deploy and manage transformations and routing
Introducing Edge Processor

What's this?
- Service offering delivered through a cloud control plane, available on Splunk Cloud Platform
- Customer supplies hosts on which edge processors are deployed, with flexibility to scale

How's it work?
- New pipeline authoring experience, SPL2, delivers efficient, flexible data transformation
- Use cases include filter, mask, and route to Splunk platform or S3

So what?
- Customers enjoy real-time visibility into and control over their data in motion
- Customers can derive more value from and generate new insights into their data

Simplified data processing within the customers' network boundaries
What is Edge Processing?
● Filter verbose or low-value sources, like DEBUG logs or other noisy data
● Extract just the critical data
● Mask PII
● Route different "slices" of data to desired destinations

(Figure: forwarders (UF or HWF) in the customer environment send data to an Edge Processor, which filters and masks, pre-processes and transforms, and routes events to a Splunk Cloud index, a Splunk index, or Amazon S3; the control plane runs on Splunk Cloud Services.)
Edge Processor Overview
● Central pipeline management
● Global visibility

(Figure: the Edge Processor Service, its UI and Pipelines Service, runs on Splunk Cloud Platform and is operated by the user; an Edge Processor node on a customer host server is cloud managed over outbound HTTPS and sends audit logs, processor logs and pipeline metrics to the service; customer agents deliver data to the node, which forwards it to customer destinations: Splunk Enterprise, Splunk Cloud, or S3.)
Everything is SPL2
● Use SPL2 for data transformations like field extraction, filtering, and masking
  ○ Act on entire events or parts of events
  ○ e.g. retain only a subset of fields within an event
● Supports Infrastructure as Code. All pipelines are just SPL2
● Splunk-provided SPL2 Templates and (future) Bundles
SPL2 Concepts
● SPL2 is built around the concept of Datasets. A dataset is anything that contains data which can be read from and/or written into.
● Each dataset may have a different Kind. Relevant Edge Processor Kinds:
  ○ Forwarder
  ○ Indexer
  ○ S3 buckets
● Datasets can be referenced literally in the SPL2, or passed as a parameter to a variable.

Dataset variables represent datasets of varying kinds from which data can be read, or into which data can be written. $source and $destination are specific dataset variables, overwritten with an actual dataset passed as a parameter (such as s3_bucket_A) in a pipeline.

Commands are actions that can be taken on data in an Edge Processor pipeline; they are applied sequentially, respecting pipes.

(Callout on the slide's pipeline screenshot: "This is an SPL2 statement, assigned to the dataset variable $pipeline.")
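The filter, mask, transform and route behaviour described on the Edge Processor slides, and the $source / $pipeline / $destination structure above, as an added example that is not part of the deck and not Splunk's code: a small Python pipeline run over constructed sample events. It models the semantics of piped stages and a routing table; it is not SPL2, and the stage names, the routing table, the masking patterns, the destination names and the sample events are all assumptions for illustration.

```python
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Event = Dict[str, str]
Stage = Callable[[Event], Optional[Event]]   # a stage returns None to drop the event

# Constructed sample events standing in for what forwarders ($source) deliver.
SAMPLE_EVENTS: List[Event] = [
    {"sourcetype": "app:json", "host": "web01", "_raw": '{"level":"DEBUG","msg":"cache hit /login"}'},
    {"sourcetype": "app:json", "host": "web01", "tmp_debug_id": "x1",
     "_raw": '{"level":"ERROR","msg":"login failed for bob@example.com"}'},
    {"sourcetype": "hr:export", "host": "hr01", "_raw": "employee=1234 ssn=123-45-6789 status=active"},
    {"sourcetype": "netfw", "host": "fw01", "_raw": "action=deny src=10.1.2.3 dst=203.0.113.9 dport=445"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def drop_debug(ev: Event) -> Optional[Event]:
    """Filter: discard verbose DEBUG-level application logs."""
    return None if '"level":"DEBUG"' in ev["_raw"] else ev


def mask_pii(ev: Event) -> Optional[Event]:
    """Mask: replace SSNs and e-mail addresses in the raw event before it leaves the network."""
    raw = SSN_RE.sub("XXX-XX-XXXX", ev["_raw"])
    raw = EMAIL_RE.sub("<email>", raw)
    return {**ev, "_raw": raw}


def keep_fields(names: Sequence[str]) -> Stage:
    """Transform: retain only a subset of fields (the slide's 'parts of events')."""
    def stage(ev: Event) -> Optional[Event]:
        return {k: v for k, v in ev.items() if k in names}
    return stage


def run_pipeline(source: Sequence[Event], stages: Sequence[Stage]) -> List[Event]:
    """Apply stages in order, like piped commands; a None result ends processing of that event."""
    out: List[Event] = []
    for ev in source:
        current: Optional[Event] = ev
        for stage in stages:
            current = stage(current)
            if current is None:
                break
        if current is not None:
            out.append(current)
    return out


# Routing table: (sourcetype, destination name). Destination names are hypothetical.
ROUTES: List[Tuple[str, str]] = [("netfw", "splunk_index_security"), ("hr:export", "s3_archive")]
DEFAULT_DESTINATION = "splunk_index_main"


def route(events: Sequence[Event], routes: Sequence[Tuple[str, str]] = ROUTES,
          default: str = DEFAULT_DESTINATION) -> Dict[str, List[Event]]:
    """Route: send each slice of data to its $destination, grouped by destination name."""
    by_dest: Dict[str, List[Event]] = {}
    for ev in events:
        dest = next((d for st, d in routes if ev["sourcetype"] == st), default)
        by_dest.setdefault(dest, []).append(ev)
    return by_dest


def process(source: Sequence[Event] = SAMPLE_EVENTS) -> Dict[str, List[Event]]:
    """The whole $pipeline: from $source | filter | mask | transform | into $destination."""
    stages: List[Stage] = [drop_debug, mask_pii, keep_fields(("sourcetype", "host", "_raw"))]
    return route(run_pipeline(source, stages))


if __name__ == "__main__":
    for dest, evs in process().items():
        print(dest)
        for ev in evs:
            print("   ", ev["_raw"])
```

Order of stages is the security-relevant choice: masking runs before routing, so the HR export that goes to the S3 archive destination has its SSN replaced before the bytes leave the customer's network boundary, which is the property the "within the customers' network boundaries" line is about. Whatever the real pipeline language, check the same thing there: that the mask step precedes every `into` destination, including the low-cost archive.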
Edge Processor
Demo
Wrap up

Leaders
● User leaders needed!

Next meeting
● In person in Portland

Topic ideas
● Drop suggestions or offers to speak to the #pnw channel in the UG slack

.conf23
● July 17-20
● Las Vegas
Thank You

Source: Splunk PNW User Group - Seattle - 2023-06-28.pdf