Visual link analysis with Splunk and Gephi

As cyber-security risks and attacks have surged in recent years, identity fraud has become all too familiar for the common, unsuspecting user. You might wonder, “why don’t we have the capabilities to eliminate these incidents of fraud completely?” The reality is that fraud is difficult to characterize as it often requires much contextual information about what was occurring before, during, and after the event of concern in order to identify if any fraudulent behavior was even occurring at all. Cyber-security analysts therefore require a host of tools to monitor and investigate fraudulent behavior; tools capable of dealing with large amounts of disparate data sets. It would be great for these security analysts to have a platform to be able to …


Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups. Because this capability has not received as much attention, I wanted to share a bit about it and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked: how can Splunk dynamically create watchlists that can then be used to correlate new events against a watchlist? Enterprise Security has had the ability to correlate against a …


Dashboard Digest Series – Episode 5: Maps!

“A map does not just chart, it unlocks and formulates meaning; it forms bridges between here and there, between disparate ideas that we did not know were previously connected.” ― Reif Larsen, The Selected Works of T.S. Spivet

Welcome to Episode 5 of the Dashboard Digest series!

Maps play a critical role in visualizing machine data in almost any industry for thousands of use cases. We’ve been continuously adding more mapping functionality to Splunk and with the recent addition of Custom Visualizations in Splunk 6.4 you (the community) have too! This is exciting news as I’ve noticed many times the first panel on a dashboard that draws attention is a map. The best part is that each of these displays …


Splunk and AWS: Monitoring & Metrics in a Serverless World

Bill Bartlett (fellow Splunker) and I have recently had the distinct pleasure of moving some workloads from AWS EC2 over to a combination of AWS Lambda and AWS API Gateway. Between the dramatic cost savings and the wonderful experience of not managing a server, making this move was a no-brainer (facilitated as well by great frameworks like Zappa). Both services are pretty robust, and while perhaps not perfect, to us they are a beautiful thing.

While we were using Splunk to monitor several EC2 servers with various bits of custom code via the Splunk App and Add-On for AWS, we realized (ex post facto) that while Lambda was supported out of the box by the Add-On, API Gateway was …


Smart AnSwerS #83

Hey there community and welcome to the 83rd installment of Smart AnSwerS.

After a dry spell, Splunk HQ is finally experiencing a good amount of rain in the San Francisco Bay Area. As per usual, people have forgotten how to navigate around the city, both on the roads and sidewalks. On the plus side, we can finally see rain water get collected above the courtyard and flow into a huge basin that distributes the water to surrounding plants. Splunkers have been taking breaks to check out the recycled water system in action as a serene escape, making rainy days at the office something to look forward to.

Check out this week’s featured Splunk Answers posts:

Why is the


Universal or Heavy, that is the question?

Introduction

As a Professional Services Consultant, a discussion that I often encounter when on site with customers is whether to use a Universal Forwarder or a Heavy Forwarder.

Splunk provides two different binaries, the full version of Splunk and the Universal Forwarder. A full Splunk instance can be configured as a Heavy Forwarder. The Universal Forwarder is a cut-down version of Splunk, with limited features and a much smaller footprint.

In this blog post I am going to show why Splunk Professional Services recommends the use of Universal Forwarders in preference to Heavy Forwarders whenever possible, to ensure a faster, more efficient Splunk platform.

When should the Universal Forwarder be used and why?

The Universal Forwarder is ideal for collecting files from disk (e.g. a syslog …


Easily Create Mod Inputs Using Splunk Add-on Builder 2.0 – Part IV

Add-on Builder 2.0 provides capabilities to build modular inputs without writing any code. In this post, however, we focus on using an advanced feature of Splunk’s Add-on Builder 2.0 to write custom Python while taking advantage of its powerful helper functions.

NB: Future versions of Add-on Builder will obviate the need for some of the techniques mentioned below, most notably the techniques in step #6 and step #8.

There is a veritable cornucopia of useful resources for building modular inputs at docs.splunk.com, dev.splunk.com, blogs.splunk.com, and more. This post certainly isn’t meant to replace those. No no, this post will simply walk you through leveraging Splunk Add-on Builder 2.0 to create custom code to query an API.

In this post we will create a …


Smart AnSwerS #82

Hey there community and welcome to the 82nd installment of Smart AnSwerS.

Have you ever wondered what makes the Splunk community so special, and why many people from various backgrounds are so engaged in all things Splunk? Well, look no further! alacercogitatus, aka Kyle Smith of the SplunkTrust, posted this awesome, heartfelt blog post about his experiences engaging with users in the community online and offline, emphasizing how the culture plays an essential role in the success of users stepping into the world of Splunk. You’re not simply learning how to use the products – you’re entering a community of users that are incredibly supportive, passionate, and willing to share their knowledge to help you meet …


Head in the Cloud? Maximize your Operational Intelligence with Even Deeper Integration Between Splunk and AWS

Even more exciting news from re:Invent!

In case you weren’t watching the live-stream of the event, you may have missed this morning’s keynote announcement about the new service called AWS Personal Health.

Splunk’s integration with AWS Personal Health allows AWS customers to proactively monitor over 70 services and quickly act on service interruptions that affect their own accounts, informing their users of things like reserved instance retirement, network issues, and even instance failures. Previously, if there was a network issue, your only way of knowing was through regional or availability-zone messaging. This integration brings an even more personalized experience to using Splunk for monitoring and managing your mission-critical workloads in AWS.

The AWS Health API delivers critical data on AWS service quality and …


Dashboard Digest Series – Episode 4 – NFL Predictions

In Episode 4 we take a look at the four downs of football. We used the Machine Learning Toolkit and more than a decade of NFL data to build models that make predictions during NFL games.

In order to make it quick and easy to plug in a scenario and visualize the most likely outcomes, we made a simple dashboard so editors at Sports Illustrated could try it out during a game. You may have seen the dashboard if you were watching CNN before the Super Bowl earlier this year:

Purpose: Predict the next play
Splunk Version: Splunk 6.4
Data Sources: Every NFL play and player since 1999
Apps: Machine Learning Toolkit, Shapester

The data contains a lot of fields
