WEBVTT

0:00:03.700000 --> 0:00:07.620000
 Introduction to Splunk for
 Security Operations.

0:00:07.620000 --> 0:00:13.020000
 So now that you've gotten a formal introduction
 to the ELK stack or Elastic

0:00:13.020000 --> 0:00:18.640000
 Stack, you've gotten to experience it
 yourself as we did in the previous

0:00:18.640000 --> 0:00:27.520000
 video, where we were using the lab to
 search for very interesting activity,

0:00:27.520000 --> 0:00:34.400000
 I wanted to introduce you to Splunk,
 but more specifically Splunk for

0:00:34.400000 --> 0:00:37.480000
 Security Operations, as
 the title suggests.

0:00:37.480000 --> 0:00:43.300000
 Now, by this point in the course, you've
 probably interacted with Splunk

0:00:43.300000 --> 0:00:49.080000
 because we had one video that had a
 lab where we were essentially taking

0:00:49.080000 --> 0:00:55.200000
 a look at how to forward or how to collect,
 ship and aggregate logs into

0:00:55.200000 --> 0:00:57.400000
 Splunk Enterprise.

0:00:57.400000 --> 0:01:02.880000
 And one of the reasons I'm making this video
 is to give you a formal introduction

0:01:02.880000 --> 0:01:09.880000
 to Splunk and sort of explain what Splunk
 is, because just like the ELK

0:01:09.880000 --> 0:01:16.220000
 stack or Elastic Stack, there's different
 versions of Splunk that have

0:01:16.220000 --> 0:01:20.100000
 been designed for different use cases.

0:01:20.100000 --> 0:01:26.120000
 And I've spoken about Splunk as just Splunk
 and we also then have Enterprise

0:01:26.120000 --> 0:01:30.960000
 Splunk Enterprise and then
 Splunk Enterprise Security.

0:01:30.960000 --> 0:01:34.680000
 And I think it's very important for
 you to understand the differences

0:01:34.680000 --> 0:01:40.900000
 between them, because Splunk really can
 be used to do quite a lot of things,

0:01:40.900000 --> 0:01:43.960000
 just like the Elastic Stack.

0:01:43.960000 --> 0:01:52.760000
 But given the popularity or the fact that
 you are likely to either encounter

0:01:52.760000 --> 0:01:59.080000
 ELK or Splunk, it's very important
 that you understand the differences

0:01:59.080000 --> 0:02:02.860000
 between the two, but we're really going
 to be focusing on the similarities.

0:02:02.860000 --> 0:02:06.880000
 In any case, we need to
 start with the basics.

0:02:06.880000 --> 0:02:08.660000
 So what is Splunk?

0:02:08.660000 --> 0:02:12.560000
 Well, Splunk, and of course, I'm tailoring
 this to be very specific to

0:02:12.560000 --> 0:02:13.980000
 security operations.

0:02:13.980000 --> 0:02:21.540000
 So Splunk in the context of security
 operations is seen as a SIEM, so

0:02:21.540000 --> 0:02:26.720000
 security information and event management
 system tool or platform.

0:02:26.720000 --> 0:02:30.860000
 And in addition to that, and this is
 sort of what I was referring to when

0:02:30.860000 --> 0:02:36.500000
 it comes to Splunk, it's also
 a data analytics platform.

0:02:36.500000 --> 0:02:41.680000
 So if you trace back the history of Splunk
 and where it started, it really

0:02:41.680000 --> 0:02:44.780000
 wasn't a SIEM in terms of its inception.

0:02:44.780000 --> 0:02:48.840000
 It started off as a data
 analytics platform.

0:02:48.840000 --> 0:02:54.920000
 And then as they progressed all the
 needs of the security industry or

0:02:54.920000 --> 0:03:06.420000
 the digital industry increased, they
 found it fit or sound to incorporate

0:03:06.420000 --> 0:03:13.320000
 or to build a version of Splunk or to
 start building in the various features

0:03:13.320000 --> 0:03:18.240000
 or functionality that you'd
 associate with a SIEM.

0:03:18.240000 --> 0:03:22.540000
 And this is where you have the different
 versions of SIEM, which you

0:03:22.540000 --> 0:03:25.920000
 can actually see for yourself
 on their website.

0:03:25.920000 --> 0:03:30.480000
 Now, the bottom line is what is Splunk?

0:03:30.480000 --> 0:03:35.980000
 We're talking about it here, but if
 you take a look at how it works, as

0:03:35.980000 --> 0:03:39.280000
 summarized in the second paragraph here,
 you can see it's fairly similar

0:03:39.280000 --> 0:03:44.360000
 to ELK. And from that point of view,
 they are quite similar, but there's

0:03:44.360000 --> 0:03:46.020000
 obviously nuances.

0:03:46.020000 --> 0:03:51.540000
 So it ingests data from a variety of
 sources, such as servers, operating

0:03:51.540000 --> 0:03:56.760000
 systems, network devices, applications
 and security tools, and makes that

0:03:56.760000 --> 0:03:59.420000
 data searchable and actionable.

0:03:59.420000 --> 0:04:03.960000
 Now, the best way to view Splunk is
 to think of Splunk as a giant search

0:04:03.960000 --> 0:04:05.760000
 engine for your machine data.

0:04:05.760000 --> 0:04:08.340000
 Now, why is this very generalized?

0:04:08.340000 --> 0:04:12.880000
 Why am I not referring to logs and I'm
 using machine data instead of logs?

0:04:12.880000 --> 0:04:17.660000
 Well, again, that goes back to the history
 of Splunk and what it was before

0:04:17.660000 --> 0:04:22.880000
 it became, before they offered a version
 that had SIEM functionality or,

0:04:22.880000 --> 0:04:29.200000
 you know, simply put, before they started
 offering Splunk Enterprise

0:04:29.200000 --> 0:04:33.900000
 Security, which is different
 from Splunk Enterprise.

0:04:33.900000 --> 0:04:41.700000
 The reason I'm doing that is to give
 some precedent to that particular

0:04:41.700000 --> 0:04:47.900000
 fact and also outline the fact that to
 this day, you can still use Splunk

0:04:47.900000 --> 0:04:53.060000
 as a data analytics platform and indeed
 many organizations still do.

0:04:53.060000 --> 0:04:57.380000
 That's why we'll see Splunk being used
 to track sales, user activity, so

0:04:57.380000 --> 0:04:58.080000
 on and so forth.

0:04:58.080000 --> 0:05:02.800000
 You know, there's a lot of users for
 Splunk data analytics, you know,

0:05:02.800000 --> 0:05:04.620000
 data science to a certain extent.

0:05:04.620000 --> 0:05:08.520000
 In any case, sorry, to a broader extent.

0:05:08.520000 --> 0:05:14.400000
 In any case, you know, how does it work
 in terms of its core functionality?

0:05:14.400000 --> 0:05:17.000000
 Well, Splunk handles the
 following types of data.

0:05:17.000000 --> 0:05:21.640000
 I mentioned that it deals with a lot
 of data and so what types of data

0:05:21.640000 --> 0:05:24.860000
 does it deal with or handle or ingest?

0:05:24.860000 --> 0:05:30.880000
 Well, log files from operating systems,
 alerts and telemetry from firewalls,

0:05:30.880000 --> 0:05:34.700000
 intrusion detection systems, intrusion
 prevention systems, antiviruses,

0:05:34.700000 --> 0:05:39.240000
 etc. Of course, you also have support
 for application logs, including

0:05:39.240000 --> 0:05:42.920000
 web servers, databases, as well as APIs.

0:05:42.920000 --> 0:05:50.360000
 You also have robust support for cloud
 infrastructure logs from AWS, Azure,

0:05:50.360000 --> 0:05:55.860000
 GCP. To put it simply, basically anything
 that generates logs or events

0:05:55.860000 --> 0:06:00.100000
 can be ingested by Splunk, which is,
 you know, one of the reasons why

0:06:00.100000 --> 0:06:08.020000
 it's, you know, quite a popular
 or widely deployed solution.

0:06:08.020000 --> 0:06:15.680000
 And I'm not really comparing it here
 to ELK or anything of that, you know,

0:06:15.680000 --> 0:06:20.720000
 on that line of thinking, but, you
 know, as I said, you'll tip it out.

0:06:20.720000 --> 0:06:25.580000
 You typically see Splunk being used
 or being deployed for a variety of

0:06:25.580000 --> 0:06:31.740000
 use cases, not, and not specific, you
 know, just to, or not exclusive

0:06:31.740000 --> 0:06:35.160000
 to just, you know, security operations.

0:06:35.160000 --> 0:06:40.180000
 So that brings us to the next logical
 question, which is, what are the

0:06:40.180000 --> 0:06:46.440000
 use cases of Splunk or how is Splunk,
 generally speaking, used?

0:06:46.440000 --> 0:06:51.120000
 Well, firstly, for IT operations monitoring,
 it's quite popular in this

0:06:51.120000 --> 0:06:57.120000
 regard. Of course, it also shares that,
 that spotlight with the ELK stack.

0:06:57.120000 --> 0:07:02.000000
 So think of, you know, using it to troubleshoot
 performance issues, monitoring

0:07:02.000000 --> 0:07:05.680000
 uptime and application health,
 so on and so forth.

0:07:05.680000 --> 0:07:08.140000
 It also is used for security monitoring.

0:07:08.140000 --> 0:07:14.460000
 So think of detecting and investigating
 threats, as well as real time

0:07:14.460000 --> 0:07:17.440000
 alerting on suspicious behavior.

0:07:17.440000 --> 0:07:22.540000
 And then this is where you start seeing
 some of the, you know, more, I

0:07:22.540000 --> 0:07:28.640000
 wouldn't say nuanced, but more broader
 use cases, you know, specifically

0:07:28.640000 --> 0:07:30.300000
 in business intelligence.

0:07:30.300000 --> 0:07:34.380000
 When we talk about data analytics, it's
 used, you know, to analyze user

0:07:34.380000 --> 0:07:38.420000
 behavior, traffic, so on and so forth.

0:07:38.420000 --> 0:07:43.320000
 You know, things like tracking
 KPIs using machine data, etc.

0:07:43.320000 --> 0:07:44.780000
 You also have compliance.

0:07:44.780000 --> 0:07:51.640000
 So, you know, ensuring log retention and
 audit trails, automating compliance,

0:07:51.640000 --> 0:07:54.040000
 reporting, things like this.

0:07:54.040000 --> 0:07:56.620000
 So how does Splunk work?

0:07:56.620000 --> 0:08:00.820000
 Just like the ELK stack, you know, with
 any SIEM, generally speaking, it

0:08:00.820000 --> 0:08:04.700000
 all starts with the ingestion or, you know,
 you could also include collection

0:08:04.700000 --> 0:08:09.700000
 in there. But we've already explored what
 collection and, you know, shipping

0:08:09.700000 --> 0:08:22.960000
 and ingestion looks like, practically,
 as we did earlier in this course.

0:08:22.960000 --> 0:08:24.180000
 So, you know, we're going to be able
 to do, you know, operating system

0:08:24.180000 --> 0:08:28.620000
 logs, server logs, network devices, logs
 from network devices, application

0:08:28.620000 --> 0:08:34.180000
 logs, cloud services, logs from cloud
 services, pardon me, and logs from

0:08:34.180000 --> 0:08:38.820000
 security tools. And this is where you
 have the forwarders, which we actually

0:08:38.820000 --> 0:08:53.160000
 covered, right? So, for example, for the
 data analytics, we have the universal

0:08:53.160000 --> 0:08:58.280000
 forwarders, we utilize the universal
 forwarders, abbreviated as UF.

0:08:58.280000 --> 0:09:02.260000
 The universal forwarder is lightweight
 and is typically for data forwarding

0:09:02.260000 --> 0:09:05.820000
 only, not typically it is
 for data forwarding only.

0:09:05.820000 --> 0:09:10.020000
 But you also have the heavy
 forwarders, abbreviated as HF.

0:09:10.020000 --> 0:09:15.080000
 And this is unique in the sense that it
 can perform the parsing and indexing

0:09:15.080000 --> 0:09:20.920000
 of data and, you know, data and logs
 before it's sent to the indexer or

0:09:20.920000 --> 0:09:24.980000
 before. For lack of a, you know, to
 simplify your understanding before

0:09:24.980000 --> 0:09:26.120000
 it's sent to Splunk.

0:09:26.120000 --> 0:09:33.880000
 So, as we saw with ELK or the Elastic
 Stack, as it's now called, the process

0:09:33.880000 --> 0:09:39.440000
 of normalization and parsing,
 you know, typically happens.

0:09:39.440000 --> 0:09:45.220000
 You know, it doesn't really happen
 on the sources of, you know, where

0:09:45.220000 --> 0:09:51.260000
 the logs are coming from.

0:09:51.260000 --> 0:09:53.500000
 Logstash, so on and so forth.

0:09:53.500000 --> 0:09:54.660000
 And that's where it's done.

0:09:54.660000 --> 0:10:00.580000
 Right now with the heavy forwarder, the
 Splunk heavy forwarder, you can actually

0:10:00.580000 --> 0:10:07.860000
 configure the logs or data to be parsed
 and indexed, you know, directly

0:10:07.860000 --> 0:10:11.900000
 from the source or, you know, before
 it's actually sent to the indexer.

0:10:11.900000 --> 0:10:13.980000
 So, quite useful.

0:10:13.980000 --> 0:10:16.900000
 Then we have indexing,
 which is the next step.

0:10:16.900000 --> 0:10:20.300000
 Of course, if you use the heavy forwarder,
 then it's not really something

0:10:20.300000 --> 0:10:21.340000
 that you would do.

0:10:21.340000 --> 0:10:27.400000
 But, you know, indexing is still performed,
 regardless of where it's actually

0:10:27.400000 --> 0:10:32.020000
 performed. So, once the data is received,
 Splunk parses it and stores

0:10:32.020000 --> 0:10:36.800000
 it in indexes. So, parsing in the context
 of Splunk, you know, is where

0:10:36.800000 --> 0:10:41.880000
 Splunk breaks down raw data into events,
 applies timestamps, and extracts

0:10:41.880000 --> 0:10:43.660000
 key value pairs.

0:10:43.660000 --> 0:10:47.900000
 Indexing is where parsed data is stored
 in time series indexes for fast

0:10:47.900000 --> 0:10:52.020000
 retrieval. And hopefully you can start
 to see the similarities between

0:10:52.020000 --> 0:10:55.420000
 Splunk and the Elastic Stack.

0:10:55.420000 --> 0:10:59.260000
 So, an example here would be, you know,
 single firewall log becomes a

0:10:59.260000 --> 0:11:03.900000
 searchable event with a timestamp, source
 IP, destination IP, action taken,

0:11:03.900000 --> 0:11:07.800000
 etc. And then you have search
 and visualization.

0:11:07.800000 --> 0:11:12.240000
 Now, unlike the Elastic Stack, more
 specifically with Kibana, you have

0:11:12.240000 --> 0:11:14.640000
 the Kibana query language.

0:11:14.640000 --> 0:11:19.240000
 With Splunk, as you probably would have
 guessed, you have SPL, which is

0:11:19.240000 --> 0:11:21.000000
 the search processing language.

0:11:21.000000 --> 0:11:26.420000
 So, again, similar to KQL, you have the
 ability to, you know, write custom

0:11:26.420000 --> 0:11:29.360000
 queries to filter, correlate
 and analyze data.

0:11:29.360000 --> 0:11:33.120000
 And an example would be, and you can
 see the similarities here again,

0:11:33.120000 --> 0:11:37.900000
 index is equal to, in this case, as an
 example, firewall, the action equals

0:11:37.900000 --> 0:11:41.680000
 blocked, and you can start using
 logical operators like OR.

0:11:41.680000 --> 0:11:45.100000
 So, OR stats, count by source IP.

0:11:45.100000 --> 0:11:45.960000
 Again, very, very similar.

0:11:45.960000 --> 0:11:54.100000
 And that's why I told you that across
 all SIEMs, or most of them, they

0:11:54.100000 --> 0:12:01.520000
 share quite a few components
 or aspects as it were.

0:12:01.520000 --> 0:12:07.000000
 And in certain cases, you know, you
 have to learn a new query language,

0:12:07.000000 --> 0:12:10.840000
 or in this case, a processing language,
 but they're fairly similar with

0:12:10.840000 --> 0:12:12.040000
 regards to their logic.

0:12:12.040000 --> 0:12:16.080000
 In any case, you also have dashboards
 similar to Kibana.

0:12:16.080000 --> 0:12:20.220000
 So, these provide real-time visuals
 using graphs, charts and tables.

0:12:20.220000 --> 0:12:24.060000
 And, you know, as you can probably tell,
 this is very useful for monitoring

0:12:24.060000 --> 0:12:28.620000
 system health, detecting
 anomalies and reporting.

0:12:28.620000 --> 0:12:31.220000
 And then, of course, the
 alerting functionality.

0:12:31.220000 --> 0:12:35.300000
 So, you have the ability to, you know,
 set up alerts in the form of setting

0:12:35.300000 --> 0:12:36.780000
 thresholds to trigger alerts.

0:12:36.780000 --> 0:12:41.660000
 So, for example, you can create an
 alert or a trigger for an alert to

0:12:41.660000 --> 0:12:47.740000
 be created when failed logins are greater
 than 10 in five minutes as an

0:12:47.740000 --> 0:12:54.500000
 example, right? So, that brings us now
 to the different versions of Splunk,

0:12:54.500000 --> 0:12:59.900000
 which is sort of the core thing that I wanted
 to really go over and distinguish,

0:12:59.900000 --> 0:13:09.240000
 because a lot of people, the database
-based platform to one that now has

0:13:09.240000 --> 0:13:13.520000
 a significant amount of its focus
 on security operations.

0:13:13.520000 --> 0:13:17.160000
 Understanding this, you know, the differences
 is very, very important,

0:13:17.160000 --> 0:13:22.600000
 because Splunk Enterprise and Enterprise
 Security are quite different

0:13:22.600000 --> 0:13:27.500000
 in that. Enterprise Security is really
 the, what you'd call the Splunk

0:13:27.500000 --> 0:13:28.480000
 theme, as it were.

0:13:28.480000 --> 0:13:33.580000
 In any case, Splunk offers several editions
 or versions tailored to different

0:13:33.580000 --> 0:13:37.860000
 use cases, organization sizes
 and deployment preferences.

0:13:37.860000 --> 0:13:41.220000
 So, you have the most basic of them
 all, Splunk Free, which is a limited

0:13:41.220000 --> 0:13:43.720000
 version of Splunk Enterprise, right?

0:13:43.720000 --> 0:13:48.640000
 And the key features are single user
 access up to 500 megabytes of data

0:13:48.640000 --> 0:13:52.700000
 indexing per day, no user authentication
 or role-based access, and it's

0:13:52.700000 --> 0:13:55.920000
 best for small-scale testing,
 personal learning, i.e.

0:13:55.920000 --> 0:14:00.940000
 you. So, that's the, you know,
 the most basic option.

0:14:00.940000 --> 0:14:04.140000
 You then have Splunk Enterprise, which
 is the full-featured on-premises

0:14:04.140000 --> 0:14:08.680000
 solution. They also have a cloud version,
 although I'll not get into that.

0:14:08.680000 --> 0:14:13.680000
 The key features here, you actually
 used Splunk Enterprise in the lab,

0:14:13.680000 --> 0:14:18.920000
 where we are taking a look at collection,
 shipping and aggregation into

0:14:18.920000 --> 0:14:29.840000
 Splunk. You know, your license, it supports
 clustering, scaling and distributed

0:14:29.840000 --> 0:14:31.800000
 search, which is quite important.

0:14:31.800000 --> 0:14:36.780000
 You also have RBAC or role-based access
 control, and supports all Splunk

0:14:36.780000 --> 0:14:38.540000
 apps in premium solutions.

0:14:38.540000 --> 0:14:42.000000
 And this is typically the best option
 for medium to large enterprises

0:14:42.000000 --> 0:14:44.140000
 with complex environments.

0:14:44.140000 --> 0:14:49.460000
 You then have Splunk Enterprise Security,
 or ES, as it's known or abbreviated

0:14:49.460000 --> 0:14:55.180000
 as. So, Splunk Enterprise Security,
 or ES, is a premium app, or let's

0:14:55.180000 --> 0:14:56.560000
 call it version.

0:14:56.560000 --> 0:15:03.860000
 I don't know the best way of explaining
 the progression from one to the

0:15:03.860000 --> 0:15:06.780000
 other in terms of, you know, additional
 features, et cetera.

0:15:06.780000 --> 0:15:12.140000
 But just think of it as Splunk Enterprise
 with this, that has essentially

0:15:12.140000 --> 0:15:18.640000
 been built or modified to have the,
 you know, functionality that you'd

0:15:18.640000 --> 0:15:19.500000
 associate with a C.

0:15:19.500000 --> 0:15:24.620000
 So, Splunk Enterprise Security is a
 premium app that transforms Splunk

0:15:24.620000 --> 0:15:27.280000
 into a full featured CIM platform.

0:15:27.280000 --> 0:15:32.680000
 And it's built specifically for security
 operations teams to detect, investigate

0:15:32.680000 --> 0:15:34.860000
 and respond to threats effectively.

0:15:34.860000 --> 0:15:36.500000
 You know, what a SIEM is there for.

0:15:36.500000 --> 0:15:42.100000
 And this sort of explains, you know, using
 an image, what it, how it works,

0:15:42.100000 --> 0:15:46.300000
 so data sources, and then the functionality
 you'd associate with a SIEM.

0:15:46.300000 --> 0:15:52.140000
 But with Splunk Enterprise Security,
 there's a couple of, I wouldn't say

0:15:52.140000 --> 0:15:56.680000
 additional features, but features that
 are, let's say, specific to Splunk.

0:15:56.680000 --> 0:16:05.040000
 And in this case, specific to security
 operations, which are, A, you know,

0:16:05.040000 --> 0:16:07.340000
 the security posture dashboards.

0:16:07.340000 --> 0:16:12.020000
 So, it provides a high level overview
 of your organization security status.

0:16:12.020000 --> 0:16:16.460000
 It includes panels for failed logins, malware
 detections, data exfiltration,

0:16:16.460000 --> 0:16:20.340000
 data exfiltration attempts and more.

0:16:20.340000 --> 0:16:23.720000
 And, you know, provides you the visual
 real time view of threats across

0:16:23.720000 --> 0:16:24.820000
 different domains.

0:16:24.820000 --> 0:16:27.860000
 So, there's things like this, which,
 you know, you can make a case for

0:16:27.860000 --> 0:16:30.840000
 saying this. And that's not really
 a feature that's unique to Splunk,

0:16:30.840000 --> 0:16:32.580000
 which, you know, you're right.

0:16:32.580000 --> 0:16:38.820000
 But this is what they would coin as, you
 know, being the features of Enterprise

0:16:38.820000 --> 0:16:41.960000
 Security. And we'll take
 a look at their website.

0:16:41.960000 --> 0:16:45.120000
 Actually, it's probably a good idea
 once we've gone through this, so you

0:16:45.120000 --> 0:16:47.100000
 can actually see it for yourself.

0:16:47.100000 --> 0:16:49.000000
 You then have correlation searches.

0:16:49.000000 --> 0:16:52.400000
 So, you know, helps detect suspicious
 patterns by correlating multiple

0:16:52.400000 --> 0:16:53.960000
 log sources and events.

0:16:53.960000 --> 0:16:57.560000
 Comes with prebuilt use cases, for example,
 brute force lateral movement,

0:16:57.560000 --> 0:16:58.800000
 data exfiltration.

0:16:58.800000 --> 0:17:02.380000
 And analysts can create custom rules
 tailored to the environment or their

0:17:02.380000 --> 0:17:05.460000
 requirements. You then have
 risk-based alerting.

0:17:05.460000 --> 0:17:08.520000
 And this is supposed
 to be the fourth one.

0:17:08.520000 --> 0:17:10.160000
 The fourth is threat intelligence.

0:17:10.160000 --> 0:17:13.200000
 Regardless, risk-based alerting is
 something that I would say is quite

0:17:13.200000 --> 0:17:15.880000
 unique to Splunk.

0:17:15.880000 --> 0:17:18.360000
 It's usually referred to as RBA.

0:17:18.360000 --> 0:17:19.620000
 Its abbreviated form.

0:17:19.620000 --> 0:17:23.600000
 But the way this works is it assigns
 risk scores to assets and users based

0:17:23.600000 --> 0:17:28.900000
 on activity. And reduces alert fatigue
 by prioritizing high risk behavior.

0:17:28.900000 --> 0:17:32.940000
 So, what this ends up leading to is,
 you know, it enables context-aware

0:17:32.940000 --> 0:17:37.020000
 investigations. You then have
 threat intelligence framework.

0:17:37.020000 --> 0:17:43.640000
 When I say that it's essentially built
 in, you know, threat intelligence

0:17:43.640000 --> 0:17:45.500000
 framework is built into it.

0:17:45.500000 --> 0:17:49.960000
 So, it ingests and normalizes threat
 feeds, think of STIX, TAXII.

0:17:49.960000 --> 0:17:51.240000
 If you're not familiar with this,

0:17:51.240000 --> 0:17:56.660000
 don't worry. We have a full course that's
 going to come after this course.

0:17:56.660000 --> 0:17:59.740000
 It's going to be focused on threat
 intelligence and threat hunting.

0:17:59.740000 --> 0:18:03.140000
 So, this is where all of this
 stuff will start making sense.

0:18:03.140000 --> 0:18:05.920000
 So, MISP, VirusTotal, et cetera.

0:18:05.920000 --> 0:18:09.580000
 And, you know, it matches incoming
 data against known IOCs.

0:18:09.580000 --> 0:18:12.360000
 You know, examples would be
 IPs, domains, et cetera.

0:18:12.360000 --> 0:18:15.780000
 And it automates threat enrichment
 and triage, which is actually quite

0:18:15.780000 --> 0:18:21.420000
 useful. You then have the Incident Review
 and workflows, which is also

0:18:21.420000 --> 0:18:22.660000
 very, very useful.

0:18:22.660000 --> 0:18:25.860000
 So, it provides you the central dashboard
 to triage, assign, and resolve

0:18:25.860000 --> 0:18:26.940000
 security incidents.

0:18:26.940000 --> 0:18:30.520000
 It pretty much provides you with
 case management functionality.

0:18:30.520000 --> 0:18:34.160000
 Very, very similar to what you would
 have with TheHive as we explored

0:18:34.160000 --> 0:18:38.140000
 in the previous course, as an incident
 management platform or incident

0:18:38.140000 --> 0:18:40.420000
 handling platform as it were.

0:18:40.420000 --> 0:18:44.240000
 And this then allows or gives analysts
 the ability to investigate events,

0:18:44.240000 --> 0:18:47.220000
 add comments, and escalate cases.

0:18:47.220000 --> 0:18:51.240000
 And as a result, this streamlines security
 operations and enables, obviously,

0:18:51.240000 --> 0:18:53.560000
 better team collaboration.

0:18:53.560000 --> 0:18:56.780000
 And then, of course, you have another
 cool feature, which is the MITRE

0:18:56.780000 --> 0:19:02.020000
 ATT&CK integration, very, very similar
 to what Wazuh offers.

0:19:02.020000 --> 0:19:07.040000
 So, you know, it allows you to map detections
 and alerts to, you know, ATT&CK

0:19:07.040000 --> 0:19:11.080000
 tactics and technique IDs, I should
 say, primarily that's what you're

0:19:11.080000 --> 0:19:18.500000
 looking for. And this, as a result, helps
 analysts understand attack progression,

0:19:18.500000 --> 0:19:23.340000
 attack paths, and gaps in coverage.

0:19:23.340000 --> 0:19:27.140000
 So, with that being said, that brings
 us to the end of this video.

0:19:27.140000 --> 0:19:30.780000
 Before we end the video, I'm just going
 to switch over into Splunk's website,

0:19:30.780000 --> 0:19:33.800000
 so I can clarify a couple of things,
 because, again, if you went to the

0:19:33.800000 --> 0:19:37.380000
 website, you probably will be a little
 bit confused based on what I said

0:19:37.380000 --> 0:19:41.600000
 at the beginning of this video and
 sort of tracing back to the origins

0:19:41.600000 --> 0:19:45.620000
 of Splunk and what the platform
 was to begin with.

0:19:45.620000 --> 0:19:49.340000
 Now, if you go to the website, you
 know, you probably think that it is

0:19:49.340000 --> 0:19:51.880000
 a SIEM, but that wasn't always the case.

0:19:51.880000 --> 0:19:56.940000
 In any case, let me switch over and we
 can go through a couple of important

0:19:56.940000 --> 0:20:00.520000
 nuances that can really
 only be visualized.

0:20:00.520000 --> 0:20:03.140000
 So, I'll see you in a couple of seconds.

0:20:03.140000 --> 0:20:08.860000
 All right, so I'm currently on the Splunk
 website, and you can see that

0:20:08.860000 --> 0:20:11.440000
 it's now a Cisco company.

0:20:11.440000 --> 0:20:17.580000
 They have products, solutions,
 Why Splunk, of course, resources.

0:20:17.580000 --> 0:20:19.180000
 By the way, great resources.

0:20:19.180000 --> 0:20:21.400000
 Take a look at their documentation.

0:20:21.400000 --> 0:20:24.260000
 Their training and certifications
 are also great.

0:20:24.260000 --> 0:20:29.080000
 Under the product, you have security,
 observability, and platform.

0:20:29.080000 --> 0:20:34.140000
 These being the three primary categories
 of offerings or products that

0:20:34.140000 --> 0:20:41.380000
 they offer, still all built on the same
 Splunk base, or vanilla Splunk, as it were.

0:20:41.380000 --> 0:20:44.100000
 So, security, this is where you
 have Enterprise Security.

0:20:44.100000 --> 0:20:48.900000
 There's also Asset and Risk Intelligence
 and SOAR and the Attack Analyzer,

0:20:48.900000 --> 0:20:53.460000
 et cetera. And then under observability,
 as its name suggests, you're

0:20:53.460000 --> 0:20:58.800000
 going to have Observability Cloud, IT
 Service Intelligence and AppDynamics.

0:20:58.800000 --> 0:21:02.340000
 And then platform, this is
 sort of where they started.

0:21:02.340000 --> 0:21:08.020000
 If I can just navigate there, that's
 where you have the Splunk platform.

0:21:08.020000 --> 0:21:13.240000
 Now, of course, there's a
 huge focus on security.

0:21:13.240000 --> 0:21:18.140000
 So, you can see it says the extensible
 data platform powers unified security,

0:21:18.140000 --> 0:21:22.160000
 full-stack observability, and limitless
 custom applications, which is

0:21:22.160000 --> 0:21:25.620000
 sort of what it was to begin with.

0:21:25.620000 --> 0:21:29.880000
 So, this pretty much encapsulates
 what I was saying.

0:21:29.880000 --> 0:21:34.080000
 So, data accessibility, so access and
 search data from any source and

0:21:34.080000 --> 0:21:36.920000
 across any device, business insights.

0:21:36.920000 --> 0:21:41.360000
 So, share data driven insights across
 your enterprise, usability, and

0:21:41.360000 --> 0:21:45.160000
 collaboration. So, remove data silos
 in your organization to work smart

0:21:45.160000 --> 0:21:48.760000
 across all of your user groups.

0:21:48.760000 --> 0:21:52.580000
 In terms of the platform, there's the
 Splunk cloud, right, which is self-explanatory.

0:21:52.580000 --> 0:21:57.180000
 This cloud powered insights
 for petabyte-scale data analytics

0:21:57.180000 --> 0:22:00.420000
 across the hybrid cloud with
 Splunk as a service.

0:22:00.420000 --> 0:22:02.860000
 Okay. And then Splunk Enterprise.

0:22:02.860000 --> 0:22:07.720000
 So, turn data into doing in your private
 cloud or on your premises.

0:22:07.720000 --> 0:22:14.580000
 This is what we used, if you remember,
 in the lab, the log shipping lab.

0:22:14.580000 --> 0:22:21.200000
 And you can see Solve it with Splunk,
 search and visualization, streaming

0:22:21.200000 --> 0:22:26.320000
 here, scalable indexed, and then related
 categories, of course, you now

0:22:26.320000 --> 0:22:32.180000
 have the ever more popular use
 case, which is around security.

0:22:32.180000 --> 0:22:36.660000
 So, this is where a lot of people get
 confused, especially if you have

0:22:36.660000 --> 0:22:39.800000
 known about Splunk for
 a decade at this point.

0:22:39.800000 --> 0:22:43.880000
 It actually confused me when
 this switch happened.

0:22:43.880000 --> 0:22:47.440000
 In any case, you can learn more
 about Splunk Enterprise.

0:22:47.440000 --> 0:22:50.820000
 And you can see in this case,
 it's very specific.

0:22:50.820000 --> 0:22:53.640000
 Sorry, it's not specific to any use case.

0:22:53.640000 --> 0:22:58.760000
 It says search, analysis, and visualization
 for actionable insights from

0:22:58.760000 --> 0:23:00.380000
 all of your data.

0:23:00.380000 --> 0:23:04.480000
 Okay. So, this is, in this case,
 it's not really a SIEM.

0:23:04.480000 --> 0:23:07.400000
 Now, of course, you can customize
 it to operate like a SIEM.

0:23:07.400000 --> 0:23:10.620000
 And you can see all the D log
 sources or data sources.

0:23:10.620000 --> 0:23:15.700000
 So, you have events, logs, metrics, traces,
 and then manage search, federate,

0:23:15.700000 --> 0:23:19.880000
 automate. In here, you have third party
 tools that can be integrated,

0:23:19.880000 --> 0:23:24.140000
 custom and third party apps or services,
 and then APIs, integrations,

0:23:24.140000 --> 0:23:29.820000
 models, visualizations, and they now
 have, you know, detect, investigate,

0:23:29.820000 --> 0:23:34.880000
 respond, which is powered by Splunk
 AI, which is sort of the foundation

0:23:34.880000 --> 0:23:37.020000
 for security observability.

0:23:37.020000 --> 0:23:43.200000
 In any case, the key, you know, as I
 said, historically speaking, Splunk

0:23:43.200000 --> 0:23:48.100000
 was all about, you know, providing you
 the platform to ingest data, search

0:23:48.100000 --> 0:23:52.400000
 your data, analyze your data, visualize
 your data, whatever that data

0:23:52.400000 --> 0:23:58.020000
 may be. And, you know, you can actually
 take a look at the other features

0:23:58.020000 --> 0:24:03.100000
 here. But then, of course, we have Splunk
 Security, right, which is now

0:24:03.100000 --> 0:24:05.680000
 very, very specific to
 security operations.

0:24:05.680000 --> 0:24:11.900000
 So, you can see the tagline here is
 power, power the SOC of the

0:24:11.900000 --> 0:24:16.020000
 future, strengthen digital resilience
 by modernizing your SOC with unified

0:24:16.020000 --> 0:24:21.080000
 threat detection, investigation, and
 response, which is exactly what we

0:24:21.080000 --> 0:24:28.040000
 are doing here. So, you have,
 you can see there's detection.

0:24:28.040000 --> 0:24:31.380000
 There's, you know, they say unify security
 operations, which means you,

0:24:31.380000 --> 0:24:34.220000
 you know, pretty much have
 everything in one platform.

0:24:34.220000 --> 0:24:39.500000
 And, yeah, there's sort of a breakdown
 of all these features.

0:24:39.500000 --> 0:24:43.800000
 So, Splunk platform powered by AI, the
 Splunk Enterprise Security, which

0:24:43.800000 --> 0:24:45.420000
 is a SIEM, or security analytics.

0:24:45.420000 --> 0:24:52.200000
 That comprises Splunk Asset and Risk
 Intelligence, which is, you know,

0:24:52.200000 --> 0:24:55.580000
 continuous asset discovery and management,
 Splunk Attack Analyzer, which

0:24:55.580000 --> 0:24:59.020000
 is a threat analysis tool or capability.

0:24:59.020000 --> 0:25:06.720000
 Splunk SOAR, which is security automation,
 orchestration, etc.

0:25:06.720000 --> 0:25:11.160000
 And then Splunk UBA, which I mentioned
 in the slides, which is user behavior

0:25:11.160000 --> 0:25:16.060000
 analytics. And that's the Splunk security
 portfolio, as you can see there.

0:25:16.060000 --> 0:25:20.280000
 And then all of them combined gives
 you the unified threat detection,

0:25:20.280000 --> 0:25:23.620000
 investigation, and response, right?

0:25:23.620000 --> 0:25:28.680000
 And that's really, you know, this
 is what I wanted to point out.

0:25:28.680000 --> 0:25:32.880000
 So, Splunk Enterprise Security is what
 is actually referred to as the

0:25:32.880000 --> 0:25:38.680000
 SIEM. Then they have the SOAR, UBA,
 as I mentioned, and then the Attack

0:25:38.680000 --> 0:25:41.520000
 Analyzer, which is actually a great tool.


0:25:41.520000 --> 0:25:47.720000
 I can't really complain about that,
 but this is what is, you know, this

0:25:47.720000 --> 0:25:50.680000
 is the SIEM from Splunk.

0:25:50.680000 --> 0:25:55.660000
 And it's very important that I pointed
 this out because if I didn't, and

0:25:55.660000 --> 0:26:01.120000
 again, you sort of had, you, if you're
 aware of what Splunk was for, you

0:26:01.120000 --> 0:26:04.060000
 know, a couple of years, then you would
 have confused it with the standard

0:26:04.060000 --> 0:26:07.680000
 enterprise, as opposed
 to enterprise security.

0:26:07.680000 --> 0:26:12.320000
 In any case, that is all that
 I wanted to showcase here.

0:26:12.320000 --> 0:26:14.680000
 All right, so hopefully that made sense.

0:26:14.680000 --> 0:26:21.060000
 Now that we have the SIEM section out
 of the way, we're now going to be,

0:26:21.060000 --> 0:26:26.980000
 you know, digging or starting to get
 our hands wet in terms of the focus

0:26:26.980000 --> 0:26:32.780000
 of this course, which is detection and
 analysis, but specifically analysis,

0:26:32.780000 --> 0:26:35.620000
 because that's really the important
 aspect for incident response.

0:26:35.620000 --> 0:26:41.400000
 But what I've been doing or the way
 I envisaged this course in terms of

0:26:41.400000 --> 0:26:46.660000
 its structure was to start off with,
 you know, where the detection in

0:26:46.660000 --> 0:26:49.000000
 all where the data comes from.

0:26:49.000000 --> 0:26:57.520000
 So logs, the tool used to, you know,
 detect, you know, I wouldn't say

0:26:57.520000 --> 0:26:59.240000
 alerts, but detect incidents.

0:26:59.240000 --> 0:27:03.280000
 And now that you're starting to understand
 that and, you know, you're

0:27:03.280000 --> 0:27:09.360000
 sort of getting, you're getting familiarized
 with the tools used in detection,

0:27:09.360000 --> 0:27:14.300000
 we can start turning our attention to
 detection engineering and triage,

0:27:14.300000 --> 0:27:20.180000
 which is where we are sort of now, you
 know, moving from just basic, you

0:27:20.180000 --> 0:27:24.140000
 know, what you'd consider a SOC tier
 one analyst based operations.

0:27:24.140000 --> 0:27:31.100000
 So, you know, detecting stuff,
 writing, writing rules, etc.

0:27:31.100000 --> 0:27:36.560000
 We're now going to get, as I said, into
 detection engineering, the triage

0:27:36.560000 --> 0:27:40.900000
 process, and then that'll bring us to
 analysis, which is typically where

0:27:40.900000 --> 0:27:45.060000
 the incident responder comes into play
 where it's already, an incident

0:27:45.060000 --> 0:27:48.960000
 has already been escalated to
 them or in this case to you.

0:27:48.960000 --> 0:27:52.380000
 And you know, pretty much dive into
 the analysis, whether it be endpoint

0:27:52.380000 --> 0:27:54.660000
 analysis or network analysis.

0:27:54.660000 --> 0:27:58.900000
 That doesn't mean that we're moving away
 from using the SIEM or log analysis

0:27:58.900000 --> 0:28:00.780000
 or anything of the sort.

0:28:00.780000 --> 0:28:04.900000
 You know, it just means that when we get
 to that section, although sections

0:28:04.900000 --> 0:28:09.720000
 of the course are going to be very specific
 to what you'd consider incident

0:28:09.720000 --> 0:28:14.980000
 response to be. But you'll see the value
 of everything that we've covered

0:28:14.980000 --> 0:28:18.440000
 with regard to detection, logging, etc.

0:28:18.440000 --> 0:28:22.260000
 When we get to those stages, because
 you'll sort of have a unified or

0:28:22.260000 --> 0:28:27.420000
 holistic, I'm using Splunk's language
 now, you have a unified understanding

0:28:27.420000 --> 0:28:36.760000
 of, you know, the detection process
 and how that works and how it can

0:28:36.760000 --> 0:28:41.100000
 be improved. And where the
 issues are coming from.

0:28:41.100000 --> 0:28:44.880000
 And the reason that's important is
 because, again, you want to reduce

0:28:44.880000 --> 0:28:51.200000
 alert fatigue and you only want to ensure
 systematically that only legitimate

0:28:51.200000 --> 0:28:54.820000
 incidents are escalated to
 the incident responders.

0:28:54.820000 --> 0:28:58.800000
 So in any case, with that being said,
 that's going to be it for this video.

0:28:58.800000 --> 0:29:01.040000
 And I will be seeing you
 in the next video.

