splunk

Note from Splunk User Behavior Analytics (eLearning)

Reference link

• Module 1
  • UBA Documentation

記錄 Splunk Infrastructure Overview elearning 的一些資料

Reference Notes

• Module 2
  • Hardware Requirements
  • Architecting & Deploying Course
  • Run Splunk as Non-root User
  • Choosing a Windows User
• Module 3
  • Ulimit Info
  • Transparent Huge Pages Info
  • Install Windows Via CLI
  • Https in Splunk Web
• Module 4
  • Components & The Data Pipeline
  • Splunk Admin Course
  • Splunk Admin Manual
• Module 5
  • Archiving Data Info
  • Restoring Archived Data
  • indexes.conf Options
• Module 6
  • Authentication Methods
• Module 7
  • Planing a Deployment
  • Heavy Forwarder Info.
  • Securing Forwarder Data
  • SplunkBase
  • App Developer Courses
• Module 8
  • DMC Manual

列一下目前知道的 splunk knowledge object

Splunk knowledge objects (SKOs)

• Macros
  • A parameterized portion of a search such as an eval statement or a search term that can be reused in multiple places, including saved and ad hoc searches, and which is used in a manner similar to a search command. Search macros can contain arguments, but they are not required.
  • Macros are configured through the Advanced Configuration section of the GUI, or via the macros.conf file located within the App.
• Event types
  • A type of knowledge object that enables you to categorize and label all the indexed events that match a specified search string. An event type has a name and an associated search.
  • Event types are configured through the Advanced Configuration section of the GUI, or via the eventtypes.conf file located within the App
• Tags
  • A knowledge object that enables you to efficiently search for events that contain particular field values. You can assign one or more tags to any field/value combination, including event types, hosts, sources, and source types.
  • They offer a very granular approach to searching data; tags are created through the GUI, or are present within tags.conf.
• Saved searches
  • A search a user has made available for later use. Searches can be saved as reports, alerts, or dashboard panels.
  • Saved searches can be created through the GUI, or by editing savedsearches.conf.
• Dashboards
  • A type of view associated with an App. A dashboard contains one or more searches that display data in visualizations. Panels in the dashboard contain the visualizations.
  • Dashboards are critical to Apps, as they show all the data visualizations that are relevant to an App. Without dashboards, your App is an add-on. Dashboards have a specific place within the App
• Lookups
  • A knowledge object that enables the addition of fields and related values to search results based on field matching with a CSV table or a Python script. For example, you can use a lookup to perform DNS or reverse DNS lookups on IP addresses or host names in your data.
  • Lookups help to enrich your indexed data with static data or state data
  • Lookups are in the lookups folder of the App, and are generally CSV files.
• Configurations
  • A file (also referred to as a conf file) that contains Splunk configuration information. Splunk writes configuration settings into configuration files. Configuration files are stored in a number of directories, including $SPLUNK_HOME/etc/system/default (these are preconfigured and not to be edited), $SPLUNK_HOME/etc/system/local, and $SPLUNK_HOME/etc/apps/. You can configure Splunk settings and processes by editing configuration file stanzas.
  • Configuration files are the meat and potatoes of your application. They decide how all of your SKOs get defined, how fields are extracted, and more. Almost everything that needs to be done can be done within a configuration file.

Object permissions

• Object permissions are an integral part of securing Apps and their knowledge objects
• Splunk permissions are role-based, meaning that a user needs a specific role (either assigned by Splunk or via external authentication and authorization systems) to read or write the knowledge object.
• Permissions are controlled within the default.meta and local.meta files in your metadata folder in the App
• The configuration structure
  [<object_type>/<object_name>] access = read : [ <comma-separated list of roles>], write : [ comma-separated list of roles>]

splunk developer site

• https://dev.splunk.com/

create Splunk App

• Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise
• Quick Start tutorial: Create Your First App
• Share Your Splunk Apps, Templates, Plugins
• Develop Splunk apps for Splunk Cloud or Splunk Enterprise ** 重要

Splunkbase

• Splunkbase for the hundreds of apps and add-ons

Splunk app & add-on

• Lifecycle of a Splunk app for Splunk Cloud or Splunk Enterprise
• Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise ** 必讀
  • Add navigation to an app in Splunk Cloud or Splunk Enterprise
• Tutorial: Create a Custom Splunk View Tutorial for the Splunk Developer Program for Splunk Enterprise * 有關 custom visualizations 的教學
• Apps and add-ons
• Developing Views and Apps for Splunk Web 官方文件
  • 說明何者為 Splunk app & Splunk add-on
  • What is a Splunk app?
  • What is a Splunk add-on?

Splunk AppInspect

• Validate quality of apps or add-ons for Splunk Cloud or Splunk Enterprise with Splunk AppInspect
• Install Splunk AppInspect
  • 在 Mac 上安裝時，會發現有些 dev library 沒有安裝，將需要的 library list 如下
    • $export CPATH=xcrun –show-sdk-path/usr/include
    • $brew install libjpeg
    • $brew install libmagic
• Use the Splunk AppInspect CLI tool

Splunk Develop

• Splunk Developer Program
  • splunk dev 官網
• App deployment overview

跟 syslog 相關的

• Best Practice For Configuring Syslog Input
• Splunk Success with Syslog
• Trend Micro Deep Security for Splunk * 可以由這個來看看
  • Splunk for Deep Security - github page

pack Splunk App uisng Packing Toolkit

• Package apps for Splunk Cloud or Splunk Enterprise using the Splunk Packaging Toolkit

App Design Patterns

• App Design Patterns - Creating Indexes

Splunk Syntax Highlight

• yorokobi/vim-splunk - Syntax highlighting for Splunk .conf files

可以在進階看有關 Splunk App 的部分

• Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise 看過這份後，可以針對下列的文章再來讀讀
• Use macros to avoid index dependency
• Searches power dashboards and forms in the Dashboards and Visualizations manual.
• Use drilldown for dashboard interactivity in the Dashboards and Visualizations manual.
• Visualization reference in the Dashboards and Visualizations manual.

Restart Splunk Enterprise & refresh Splunk Web UI 的方式

• Restart Splunk Enterprise:
  1. In Splunk Web, click Settings, then Server Controls, then Restart Splunk.
  2. When you log back in, navigate to your app. The navigation will be updated and your dashboard will be open by default.
• Force a refresh of Splunk Web UI:
  • Navigate to http://localhost:8000/en-US/_bump, click Bump version to flush the client cache. If you make changes to client-side JavaScript, CSS, or static resources, this command forces those assets to be updated.
  • Navigate to http://localhost:8000/en-US/debug/refresh, click Refresh to refresh almost all Splunk Enterprise knowledge objects. To refresh only views, navigation, or saved searches, you could append ?entity=data/ui/views, ?entity=data/ui/nav, or ?entity=saved/searches to the end of the URL.
• Understand asset caching and state changes in Splunk Enterprise

有關 splunk conf

• Configuration file structure
• Get started with Search 在 splunk 中，應該是所有的 report/chart 都是透過 search 來執行的
• app.conf

Run using docker

• Deploy and run Splunk Enterprise inside a Docker container
  • docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' splunk/splunk:latest
• docker-splunk github.io

parsing CEF format

• Technology Add-on for ArcSight CEF data inputs
  • https://github.com/SecretVisons/Splunk

Call to external Restful API

• Webtools Add-on
  • source code - https://github.com/bentleymi/ta-webtools/

Document

• Courses for App Developers
• What is a Splunk app?

相關的 conference

• Splunk User Conference

自動產生 event 的程式

• Eventgen
• Splunk Event Generator: Eventgen

可參考的 app install & 設定文件

• TippingPoint Splunk Getting Started Guide

刪除 index data 的方式

• Remove indexes and indexed data

Reference Link

• Module 1
  • Splunk Documentationa
  • Splunk Education Courses
• Module 3
  • Splunkbase
• Module 4
  • Use forwarders to get data in
  • Create Custom Alert Actions
• Module 5
  • Workflow Actions
  • Splunk Fundamentals 2
• Module 10
  • Accelerate Reports
  • Advanced Dashboards and Visualizations Course
• Module 11
  • Splunk Datasets Add-on
• Module 12
  • Configure External Lookups
  • Configure KV Store Lookups
• Module 13
  • Set Up Alert Actions
  • Alert Actions

Reference Term

• SIEM(Security Information Event Management)資安事件管理平台解決方案