
© 2019 SPLUNK INC.

Triggers and Alerts in Splunk Cloud Services.

Miranda Luna & Declan Shanaghy, Developer Platform | Splunk

.conf19

Miranda Luna, Product Management | Splunk Developer Platform

Declan Shanaghy, Architect | Splunk Developer Platform

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.

Triggers & Alerts in SCS vs Enterprise Scheduled Searches

Splunk Enterprise scheduled searches:

• Scheduled search for all scenarios, including real-time (poll-based alerting)
• Consumes resources from the instances on which it runs
• Searches and actions are tightly coupled
• Install apps from Splunkbase to expand the out-of-the-box action set

Splunk Cloud Services triggers & alerts:

• Scheduled search for some scenarios, DSP pipelines for others (poll- and event-based alerting)
• Consumes resources from Splunk Cloud Services
• Searches and actions are decoupled
• Admin-defined action set

Vision: Conceptually & Architecturally

Conceptually - Data-oriented orchestration framework
• Look for signals in your data
• Take Action when the signals appear
• Integrate many different kinds of Actions

Architecturally - Decouple Triggers from Alerts
• Triggers fire within the platform
• You define triggers on data insights
• Attach Actions to Triggers

Conditions: Observation of state

Use Cases
• Notice when…
  – pods thrash memory
  – a new member joins the tenant
  – a user shares a workbook
• React when…
  – there are repeated login failures
  – a change needs to be rolled back
  – a service needs to be restarted

[Diagram: conditions → trigger → actions]

Triggers: Produced when a condition is met

• Name of service thrashing memory
• How many times it has happened
• Who joined the tenant
• Who added them
• The context of the investigation
• A link to the investigation

Actions: What should be done about it

• Open a VictorOps incident
• Message a Slack channel or user
• Customizable webhook
  – Create a ServiceNow ticket
  – Run a Phantom playbook
• Email

Architectural Overview

Trigger Producers
• Recurring Search
• Identity Service
• Apps

Trigger Consumers
• Action Service
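To make the decoupling the Vision and Architectural Overview slides describe concrete, here is an added toy model (not Splunk Cloud Services code; Trigger, recurring_search, ActionService and webhook_action are assumed names): a poll-based producer applies a numeric condition to search results and emits a trigger that carries only context, while the action service enforces the admin-defined action set before any action can be attached and runs attached actions independently.

```python
"""Toy model of the decoupled trigger/action flow from the slides.
Added illustration, not Splunk Cloud Services code; all names are assumptions."""
from collections import Counter
from dataclasses import dataclass
# Constructed sample events, as a recurring (poll-based) search might return them.
LOGIN_EVENTS = [{"user": "alice", "result": "failure"}] * 3 + [
    {"user": "bob", "result": "success"},
    {"user": "alice", "result": "failure"},
]

@dataclass
class Trigger:
    """Produced when a condition is met; carries context, never the action."""
    name: str
    context: dict

def recurring_search(events, threshold):
    """Poll-based producer: numeric condition check over the search result."""
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    return [Trigger("repeated_login_failures", {"user": u, "count": n})
            for u, n in failures.items() if n >= threshold]

class ActionService:
    """Trigger consumer. Only admin-registered actions may be attached."""
    def __init__(self):
        self.registry = {}   # admin-defined action set: name -> callable
        self.bindings = {}   # trigger name -> list of action names
        self.log = []        # failures are recorded, not raised to the producer
    def register_action(self, name, fn):
        self.registry[name] = fn

    def attach(self, trigger_name, action_name):
        if action_name not in self.registry:
            raise ValueError(f"action {action_name!r} is not admin-defined")
        self.bindings.setdefault(trigger_name, []).append(action_name)

    def consume(self, trigger):
        # Simultaneous actions: each runs independently; one failure blocks none.
        results = []
        for action_name in self.bindings.get(trigger.name, []):
            try:
                results.append(self.registry[action_name](trigger))
            except Exception as exc:
                self.log.append(f"{action_name} failed: {exc}")
        return results

def webhook_action(trigger):
    """Stand-in for a customizable webhook (a real one would POST the context)."""
    return f"webhook:{trigger.context['user']}:{trigger.context['count']}"
```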

Monitoring your Data

New Member Joins Tenant

• Triggers produced by the platform
• Actions defined by an app
• One-time setup
  – Create webhook action
• Upon trigger
  – Your webhook is called

Invitation to Collaborate

• Triggers produced by an app
• Actions defined by an app
• One-time setup
  – Create message action
• When invited to collaborate
  – Message is stored
• Upon User B login
  – Messages are shown

Demo

Priorities for SCS Triggers & Alerts: Today & Tomorrow

Available Today
• Poll-based triggers (recurring searches)
• Numeric condition checks
• Simultaneous Actions
• Generic Webhook
• Webhook Template for VictorOps
• Webhook Template for Slack

Next Priorities
• Event-based triggers (DSP pipelines)
• Sequential Actions
• Admin action configuration
• First-class VictorOps & Slack integrations
• Webhook template for Phantom
• Webhook template for ServiceNow

Reaching the team

We want to hear from you!

• Triggers & Alerts Usage & Feedback Survey: <to link once finalized>
• Booths: Foundations & Platform > Splunk Investigate; Developer > Splunk Cloud Services: Under the Hood
• Email: <to add>
• Slack: <to add>
• Docs: <to add link when finalized>

Q&A

Thank You!