OVERVIEW
In the field of cybersecurity and data science, Splunk has earned its own place thanks to its advanced features and technology. It is generally used for monitoring and searching through big data, correlating information, and generating alerts, reports, and visualizations.
Below is the list of Splunk features covered in this article:
- Indexing
- Alerts
- Dashboard
- Pivot
- Reports
Indexing
In general, data indexing is a method of increasing the performance and efficiency of a database: it reorganizes data so that records can be located and accessed quickly.
Splunk uses indexing to make data available for search; it converts unstructured data into structured events so that the data can be queried reliably. In addition, the indexing process includes:
- Extracting the most common fields, including host, source, and sourcetype
- Adding timestamps
- Masking sensitive data
- Configuring character set encoding
- Identifying event boundaries using line-breaking rules
Indexing therefore plays a vital role in searching big data in Splunk: the optimized structure lets the required data be located quickly.
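To make the index-time steps above concrete, here is an added example (not Splunk's own code) that models them in Python: decoding the raw bytes with a configured character set, splitting the text into events with a timestamp-at-line-start line-breaking rule, extracting the timestamp, attaching the host, source and sourcetype fields, and masking 16-digit card numbers before the event is stored. The raw log lines, the host name "web01", the source path and the sourcetype name are all constructed for the example.

```python
"""Toy model of Splunk index-time processing (added example, not Splunk's code)."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample input: raw bytes from a hypothetical auth log. The third
# line has no timestamp and must be merged into the event before it.
RAW_BYTES = (
    b"2024-05-01T10:00:01Z sshd[101]: Failed password for admin from 10.0.0.5 port 51234\n"
    b"2024-05-01T10:00:05Z app: user=bob card=4111111111111111 action=purchase\n"
    b"    continuation line belonging to the previous event\n"
    b"2024-05-01T10:00:09Z sshd[102]: Accepted password for admin from 10.0.0.7 port 51240\n"
)

# Line-breaking rule: a new event begins at a line that starts with an ISO timestamp.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", re.MULTILINE)
# Timestamp extraction rule (same format, anchored at the start of the event).
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
# Masking rule: a 16-digit card number keeps only its last four digits.
CARD = re.compile(r"\b(\d{12})(\d{4})\b")


def break_lines(text: str) -> list[str]:
    """Split decoded text into events; lines that do not match the
    line-breaking rule are appended to the preceding event."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    events = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        events.append(text[start:end].rstrip("\n"))
    return events


def extract_timestamp(event: str) -> datetime | None:
    """Return the event's timestamp as an aware UTC datetime, or None if absent."""
    m = TIMESTAMP.match(event)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def mask_sensitive(event: str) -> str:
    """Replace the first 12 digits of any 16-digit card number with X."""
    return CARD.sub(lambda m: "X" * 12 + m.group(2), event)


def index_raw(raw: bytes, host: str, source: str, sourcetype: str,
              encoding: str = "utf-8") -> list[dict]:
    """Run the index-time pipeline and return structured events."""
    text = raw.decode(encoding, errors="replace")   # configured character set
    indexed = []
    for raw_event in break_lines(text):
        masked = mask_sensitive(raw_event)          # mask before storing _raw
        indexed.append({
            "_time": extract_timestamp(masked),
            "host": host,
            "source": source,
            "sourcetype": sourcetype,
            "_raw": masked,
        })
    return indexed


if __name__ == "__main__":
    for ev in index_raw(RAW_BYTES, "web01", "/var/log/auth.log", "linux_secure"):
        print(ev["_time"], ev["host"], ev["sourcetype"], "|", ev["_raw"])
```

The masking step runs before `_raw` is stored, which mirrors the reason Splunk masks at index time: once a sensitive value has been written to the index, it is searchable by everyone with access to that index.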
Splunk Alerts
A Splunk alert is a way of keeping watch for possible danger: it is triggered when a predefined search condition is met. Splunk alerts are classified into two types: scheduled alerts (the search runs on a schedule) and real-time alerts (the search runs continuously).
Let us consider an example: creating an alert for more than 3 failed logins by the admin user.
index=* user="admin" action="failure" [Splunk runs this search constantly; whenever a result matches the criteria above, the alert is triggered]
This feature makes Splunk well suited for real-time monitoring.
Dashboards
A dashboard is a visual layout made up of panels containing modules such as a search box or a chart, giving the user more visibility into the data. In Splunk, dashboards are typically classified into two major types:
- Dynamic form-based dashboard
A dashboard whose inputs are set by the user; the data shown changes according to the current selection.
- Static real-time dashboard
A set of panels with multiple modules.
PIVOT
Pivot is a way of building a dynamic report on a specific dataset using a drag-and-drop interface. It generally does not require writing SPL (Search Processing Language); modifications are made through the GUI, and the preset options include:
- Time range
- X-axis
- Y-axis
- Color
It helps correlate information and create custom visualizations with a few clicks.
Reports
A report is a document generated from a predefined search query; like a Splunk alert, it is triggered when a predefined criterion is met. Let us consider a scenario where we need all failed and successful logins by the user admin:
index=* user="admin" | stats count by action
This query returns the number of successful and failed logins by the user admin, grouped by action; it can then be saved in Splunk as a scheduled report.
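The alert in the Splunk Alerts section and the report above run the same kind of search, so one added Python example (not code from the article or from Splunk) models both over a constructed set of already field-extracted events: a `search` filter that plays the role of `index=* user="admin" action="failure"`, a `stats_count_by` aggregation for `| stats count by action`, a scheduled alert that fires when admin failures in the last window exceed the threshold, and a real-time alert that fires per matching result. Note that the filter alone matches every admin failure; to express "more than 3 times" in SPL an aggregation and threshold are appended (`| stats count | where count > 3`), which is what `scheduled_alert` models. The event timestamps, users and the 15-minute window are assumptions of the example.

```python
"""Added example modelling a Splunk scheduled alert, a real-time alert and a
report aggregation over constructed events (not Splunk's own code)."""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone


def _t(minute: int) -> datetime:
    """Constructed timestamp helper: 2024-05-01 10:<minute> UTC."""
    return datetime(2024, 5, 1, 10, minute, tzinfo=timezone.utc)


# Constructed sample events, already carrying the extracted fields user and action.
EVENTS = [
    {"_time": _t(1), "user": "admin", "action": "failure"},
    {"_time": _t(2), "user": "admin", "action": "failure"},
    {"_time": _t(3), "user": "bob", "action": "failure"},
    {"_time": _t(4), "user": "admin", "action": "failure"},
    {"_time": _t(5), "user": "admin", "action": "failure"},
    {"_time": _t(30), "user": "admin", "action": "success"},
    {"_time": _t(45), "user": "admin", "action": "failure"},
]


def search(events: list[dict], **criteria) -> list[dict]:
    """Field filter, equivalent to: index=* user="admin" action="failure"."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def stats_count_by(events: list[dict], field: str) -> dict:
    """Aggregation, equivalent to: | stats count by <field>."""
    return dict(Counter(e[field] for e in events))


def scheduled_alert(events: list[dict], now: datetime,
                    window: timedelta = timedelta(minutes=15),
                    threshold: int = 3) -> dict:
    """Scheduled alert: search the last `window` and fire when the number of
    admin failures is greater than `threshold` (| stats count | where count > 3)."""
    start = now - window
    recent = [e for e in search(events, user="admin", action="failure")
              if start < e["_time"] <= now]
    return {"count": len(recent), "fires": len(recent) > threshold}


def realtime_alert(events: list[dict]) -> list[dict]:
    """Real-time alert with a per-result trigger: every matching event, as it
    arrives, produces one alert instance."""
    return search(events, user="admin", action="failure")


def login_report(events: list[dict], user: str = "admin") -> dict:
    """The report query: index=* user="admin" | stats count by action."""
    return stats_count_by(search(events, user=user), "action")


if __name__ == "__main__":
    print("10:15 scheduled run:", scheduled_alert(EVENTS, _t(15)))
    print("10:59 scheduled run:", scheduled_alert(EVENTS, _t(59)))
    print("real-time triggers:", len(realtime_alert(EVENTS)))
    print("report:", login_report(EVENTS))
```

The two scheduled runs show why the window matters: four admin failures between 10:01 and 10:05 exceed the threshold at the 10:15 run, while the single failure at 10:45 does not at the 10:59 run, so the alert fires once rather than on every failure.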
Conclusion
A practical demonstration of how to implement all of these will be published soon. Stay tuned, and happy reading!