Slide 1

© 2017 SPLUNK INC.

Title slide (the Japanese title text did not survive extraction; the deck covers Sysmon). Sales Engineer, 2018/07/01, Ver1.0

Slide 2

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.


Slide 7

sysmon


Slide 11

sysmon demo (text garbled in extraction; recoverable terms: Chrome, eicar.com.txt)

Slide 12

sysmon demo (text garbled in extraction; recoverable terms: mimikatz.exe, PC)

Slide 13

sysmon network connection events (text garbled in extraction; recoverable terms: sysmon -n, Proxy, Dest)
URL: https://medium.com/@smurf3r5/splunking-with-sysmon-c321fe87c567


Slide 15

Architecture overview (diagram text): Splunk server; Windows PCs (PC1, PC2) running sysmon; other sources: DLP, AntiVirus, ActiveDirectory, FW, Internet, IDS/Sandbox etc.

1. Windows PC: Microsoft Sysmon
2. Windows PC: Splunk Universal Forwarder
3. Splunk App: Microsoft Sysmon Add-on

Slide 16

Splunk side: Deployment Server and UF (Universal Forwarder) setup (text partly garbled; recoverable items follow)
http://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Planadeployment#Deployment_server_system_requirements

1. Splunk server
• Microsoft Sysmon Add-on
• UF (Universal Forwarder)
• Splunk
• (Splunk installation directory)\etc\deployment-apps\windows\local\inputs.conf
    [WinEventLog://Microsoft-Windows-Sysmon/Operational]
    checkpointInterval = 5
    current_only = 0
    disabled = 0
    start_from = oldest
• (Splunk installation directory)\etc\deployment-apps\windows\local\outputs.conf
    [tcpout]
    defaultGroup = default-autolb-group
    [tcpout:default-autolb-group]
    server = 172.xx.xx.xx:9997
    [tcpout-server://172.xx.xx.xx:9997]

Slide 17

Windows PC side (text partly garbled; recoverable items follow; step 2 did not survive extraction)

1. Windows PC
• Download sysmon
• Download the sysmon config (sysmonconfig-export.xml) and place it together with sysmon.exe
  https://github.com/SwiftOnSecurity/sysmon-config
• Install sysmon on the Windows PC:
    Sysmon.exe -accepteula -i sysmonconfig-export.xml -l -n

3.
• Deployment Server: Windows - sysmon
• Install the Universal Forwarder:
    msiexec.exe /i splunkforwarder-6.4.9-493044ecc65a-x86-release DEPLOYMENT_SERVER="(Splunk hostname or IP):8089" AGREETOLICENSE=Yes /quiet
• Note on forwarder versions for Windows 7 32-bit (forwarder Ver 5) and Windows 10 (text garbled)
• Splunk ... Windows (text garbled)

Slide 18

1. sysmonconfig-export.xml: the sysmon config published on GitHub is used as the Sysmon configuration.
URL: https://github.com/SwiftOnSecurity/sysmon-config
The config consists of exclude rules and include rules.
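As an added example (not from the slides and not from the SwiftOnSecurity project), a small Python evaluator that loads include/exclude rules from a constructed, shortened config in the style of sysmonconfig-export.xml and decides which events the filter would keep. The XML is constructed, and the rule semantics (an exclude hit drops the event, any include hit suffices, an event type with no include rules logs everything not excluded) are a simplification of Sysmon's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened config in the style of sysmonconfig-export.xml
# (illustrative only; not the real SwiftOnSecurity file).
SAMPLE_CONFIG = r"""<Sysmon schemaversion="3.40">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
      <DestinationPort condition="is">4444</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

def _match(condition, rule_value, field_value):
    """Simplified versions of Sysmon's filter conditions (case-insensitive)."""
    a, b = rule_value.lower(), (field_value or "").lower()
    if condition == "is":         return a == b
    if condition == "is not":     return a != b
    if condition == "contains":   return a in b
    if condition == "begin with": return b.startswith(a)
    if condition == "end with":   return b.endswith(a)
    if condition == "image":      # full path or bare image name
        return b == a or b.endswith("\\" + a)
    raise ValueError(f"unsupported condition {condition!r}")

def load_rules(xml_text):
    """Return {event_type: {"include": [...], "exclude": [...]}} of (field, condition, value)."""
    rules = {}
    for etype in ET.fromstring(xml_text).find("EventFiltering"):
        bucket = rules.setdefault(etype.tag, {"include": [], "exclude": []})
        for rule in etype:
            bucket[etype.get("onmatch")].append(
                (rule.tag, rule.get("condition", "is"), rule.text or ""))
    return rules

def is_logged(rules, event_type, event):
    """Would Sysmon log this event? exclude rules win; any include hit suffices;
    an event type with no include rules logs everything that is not excluded."""
    rs = rules.get(event_type, {"include": [], "exclude": []})
    hit = lambda lst: any(_match(c, v, event.get(f)) for f, c, v in lst)
    if hit(rs["exclude"]):
        return False
    return True if not rs["include"] else hit(rs["include"])

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    print(is_logged(rules, "ProcessCreate", {"Image": r"C:\Windows\System32\svchost.exe"}))  # False
    print(is_logged(rules, "NetworkConnect", {"Image": r"C:\tools\chrome.exe", "DestinationPort": "4444"}))  # True
```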

Slide 19

sysmon license usage (data volume per day, per host)

    index=_internal source=*license_usage.log type=Usage s="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    | eval mb=round(b/(1024*1024),2)
    | timechart span=1d sum(mb) by h

Slide 20

TIPS

Slide 21

Deployment Server (DS) tips (text heavily garbled; recoverable points follow)
• The DS distributes apps (outputs.conf, inputs.conf) to the UFs and Indexers.
• UF → DS: 8089; Indexer → DS: 8089; 60 (default)
• DS sizing: 5000 UF ... 10,000 (text garbled)
• Universal Forwarder (UF) → Indexer: 9997 (sysmon data)
• Reference: https://answers.splunk.com/answers/494417/deployment-server-best-practices-for-scaling.html

Slide 22

UF → Indexer compression: Splunk Native vs SSL

Splunk Native
• UF: outputs.conf, compressed
• Indexer: inputs.conf, compressed=true

SSL
• UF: outputs.conf (server.conf ... true)
• useClientSSLCompression

Slide 23

[Chart: Universal Forwarder vs Heavy Forwarder, Splunk Native vs SSL; Universal Forwarder with SSL: 1/14]

Slide 24

▶ App: T = 0.04 * C + 8 (for 3000 apps: T = 0.04 * 3000 + 8 = 128)
▶ Deployment Server performance: http://docs.splunk.com/Documentation/Splunk/6.6.3/Updating/Calculatedeploymentserverperformance
