Meet ES Helper

ES Helper is the purpose-built tool for getting Splunk Enterprise Security over the hump and actionable for security teams. Enterprise Security is a complex product that consumes many kinds of data to build its visuals and track its notable events, and that complexity can be off-putting to new or inexperienced Splunk Admins. ES Helper bridges the gap and gives those teams a head start on an excellent security tool.

Where are we at?

Every action plan needs a starting place, and ES Helper finds it for you with automation. Using a set of purpose-built searches, the Atlas Element analyzes your ES deployment and produces the ES Utilization Score.

This score immediately tells Splunk and ES owners where they ‘are’ with their deployment and how much room they have to grow. It is a simple way to track growth of the platform over time, to measure how well the security investment is being used, and to condense the complex workflows of ES into a digestible format.

What’s next?

After gaining perspective on the status of the Enterprise Security deployment with the ES Utilization Score, the next logical question is how to improve it. ES Helper answers that with the ES Datamodel Report. This report shows how much data is being ingested into each Enterprise Security datamodel and layers a priority lens over it for context.

The priority labels are derived from Team Atlas’s investigation into how Splunk ES uses each datamodel, the importance of the outcomes tied to that data, and how much bang for the data buck each data point gives security analysts. Combining this priority with the report’s view of how well populated each datamodel is, Splunk Admins can quickly identify which datamodel should be filled out with more data to improve data coverage in Enterprise Security.

Better still, selecting a datamodel in Atlas ES Helper lists the recommended sourcetypes for populating that datamodel with actionable data.

This workflow enables Admins to go from zero to hero with ES with a clear line of sight on next steps for improving their security monitoring and posture!

What’s Changed?

After updating a datamodel with a whole slew of additional data sources, an Admin may ask what impact they actually had. With ES Helper, Admins can use our analysis to see which dashboards and searches changed as a result, giving them a quick validation check and a reward for their hard work!

Conclusion

ES Helper speeds up the technical and slow process of improving an Enterprise Security deployment. By fast-tracking a Splunk Admin’s ability to analyze their environment, identify new data sources, and track changes, Splunk Admins can quickly improve their security CIM coverage and measure that improvement. Bringing Expertise on Demand into the mix improves this further, helping Admins meet their security needs ahead of schedule!

Meet Data Utilization

Data Utilization is an excellent companion Element to Data Management. While Data Management focuses on tracking ingests with metadata and awareness alerts, Data Utilization uses automation to help Admins and users track how users, scheduled searches, and dashboards are actually using the data being ingested into Splunk.

How is this being used again?

Data Utilization helps Admins quickly identify how data is being used across their environment and by whom. By tracking what ad-hoc searches and scheduled searches are searching across all data, Data Utilization can highlight active data streams. It also examines dashboards that have been used recently and records what data each dashboard load pulls in. All of this comes together in an easy-to-understand report.

Admins can change the filter for the search, splitting the data by index for high-level investigations, by index and sourcetype for normal baselines, or by index, sourcetype, and source to identify individual data points that slipped through the cracks. Admins can select any one of these findings to learn more about its utilization.

Using Data Utilization, Admins can quickly identify who is searching a sourcetype, which scheduled searches use it, which dashboards use it, and when! Admins can also inspect the SPL behind each of these three categories.

Make way for the new!

Data Utilization also offers a powerful perspective for Splunk owners. By analyzing how data is being used, Admins can quickly identify deprecated data streams that could be removed from Splunk. The benefits are evident: it makes room for other ingests serving more important use cases, or brings a deployment back under its license limit, reducing Splunk operating costs. A further benefit is reduced technical debt, since Splunk Admins can focus on the data streams that matter to their users!

Conclusion

Data Utilization is a powerful tool, enabling Splunk Admins to quickly come to terms with how their environment is being used by both users and scheduled searches, while empowering Admins to jumpstart discussions about prioritizing data streams. With Data Utilization, Admins can more easily reduce license utilization while increasing visibility.

Starting Small in Splunk: Reports and Dashboards for Beginners!

So, you have your data ingesting into Splunk and some familiarity with Splunk’s Search Processing Language (SPL for short), but now you are wondering what’s next on your data journey. How do you go from the massive sandbox that is the Splunk platform to a tailored experience that gets you where you need to be, fast? By understanding reports and dashboarding, of course! With these pivotal Splunk tools, you will design the best tools for you and your teammates for turning data into intelligence and action!

Now, before you become a Splunk hot-shot, it’s important to slow down and ensure that the work you are about to do is approved and in the correct location. If you are not the Splunk Admin of your environment, reach out to them and make sure you have the OK to build reports and dashboards (otherwise known as ‘knowledge objects’) on the system. Splunk Admins may have processes or designated locations for you to build your beautiful creations, so it’s important to check first!

Speaking of locations, before we create these helpful knowledge objects, ensure that you are in the correct application. If your Admin did not direct you to one, select the Splunk Enterprise logo at the top left of the menu bar to see a list of applications.

Selecting this header will take you to the Home page, showing all installed or custom Splunk Apps on the left!

Use whichever app your Splunk Admin directed you to for your mission, or find the app that aligns most closely with your use case and select it. You may even want to ask about, or look into, getting an application of your own!

You shouldn’t be scared or overwhelmed by what an ‘application’ is. Think of it more as a folder of dashboards and custom reports and less as something you would find on your phone. Apps separate your knowledge objects into logical buckets for consumption.

Alright, so after clicking down into your Splunk application of choice, you are in the right place, and now it’s the right time to learn about reports! Reports are searches that you really like and want to save for later: for example, the search you spent all morning building that counts pings to your website from foreign IPs, or one that tracks the amount of money billed on projects.

To create a report, you first need a search, so write a search that you find helpful with your data. Make sure you get the time range right! Here is my sample search that finds events with a value greater than 2000 in the ‘score’ field.

Now massage that search. Make the visual at the bottom match what you want. Do you want it to be a table? Or a timeline? Whatever looks best to you, make it so!

Finally, hit that big ‘Save As’ button in the top right! Select Save as Report…

Give it a name and description, save it, and then click View to see your new report.

You can continue to edit and refine the search through the Edit menu, or change the time range to whatever you currently need. To find this report later, go to Settings in the top right and select Searches, reports, and alerts. Yours should appear in the list!

And that’s it! Now if you have a great search tracking some fantastic outcome, save it as a report and you can come back to it or share it as the data updates! But what if you have multiple searches and reports that play off each other? Well then, it’s time to build a dashboard!

Dashboards in Splunk are a collection of useful Splunk searches and visualizations that let users quickly get a pulse on their data and determine outcomes from live findings. Dashboards are essential for creating clean reports that automatically update as data flows into Splunk. To make a dashboard, start just as we did with a report, but instead of saving the search as a report, save it as a dashboard panel!

Now the modal that pops up may be overwhelming, but don’t worry! Just tackle it piece by piece and you got this!

  • Dashboard Selection
    • Select New if you are making a new dashboard!
    • Select Existing and search for your previous dashboard if you are adding to an existing one!
  • Dashboard Title
    • If it’s a new dashboard, give it a name, like “Firewall security” or “Finance Statements”
  • Dashboard ID & Description
    • Feel free to keep these as they are
  • Dashboard Permissions
    • If you plan on sharing this dashboard with others (or having them review its content), click ‘Shared in App’!
  • Panel Title
    • Give the search a name; it will appear as the panel title on the dashboard
  • Everything else
    • Ignore for now! We can change it later!

And hit save! Then you should select ‘View Dashboard’ to see it in action.

Boom, dashboard made, but a bit bare! Want to add more to it? Hit the Edit button in the top right and start adding searches using the ‘Add Panel’ button. I recommend adding statistics tables first, since you can always change the visualization later.

Two pieces of advice! First, your dashboard is extremely malleable, so don’t be afraid to throw broken or simple visualizations on it for the time being and fix them later using the open-in-search button or the change-visualization button.

And second, hit that Save button in the top right often! If you leave the dashboard mid-edit, it will not save your work! 
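To make the report and dashboard steps above concrete, here is an added example that is not from the original page: the Simple XML that Splunk generates behind a dashboard like the one described, written out by hand. It covers both halves of the guide: the first panel runs the ‘score’ search inline, and the second panel reuses a saved report by name. The index name (main), sourcetype (app_events), and report name (High Score Events) are assumptions for illustration, not values from the page.

```xml
<dashboard>
  <label>Score Monitor</label>
  <description>Beginner dashboard: one inline search panel and one panel that reuses a saved report</description>

  <!-- A time picker, so viewers can change the range without editing SPL -->
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <!-- Panel 1: inline SPL, the same search saved earlier as a report.
         index=main and sourcetype=app_events are assumed names for this example. -->
    <panel>
      <title>Events with score above 2000 (per hour)</title>
      <chart>
        <search>
          <query>index=main sourcetype=app_events score>2000 | timechart span=1h count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>

    <!-- Panel 2: reference the saved report by name instead of repeating its SPL.
         "High Score Events" is an assumed report name; use the name you gave yours. -->
    <panel>
      <title>High score events (from saved report)</title>
      <table>
        <search ref="High Score Events">
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

You can view this XML for any dashboard you built through the UI via Edit, then Source, which is a handy way to check what the form actually saved. Two things worth knowing before you share it: an inline search like the first panel runs with the permissions of whoever is viewing the dashboard, so they only see data their role can already search, and a referenced report like the second panel runs as the viewer too unless the report’s permissions are set to run as its owner. Setting a dashboard to ‘Shared in App’ makes it visible to everyone with access to that app, so check with your Admin before sharing anything built on sensitive data.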

Splunk is a powerful tool, and once users are familiar with SPL, reports, and dashboards, they become extremely effective! If the data is there, a dashboard can be whipped up in a matter of minutes, and manual processes become automated with live data. Good work getting through this guide; check out the others for more topics and advanced mechanics, and most importantly, enjoy your Splunking!