Enterprise Security Demo Script

Dimitri McKay | Staff Security Architect

Elyssa Christensen | Senior PMM Security

Christopher Arrasmith | Technical Product Marketing Manager, Security

Kyle Champlin | Principal Product Manager, Security

Splunk Security Solutions Marketing

October 2019

Version 1.2
Demo Purpose: This Demo is designed to highlight the specific value of ES as a stand-alone solution while also
mentioning where it fits in the larger Security Operations Suite ecosystem.

System Access: To ensure proper URLs all shared demos should be accessed through the main landing page of
Splunk Oxygen available at https://www.splunkoxygen.com using your individual Oxygen AD credentials (separate from Splunk
AD)

Steps Prior to Demo:

Enterprise Security:

● Ensure you have one of the Potential Ransomware Infections loaded or create one of your own based on data present
around the time of your demo and pre-load.
● Check Key Security Indicators on Posture Page so you know what to expect (up or down for Total Infections, Risk, etc)
and can modify your talk track as-needed based on the data at time of demo.
● Go into the Use Case Library (Configure → Content → Use Case Library). Ensure Web Fraud Detection Analytic Story is
not Bookmarked.
● Type and copy the word ‘ransomware’ in the search filter on the top right so that you will have it ready to paste into the
Text Box on the top right later during the demo.

General Note:
Be familiar with the high level messaging of the new features we are highlighting while also being prepared to deliver a full
Enterprise Security Demo for customers who are new and considering ES as their SIEM Solution. The order starts with the
latest full script. Vignettes for new features that have not been built into the latest core script flow are provided to highlight new
features and are available in order of release at the bottom of the script.

1
Primary Enterprise Value Demo

CLICPATH SAY DISPLAY

Splunk Home Running an effective Security Operations Center is difficult. And without
the right tools it’s nearly impossible. 1/3rd of all breaches are detected by
3rd parties and 97% of all breaches take place using stolen
credentials…meaning that despite significant investments, organizations
are still struggling to address the real-time threats that impact their
business.

During this demo I’m going to show you how Splunk’s Security
Operations Suite enables organizations to detect, investigate, and
respond in real-time to threats, attacks and other abnormal activity. And
how with Splunk’s advanced analytics, customers realize accelerated
threat detection and faster incident response across their entire security
ecosystem.

Let’s start with a high level view into the health of our overall Security
Posture and then we’ll go through what the process looks like to solve a
specific type of threat. In looking at my overall posture, across the top I
can see Key Security Indicators, or KPIs, that tell me if we’re improving
or getting worse for each for each KPI over time.

SECURITY POSTURE PAGE

→ Security Posture These KPIs can tell the analyst at-a-glance information about what’s
taking place throughout the entire organization. Here, for example, you
see we have a decrease in our Total Infections, but our overall
Aggregated risk is increasing.

2
KPI → Scroll to show These selected KPIs are just a small subset of the KPI’s splunk provides
depth -->Close out-of-box across key domains like Access, Identity Network, and Risk.
So each organization, and different teams within the SOC may select the
KPIs that make the most sense based on their role to ensure their view
provides the most meaningful at-a-glance update on their overall
posture.

On the left, we see a list of “Top Notable Events” prioritized by

frequency, along with a Sparkline. Sparklines are fantastic for helping an
analyst identify whether an event is a one-off or if it’s a constant. Let’s
use “Excessive Failed Logins” as an example. These spikes might be
users fat-fingering their passwords at 9am, but what if that’s at 3am? Or,
what if it was a constant authentication failure every 30 seconds for
several hours? That might look more like a heartbeat. And might be
indicative of either a scripted attack or more likely, cached incorrect
passwords.

The average Security Analyst is only able to close between 7 and 8

cases per day. he biggest challenges facing organizations today, is not
just prioritization and speed to resolution, but having the flexibility and
visibility to quickly and thoroughly investigate each threat to ensure
accuracy and reduce risk. Splunk accomplishes this by centralizing all
machine data for forensics, making it easy for investigators to prioritize,
and analyze the data in a variety of ways, while also providing
prescriptive content and automation.
On the bottom right, I can see the Hosts creating the highest count of
Notable Events.

INCIDENT REVIEW VALUE

3
Top Notable Event
Occurrence by Host-- By clicking on the IP address, Splunk automatically takes me to an
> 10.11.36.20 Incident Review dashboard. The Incident Review Dashboard is a key
(Incident Review) area for Security Analysts where they can begin the investigation, as well
as begin escalation and remediation processes. PUT BACK
EXPANSION

CLICKPATH DISPLAY
TYPES OF NOTABLES

Hover- UBA –
Lateral Movement Now, in looking at the list of Notable events, these Notable events may
becoming from a variety of sources to provide a single comprehensive view.
Beyond baseline notable events provided with Enterprise Security, like Host
Sending Excessive Email, or Multiple Notable Events Associated with an Asset, I
can also see events coming from User Behavior Analytics (or UBA) as well as
events that start with ESCU, which stands for ES Content Updates.

I’ll talk more about the value of UBA and ESCU Notable Events in just a
moment, but first I wanted to talk about how customers can also create new
Notable events based on their unique environment, and, although they can be
very simple, I wanted to show you how flexible splunk is to empower
organization with the ability create very sophisticated, advanced Notable
events when needed.

CLICKPATH DISPLAY
SEQUENCED EVENTS

In the Incident Review list of Notable Events, we have one here

indicating a Phishing Attack Detected on a Compromised Host. Now, the
icon for this particular notable event looks a bit different. And that’s
because this is actually a Notable Event based on Event Sequencing. A
sequenced event is a series of consecutive anomalies that collectively
indicate a very high probability of a specific threat..

4
(far left)--> Down
Arrow on “ Phishing Let’s take a closer look at this Sequenced Event. Detecting a Phishing
Attack Detected on attack requires understanding a lot more than just one individual
Compromised Host” anomaly...it involves understanding a much larger pattern of behavior.

In drilling down and looking further into this Notable Event, we can see
that Splunk has automatically identified consecutive anomalies that
collectively indicate a Phishing Attack.

It started with noticing an email attachment with lots of spaces, but at

almost the exact same time, Splunk noticed there was a rare process
kicked off, followed by DNS activity, and then Web Traffic to a Dynamic
DNS Host. Now I can also see that Splunk UBA has leveraged Machine
Learning to detect an algorithmically generated Domain Name, followed
by Lateral Movement
Now….individually, any of these anomalies may simply be Normal
Behavior. Sometimes rare processes need to be kicked off. Or a user
may generate Web Traffic to a DNS Host.
SOC teams are constantly being challenged with how to be as efficient
as possible with their time. Leveraging Splunk, they can not only define
individual notable events, but can easily define patterns of Notable
events that occur in a specific Sequence so they are automatically
notified if that pattern ever shows up again. Splunk’s ability to notify
analysts about these patterns in events significantly enhances a security
teams visibility and responsiveness, with focused threat detection and by
accelerating incident investigation.

5
 CLICKPATH DISPLAY
UBA

Incident Review
Let’s talk a little more about how Splunk UBA is generating notable
events like the one we have here for Lateral Movement and just saw also
assisted in recognizing a Phishing attack. UBA uses machine learning to
profile each identity and asset’s “normal” behavior, and then looks for
any unusual behavior patterns across users and devices------beyond
anything humans could have designed rules for, it’s really searching for
the unknowns, because It’s impossible to build rules that monitor for the
thousands of actions a bad actor can take in the process of getting or
abusing a user credential. Once UBA has identified anomalies, it uses
machine learning again to make a second pass and look for unusual
patterns in the captured anomalies that indicate a High Fidelity Threat.
Those threats are then automatically sent here so analysts can leverage
the information in their overall analysis.

CLICKPATH DISPLAY

Hover – ESCU – Any

Title Many of the other events we’re seeing here are surfaced because of
correlations provided from the ES Content Update. This content is
created by Splunk’s dedicated Security Research Team that proactively
monitors and designs content to stay on top of the latest security risks.
Their research is released about every two weeks and provides
additional correlations based on emerging threats. If we go into the Use
Case Library, we can see how the content helps address both common
and emerging threats.

CLICKPATH DISPLAY
USE CASE LIBRARY

6
Configure → Content With over 50 use cases, the Library helps analysts strengthen their
security posture with ready-to-use content that’s relevant to them. As an
→ Use Case Library example, the Use Case Library already includes pre-packaged content
(scroll to show depth) for detecting signs of malicious Phishing Payloads, protecting against
communication to fake websites generate by the EvilGinx2 toolkit, , and
content to protect against the Orangeworm Attack Group, a group that
frequently targets the healthcare industry.

Framework Mapping In this case, I’m interested in Ransomware; now I could filter down by
→ DropDown Arrow Malware, or review Use Cases based on a Specific Framework such as
the CIS Top 20, the Kill Chain Phases, or Mitre ATT&CK Chain.
→ Scroll

Top Far Right enter I can also simply search by keyword. When I filter by Ransomware, I
‘Ransomware’ to can see how this can help my organization investigate a variety of use
filter Use Cases. cases. I’m going to bookmark Web Fraud Detection so I can revisit that
use case later, as that’s another important use case for my organization.

Bookmark Web
Fraud Detection Use
Case

Click Ransomware Right now, I want to focus on the Malware Use Case associated to the
Analytic Story. Ransomware Analytic Story. Across the top I can get a wealth of
information about the purpose and value, while also understanding at a
glance exactly which phases of each Framework this will help address,
along with the most common data sources.

7
Scroll Down. Expand If we scroll down, we can leverage the content at a more granular level--
and Tab Through understanding every correlation, what the search looks like, how to
Detection, implement it, and more. We’ve aligned everything into logical categories
Investigative, so you can understand how this content aids in Detection, Investigation,
Contextual, and the Context, and ongoing Support of the Ransomware Use Case.
Support
By leveraging this content, your team can focus more of their valuable
time doing higher value tasks with the confidence that Splunk is
proactively doing Research and Development on an ongoing basis.

Let’s take a closer look at how just one of the Notable events generated
from the Ransomware Use Case Content can be analyzed in more detail
and enable investigators to quickly understand the full context to reduce
their investigation and remediation time.

CLICKPATH DISPLAY
ESCU RANSOMWARE NOTABLE EVENT ANALYSIS

Click on Incident
Let’s go back to the Incident Review page, and take a look at one of the
Review Page → fill in Notable events surfaced by the ES Content Update for Ransomware.
Common
Ransomware Notes
→ Submit

Expand ESCU -
Ransomware Notice I can see who owns this IP, where it’s located, and a wealth of
Notable Event other information. I can also see on the right, a number of automated
(may be on pg. 2) actions that have already been executed. Splunk provides an Adaptive
Response framework that enables issuing commands to an external
system for further actioning, such as the Phantom SOAR platform.
I can also see the recommended next steps.

8
To the right of Value
But let’s go back over here on the left, and take a look at just a few of the
10.11.36.20 (Risk) →
ways we can pivot to continue this investigation. We have a number of
Action Dropdown actions we might take. Within the context of this IP, we can pivot to
dashboards in Splunk, and also off to third-party resources. If we want to
see what the IDS says about this device, either as a source, destination,
or both, we can do that. If we want to see what traffic has taken place or
what updates have been installed or are available for this device, that’s
another easy way to pivot our analysis and get a more holistic picture of
the situation.
This ability to pivot across sources and across perspectives provides
faster context and visibility that leads to more tickets closed, and with
more accuracy. Let’s go down just one of these paths to see how this
would be carried out, by going into the Asset Investigator to continue our
investigation.

ASSET INVESTIGATOR

Source → Action →
From here, we’re using swimlanes to identify all of the notable events
Asset Investigator- from each source that have taken place within a specific time frame,
(pause) 🡪 any Dark shaded based on the volume of Notable Events.
Blue Authentication
Bar We’re tracking successful and failed authentication to and from this
device, changes to configuration files, application installations, and
registry changes. We’re also tracking communication to known bad
actors via threat data, what attacks the IDS has identified to this device,
and what malware outbreaks have occurred.

Select UBA Anomaly But at a high level I can also visually find patterns in the data, such as
this clustering of Notables across sources occurring after an account
→Drag select group → takeover, and simply highlight them to define a new notable event in the
Bell on right (hover) future.

Now that we’ve taken a look at just one of the ways we can pivot and

9
until ‘Create Notable’ analyze a Notable event and also define a new notable event, let’s talk
about how Notable Events can be turned into specific investigations.
appears (do not
create a new Notable
event)

SECURITY DOMAIN

Security Domains There is a wealth of other prescriptive content provided throughout

→ Access → (hover) Enterprise Security designed to expedite the investigation monitoring,
analysis, and actions needed to secure the business
Access Tracker
Here, under security domains, we have a comprehensive set of best
practice dashboards. As an example, Access Dashboards track all
manor of logins from any number of authentication mediums you may
have. Almost all breaches involve valid credentials and here is where
an analyst can go to see all of the activity used with any valid
credentials.

Back → Endpoint -- Breaches begin with Endpoints. Here, under Endpoints, we can see not
only Malware outbreaks, but also the operational side of security which
(hover) Malware
tracks malware operations, anit-virus code versions, and virus updates,
Center, (hover)
as well as what updates are installed or available.
Malware
Operations (hover),
Update Center
(hover)

10
Back → Network → Here, under Intrusion Center, it’s exactly what you would expect. Now,
you probably have dashboards for each of these in the individual tools
(hover) Intrusion that feed this data. But the difference is, we can quickly pivot between
Center, them and correlate across these sources to to reduce the time to
remediate.

The second path we can take is proactive security. This is where

splunk goes from enabling faster reactive security, to proactively
reducing the risk in the first place.

Security So here we’ll give you a few examples of that. Now, splunk provides
Intelligence, (hover) content for Risk Analysis, Protocol Intelligence, Threat Intelligence and
Risk Analysis --> more. But let’s focus for a moment on the fact that we know breaches
(hover) Protocol require credentials. And how splunk can help organizations find
Intelligence, (hover) credential theft.
Threat Intelligence,
(hover)

SECURITY INTELLIGENCE CONTENT

Click → User Here we have a haversine algorithm which is a great way to do it.
Check this out. Here, we have a user who has authenticated from
Intelligence → this<location> , at this time, from<city> , locally. But they last
Access Anomalies. authenticated at this time, from <city>, and remotely. Now ,the distance
Hover first line over between these two locations, that user would have to be able to move at
key field (time, city, over 5,000 miles which would have required a speed that even
session, remote, superman probably couldn’t keep up with.
previous, distance,

11
speed etc) Let’s take a look at another part of our proactive security intelligence...

Security Here we can see a list of recently generated domains. So how would
Intelligence→ Web you feel about a domain that has only existed for 1 day, with a lot if
visits, and a pretty unusual site name that doesn’t really reflect any sort
Intelligence→ New of business or reasonable name that we can think of?!?
Domain Analysis.

Click on First Let’s click on that first Domain name, which automatically takes us into
Domain Listed a Web Search Page. From here, we can see that all of the activity has
been posts, with a Status 200, and we can also see the source
machines that are possibly reaching out to this host even without the
users’ knowledge.

So now that we’ve taken a look at just a few of the powerful ways an
analyst can investigate a specific asset, and some of the out of box
views that provide critical visibility and proactive protection to make
Security Operations significantly easier, let’s take a look at specifically
how to easy it is to create and manage an investigation in Splunk

CLICKPATH DISPLAY
CREATE/REVIEW INVESTIGATION

Going back to our Incident Review associated to this IP, if I wanted to

Incident Review Tab investigate one or more of these events, such as the Ransomware or
→ Load Investigation Lateral Movement notable, I could simply select them and create an
investigation. But in the interest of time, I’m going to open an existing
investigation.

12
 I’m going to start by looking at all of the Notables I’ve selected on a
This launches timeline so I can see the full scope of events associated to this
Workbench → go to investigation. I can see the Ransomware web traffic to a dynamic DNS
Host, a rare process that’s kicked off, followed by Lateral movement from
Timelines → bottom
the same host...essentially the entire Kill Chain.
left → +/- to Zoom as-
needed

From here, we can pivot to gather additional context, or we can take an

Click on Ransomware action. I can also add various artifacts as we progress. Those might be
Event → Details screenshots, notes, actions, or other artifacts that aid the investigative
process. On the right, I can see that a note has been added--letting me
know when the investigation started, that it’s the VP’s laptop, and who
the investigation team is.

Just in case there is some additional activity related to these artifacts.

I’m going to enable a live feed for any such activity.

Bottom Right → Bell

Down on the right, I’ve clicked on the bell, so moving forward, any new
Image → Turn On → activity which may pop up, I’ll find here. But were not done yet. Let’s
close/ok click into the investigation which we’ve started. And add some additional
artifacts

Let’s explore more about this specific asset. Within Network data I see
→ Workbench → emails from a potentially malicious external user to this destination, if I
continue my review in traffic analysis, I see spikes of allowed activity,
Assets → 10.11.36.20
and looking further at my threat intelligence, I see communication with a
→ Explore → Go known bad actor. I think it’s safe to say, this system has certainly been
compromised.
through Tabs →

13
Network Data →
Custom: Traffic
Analysis → Custom:
Threat Match →

CLOSE/VALUE

Top Right → Edit →

In the top right, we can simply update the status and Close this
Status → (hover) investigation.
Close → Cancel (if you
actually select Close it’s
going to pop up with
alerts you don’t want)

So that’s really coming full circle. Splunk’s Security Operations Suite

enables organizations to detect, investigate, and respond in real-time
to threats, attacks, and other abnormal activity. And with Splunk’s
advanced analytics, combined with its automation and orchestration
capabilities, customers realize accelerated threat detection and faster
incident response across their entire security ecosystem.

Prior Release Vignettes

Phantom Vignette:
14
Steps Prior in Phantom:

Ensure you have Phantom open on a separate Tab. Go to Phantom → Playbooks and load the Ransomware Playbook. On
the notice of missing assets select the X on the far top right of the Pop Up.

PHANTOM

Click on the Phantom

Phantom’s extensible automation and orchestration capabilities help
Browser Tab →
integrate your team, processes, and tools together. You can automate
Review the Phantom tasks, orchestrate workflows, and support a broad range of SOC
Ransomware functions. Phantom comes with pre-built playbooks including one for
Playbook already Ransomware investigation and containment. Playbooks represent the
loaded series of steps within a repeatable process that allow automation of
previously manual tasks.
The Ransomware playbook includes steps like detonating a file, hunting
down other copies of a file on the network, quarantining devices, and
preventing future infections by blocking the originating IP or file based on
its hash values. We can run the Ransomware playbook to automate not
only steps during the investigation, but the response to this attack,
reducing the manual workload and ensuring analysts can focus on their
most mission-critical decisions.

The Playbook works with apps that provide the integrations between
Phantom and the other security technologies in your environment. Each
App is designed to enable Phantom to authenticate and take action on
these other technologies or services leveraging their APIs.

Top Left → Apps →

And finally, another key part of Phantom is the visibility into the ROI
Home provided with automation. On my main Home page, Phantom is using
an average analyst’s salary and calculating the time saved for each

15
 automation, enabling me to see the real dollars saved across all of the
orchestration and automation being provided.

Auditing/Legal Vignette:

POST INVESTIGATION AUDITING/LEGAL

Just in case there is some additional activity related to these

artifacts. I’m going to enable a live feed for any such activity.

Bottom Right → Bell

Image Down on the right, I’ve clicked on the bell, so moving forward, any
new activity which may pop up, I’ll find here.
Turn on

close/ok

Far right → Action

History → Select And from an auditing/legal perspective, I can easily review and
action history type → provide reports regarding all of the activity that took place during
“Search Run” → the investigation by accessing the Action History. From here I can
Search →Checkbox review every step of the investigative process such as the
next to search → Dashboards viewed, searches run, or Event Status changes and of
(hover) Add to course, if desired, I can select those activities and add them to my
Investigation. investigation timeline.

16
Steps Prior to Demo Focused on New 6.0 Features:

● It is recommended you open multiple browser tabs to ease navigation of the new features during the demo, however the
clickpath is also provided in case needed.

Asset & Identity Management Framework Enhancements

● Asset & Identity Management Page (ES Home → Configure→ Data Enrichment→ Asset & Identity Management
● ES content management page (https://sec-keynote-es-01.splunkoxygen.com:8000/en-
US/app/SplunkEnterpriseSecuritySuite/ess_content_management (look for in portal but can’t validate at time of publishing)

Machine Learning Toolkit Integration:

● Machine Learning Audit Page: (ES Navigation Bar → Audit→ Machine Learning Audit)
● Machine Learning Toolkit Page: (App → Machine Learning Toolkit → Nav Bar)

Centralized Investigation View

● Investigation View Enhancements: (Audit → Investigation Audit)

17
 6.0 Feature Vignettes

6.0 Asset & Identity Framework Updates Vignette:

Asset & Identify Management Page

ES Home →
Configure→ Data The Assets & Identities framework in ES provides analysts the
Enrichment→ Asset ability to enrich their security data with specific pieces of
& Identity contextual information. Historically, this has been a fixed set of
Management
fields that are shipped as a set of out-of-box lookups. With ES 6.0,
we expanded that capability to not only improve the scalability
and predictability, but of greatest value, we’ve made the
Framework extensible to provide customers more flexibility, and
control.

→ Asset Settings tab

With this latest advancement, we’ve consolidated a series of
views that were previously located in a variety of places
throughout ES, making it simpler and easier to manage your A&I
datasets.

→
bcmotors_charge_st For Demo purposes, we’ve added a few fields to give you an
ation or → idea of how you can extend the Framework to meet your
is_cloud_asset specific needs

18
→ Cancel → Identity
Settings When you add fields to the lookup in ES 6.0, you can now
also specify if you want this field to be multivalue, as well as
as apply tags which are additional values you may want to
leverage as you’re looking up the key fields. These tags are
specific to the Framework so that it doesn’t overlap or create
confusion if users are using traditional Tags on searchable
fields in Enterprise Security

Similar to our previous page, we have a default list of fields

as well as a new one we added for this demo like
"charge_station_attendant". You can click this field, and
show similar settings to the asset fields, such as multivalue
and tag. For lookup definitions you can extend up to 20
additional fields to the out of the box fields.

→ Search Preview
This page provides an overview of the searches that are
used by the backend merge process. These searches run
automatically whenever the feeder-lookups from the
Asset/Identify Lookup Configuration are updated. One of the
added benefits, is you can leverage these searches to
experiment with the merge process or if needed for
troubleshooting as well.

19
→ Data
Onboarding→ With ES 6.0, we have started to build "wizards" for
Cancel onboarding widely-used sources of Asset & Identity data. In
this case, we are integrating with the "Splunk Supporting
Add-on for Active Directory", which is installed on this demo
ES search head. This wizard is intended to provide a more
straight-forward way to build search-driven lookups; in which
you can create the lookup definition as well as the SPL that
drives the lookup from a single set of modals, on a single
page.

Asset Lookup
Configuration Tab -- As an example, if we look at this model, this lookup was
ldapperdan_asset created via the previous "Create LDAP Configuration" button,
row → Cancel and now allows us to easily plug this into our A&I framework.

→ link under Source

Column →
ldapperdan_asset

20
6.0 MLTK Integration Vignette:

Machine Learning Toolkit Introduction

With ES 6.0, we have packaged and integrated the Splunk

Machine Learning Toolkit (MLTK). Both the MLTK and Python for
Scientific Computing (PfSC) packages are now bundled with the
ES installed, making MLTK a first-class experience within ES. In
general MLTK uses less CPU and memory compared with previous
capabilities. It does createa slight impact on search time but that
is something we will be improving and enhancing with upcoming
releases.

One of the key benefits of integrating MLTK was the replacement

of Extreme Search. Integration with MLTK transitions Enterprise
Security to using the Probability Density Function (or Density
Function for short!). Using the Density Function you have more
flexibility. As an example you can fit your models to 1 of 3

21
 distribution types: normal, exponential or guassian. And you can
change that distribution type in the future if your needs change.

** Look in Conf19 ES now ships with a collection of out-of-box searches that

Portal Instance but leverage the MLTK density function and provide a much more
can’t validate at time of sophisticated and robust replacement for the existing ‘context gen’
publishing: searches used by Extreme Search. The associated correlation
searches will now leverage the MLTK models, however to make it
Navigate to the ES
easier for customers to migrate, by default we still enable your
content management
context-gen searches to that you can easily migrate to the ne
page (https://sec-
MLTK-based use cases when it makes sense for your specific
keynote-es-
environment
01.splunkoxygen.com:8
000/en-
US/app/SplunkEnterpris
eSecuritySuite/ess_cont
ent_management), and
in the search bar, type
"model gen"

Machine Learning Audit

ES Navigation Bar →
Audit→ Machine With 6.0, you’ll also be able to easily do a quick review both the
Learning Audit→ use of both MLTK as well as Extreme Search in the context of your
scroll for Extreme deployment. So here we can see the overall number of MLTK
Search content
errors seen in the environment, the number of saved searches
deployed → List of
Model Generating that leverage various MLTK algorithms, as well as Extreme Search
Searches → Job content that's been deployed.
Manager

22
 If you click the "List of Model Generating Searches", this will take
you to the Splunk Job Manager page, where you can view the
various statuses of your model gen searches, including the search
job details.

Managing ML Models

App → Machine
Learning Toolkit → This shows all the various models that are in use within your
Nav Bar Splunk ES deployment, inclusive of the sample models that ship
with MLTK, or other models that have been created. Model files
are stored as "lookup" files, in order to assist with replication for
use in "streaming apply" of models.

*Extra Note*
For customers that have custom Extreme Search (XS) content,
Splunk will be supporting XS for the next year (through October
2020). We will be providing documentation on how to migrate XS
content to MLTK, however, if customers wish to leverage their
existing XS investment, and preserve the models/context files,
they can purchase "Extreme Vigilance" and "Extreme Rules" from
Scianta Analytics, which allows them to convert and migrate their
XS content.

6.0 Investigation Vignette:

Investigation Visibility

23
Audit → Investigation
Audit We are constantly gathering feedback and input from our
customers. One of our new added enhancements came directly
from that feedback in the form of an Overview Page for ES
Investigations. We’ve found that most customers wanted to build
and customize their own dashboards to fit their specific needs. So
with this release, we also provide better visibility into
investigations by providing a custom REST endpoint and some
example dashboards to help build some basic metrics so
customers can leverage the out of box examples and build their
own simply using the | rest command. . In general most
customers tend to build and customize their own dashboards to fit
their needs, based on out of the box examples. With the new
"Investigations" feature, they can do this simply via "| rest"
command.

24
25