Please find the Questions and Answers from our session below: Q: What are the steps I would take to implement RBA? A: This is all clearly laid out in the Splunk Guide for RBA! --- Q: Any advice on best approach in implementing a multi-tenant RBA framework? A:  Multi-tenancy is always complex, and I'm not sure what aspects of it your particular organization is dealing with because sometimes the solution is a bit different. 1) If you don't have to worry about separating out the data in the risk index for individual tenants so they can't see another tenant's data, FANTASTIC. This is just a matter of planning to keep data separate with something simple like a tag or even just | eval tenant="tenant_a" on the searches for that tenant, | eval tenant="tenant_b" for others and so on. Then if you add that to your risk DM, you can just tell your relevant RIRs for that tenant to look for that field. 2) If you only have to worry about *masking* the data, this is a bit easier than the final method. One thing I've seen a customer do is basically eval risk_object=md5(risk_object) so it's converted to a hash when stored in the risk DM that everyone needs access to. That way things will still be aggregated to the correct object, and then each tenant can keep a hash translation in an index only they have access to, and then they can correctly search their own data for drilldowns and so on. 3) If you do have to separate access to information, then you'll likely be able to leverage the macro-based version of RBA that a lot of used to use in the day. This basically leverages the | collect command to bring events into the risk index, but in your case you will be collecting to different indexes with their own RBAC. You can see the various evals basically doing the equivalent of risk factors, but if you craft your own macro properly and include all the fields that are generally expected when utilizing the risk ARA, it will work fine when plugged into the risk DM. For example, this will generate the MITRE annotations based on a MITRE technique field that has each technique in a newline (it gets made into MV, then split out, then JSON'd): | rex mode=sed field=mitre_technique "s/\n/,/g" | eval annotations.mitre_attack = split(mitre_technique,",") | eval annotations.frameworks="mitre_attack" , annotations._all='annotations.mitre_attack' | makejson annotations.mitre_attack output=annotations | fields - mitre_technique If you have further questions, it would be worth asking around on the RBA Community Slack. Multiple people are utilizing either | collect or | sendalert for various reasons. --- Q: Why does the risk normalization object us a "mvindex" approach instead of allowing users to more customize which field value is used? A:  The field used for a risk object should not be MV: the risk ARA creates a risk event for each defined risk object for ease of use querying the risk index without the overlap of additional objects (this can become annoying with accounts like SYSTEM). To maintain the connection with additional objects, I suggest adding something like related_risk_object to the risk DM, with something like: if(risk_object_type="system",user,src) Or something more complex with a case statement if you'd like to keep that stored in the risk abstraction layer. --- Q: first alert is generated when user collects 100 points. We confirm it as False Positive. Then alert is generated every time user receives any additional points, for ex. %2B2pts., %2B5pts, generating lots of annoying alerts. How to solve it? A:  There are a few methods: 1) The truth table method on the Github - this creates a truth table of looking at previous notables, their closed status, and the new rules or score that has fired, so you can decide when it would create a new alert and when it would not. The second method will help with additional notables that appear on the back end of the dynamic window but not what you asked about in this question. 2) You could do something similar on a saved search that creates a lookup by looking at notables, their closed status, and based on the status, giving some sort of flag to the risk rules inside. Something like: `notable` | search eventtype=risk_notables | stats count by normalized_risk_object,risk_message,source | eval remove_risk=case(status="False Positive","true",status="Benign Positive","true",true(),null() | where remove_risk="true" | outputlookup remove_risk.csv Then in your Risk Incident Rules, you may have to juggle some stats commands (and break out source, risk message, and risk_object like I have in this example), but basically looking to insert: | lookup remove_risk.csv normalized_risk_object risk_message source OUTPUT remove_risk | eval risk_score = if(isnotnull(remove_risk),"0",risk_score) And then re-do your stats to aggregate the score like in the base search of the RIR. This will zero out the score of rules that have been marked as "False Positive" in the notable index for that risk object. 3) Lastly, I know some people use SOAR to create negative risk events in the risk index for that object, but you could also mimic the behavior of the "Ad-Hoc Risk Score" button in the Risk Analysis dashboard (or just use it outright). Basically you're just using the | collect command to store a new event in the risk index that has negative score. You could have analysts just use this button and insert a negative risk score, but it is an extra step and having things automated can be really nice. --- Q: How would you implement RBA in a cloud environment where multiple assets may share the same ip across multiple accounts? A:  I *assume* in this question that multiple assets sharing the same IP means they are on separate private IP spaces, and that's where we would want to be using CIM entity zones. Potentially you could create a macro with logic to reuse in your risk rules that determines zone by naming convention in src/dest/user fields, or maybe a saved search that generates a lookup to check against (which is basically just CIM entity zones from A&I, so if you can get that to work, do that!). And that's why ideally we want risk_object to be both user and system in every log source possible. The holy grail of A&I is getting system, IP, and user interlinked (which something like Splunk Asset Risk Intelligence really helps with), so if you don't have one or the other available in a log source your detections are on, you can enrich it to do so. It isn't entirely necessary either so don't let that stop you; the more coverage you build out on what you do have the better, and when you *can* interlink things, your cross coverage will improve. --- Q: Reduces analysts chasing the same ghost when implemented. Saw same reduction but more importantly, the overlapping work dropped and the hunting began a primary part of the soc rather than just alerts. A: I'm glad you called this out as another potential benefit of RBA. Yes, when everything investigated is not just a single event but connected events, you naturally remove some of that overlapping redundant work and analysis. And yes, then you have more time for really high-value security stuff like maturation of technology/operations and threat hunting! Plus you have the risk index for threat hunting which is fantastic. --- Q: do we see any impacts to existing RBA risk rules and risk incident rules when ES is upgraded to 8.0? A:  Everything should just work when ported over to ES8, however there are a few things to be aware of: All EBDs require a risk_object + risk_score when saving for the first time in ES8. Any notable (finding EBD) you save from now on, just set the risk score to zero. For your traditional RRs, analyst queue (previously notable ARA) stuff is mostly irrelevant, you can however define a drilldown which is nice. For your traditional RIRs, be aware if you're searching tstats, the risk DM now has notables in it. This can be great context to surface with your risk notables/findings. --- Q: You mentioned an app to check for RBA readiness. What was the name of that? A: I specifically mentioned the RBA Navigator app by Matt Snyder, which he talks about at conf here. Also highly recommend Splunk App for Detection Insights in parallel, which does have some RBA related audit checks as well as many other useful features for ES. --- Q: The RBA example culminating in a user putting in a 2wk notice -- is there a notable for a 2wk notice?! Not important, just curious lol A: That's a hard one to design something OOTB that works for everyone; should be relatively easy to create a detection for this as long as you have the relevant data. If you're able to get that in Splunk, definitely a worthwhile event for RBA; generally I would veer away from notables for something like this that can happen frequently and you don't need to investigate every time it happens. --- Q: I missed how we get the Slack invite. Could someone send me that? A: https://rba.community has the link to the Slack invite request! ... View more

As you continue on your journey, please find other valuable resources here: Risk Based Alerting Feature Brief The Essential Guide to Risk Based Alerting 2024 Gartner® Magic Quadrant™ for SIEM Introducing the SIEM of the Future       ... View more

We wanted to provide you with the link to Haylee's demo: Risk Based Alerting: The New Frontier for SIEM   ... View more

Here are resources as you continue on your journey: Fraud Detection and Prevention Splunk Community Splunk Lantern Submit your info to: http://splk.it/slack   ... View more

Check out the Q&A from this session: Q: Will lambda expressions be marked as potentially unsafe/restricted by default (similar to the current | map command)? A: Would love to hear more about this, can you share about why you're concerned about whether they're unsafe? Lambda expressions are just shorthand for bulk operations that would require many more lines of code.   Q: The |map command is currently marked as such by AppInspect, and you won't be able to mark your app as Cloud compatible in Splunkbase if it contains the | map command in any of the shipped KOs. I think the general idea of the AppInspect team is that the | map command can get resource intensive if it's improperly written. I was wondering since lambda functions can have the same issues. A: The examples we showed with the spl2 map and reduce eval functions which used lambda functions will not be marked as unsafe, they are separate from the | map command you're referring to which operates on an entire event stream.   Q: When I enter an SPL command using backticks, can the command include a macro (also enclosed in backticks)? A: Yes absolutely. SPL2 ultimately transpiles to SPL for Splunk Enterprise use cases so any conf references (macros, modular regular expressions, etc) will be valid.   Q: Maybe too early to ask, but any plans for any sort of SPL2 AI assistant (LLM, copilot...)? A: Maybe in the future, but not yet 🙂   Q: I've just installed the open beta to try it out but have a 'license expired' notification and can't run any searches. This is a fresh install. Is it ok to use my dev license? A: Hi, you need to request a license by filling out the survey on the top of the page first. We will send you a license shortly once you fill that out!   Q: Does the $search (beginning of chain) have to be the first in a search or can it be anywhere? A: For streaming commands being defined by an SPL2 function the first parameter ($source) will always be the incoming data stream.   Q: Is Edge Processor same as the Data streams processor (DSP) - can the forwarders do the job like Edge processor? A: Hi, great question! Edge Processor achieves many of the same outcomes of DSP, but is not the same product. Edge Processor can be thought of as the successor to DSP 🙂   Q: Is SPL2 applicable when building TA (technology add-on) as well? A: Good question, not at this point in time. SPL2 is supported for search-time apps only.   Q: Just a follow-up, is SPL2 applicable for building ITSI Content Packs also? A: At this point, the answer is no. This is planned for the future.   Q: Sorry, new to SPL - isn't the macro achieving the same thing? A: SPL2 custom functions can be thought of as very similar to macros, with a few more capabilities (e.g., optional data type validation for arguments and outputs).   Q: Is SPL2 compatible with custom commands ? Is it possible to write custom commands (e.g. via functions) using Python directly from SPL2 ? A: Not directly at this point in time. You can do this via embedded SPL, however.   Q: This looks great, whats the impact on SVC license of using SPL2? A: At this point, we think it's negligible for the vast majority of use cases.   Q: Can we enable SPL2 in search&reporting app for all our customers to run searches on the search instead of using separate app ? A: Yes, you can do this by adding a _default module to any existing app.   Q: is spl2 available in xml dashboards A: Absolutely, you just need to use that | @spl2 syntax wherever your Simple XML references an SPL search and (for now) using the SPL2 on Splunk Enterprise Beta.   Q: Will/Is SPL2 available for Splunk Cloud? A: SPL2 is not yet available for Splunk Cloud but we are actively working towards enabling that, stay tuned!   Q: Is Visual Studio and the Splunk Extension the general favorite for an IDE for keeping track of your code/files/modules, etc? A: Yes! It's great for props & transforms editing, Python script authoring, SPL2 modules, etc.     ... View more

Please find more resources as you continue on your journey below: Download the SPL2 public beta from the Splunk VOC portal Blog post announcement Build an SPL2 app: Developer documentation Use an SPL2 app: Admin documentation SPL2 language documentation Splunk Extension for Visual Studio Code SPL2 API guide #spl2 channel in Splunk user-groups Slack workspace ... View more

And here are some questions for YOU: What other types of resources would help you make the most of Splunk's pre-built security detections? Are there any threat detection topics or use cases you're especially interested in learning more about? We'd love to hear from you!   ... View more

Q&A from the session   Q: How can I stay up-to-date on content releases from the Threat Research Team? A: The Community: Every month, we post a recap in the Product News & Announcements section with a list of all the new and updated security content we’ve released, plus links to learn more about each detection on research.splunk.com. You can find previous recaps here.   Q: Where can I find the latest research from the Threat Research Team? A:  The Splunk blog: We regularly post research and guidance related to the latest tactics, techniques, and procedures we see adversaries using in the wild. You can find all posts authored by the Splunk Threat Research Team here.   Q: Will the Threat Research Team be presenting at .conf this year? A:  Yes! Members of the Threat Research Team will be presenting a number of sessions. You can check out all of the security sessions that will be happening at .conf here.   Q: Please describe an efficient method to detect ransomware attack. Personally I like analyze entrophy of files but is that not too late? A: We have a greater chance to prevent ransomware by reducing the attack surface using products like - WDAC (windows defender application control), Microsoft Windows AppLocker or ASR rules (Attack Surface Reduction rules). On the mail gateway side, restrict the amount of allowed ingress file extensions (HTA, CHM, JS, VBS, and so on) will help reduce the amount of ransomware or malicious files to the mailbox. Using entropy to identify the files will be too late, unfortunately. Q: Will any of these vulnerabilities be exercises in Boss of the SOC? A: Not that STRT is aware of, unsure.   Please feel free to post additional questions here for us to respond to as you rewatch the Tech Talk and demo. ... View more

What's the next step? Register for Office Hours Save the date for .conf24   And here are additional resources as you continue your journey: View the Splunk Threat Research Team’s complete security content repository  Download Splunk Security Essentials Download Enterprise Security Content Update Learn more about Splunk Enterprise Security Check out the analytic stories: Confluence Data Center and Server Vulnerabilities JetBrains TeamCity Vulnerabilities Jenkins Server Vulnerabilities Read the blogs: Security Insights: Jenkins CVE-2024-23897 RCE Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 Security Insights: Tracking Confluence CVE-2023-22527 Check out the “Office 365 Collection Techniques” analytic story Read Hunting M365 Invaders: Dissecting Email Collection Techniques  Read the blogs: Under the Hood of Snake Keylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures Unveiling Phemedrome Stealer: Threat Analysis and Detections Do a little reading: Splunk Security Content documentation Blog posts by the Splunk Threat Research Team ... View more

These are the gists referenced on the tech talk walking you through how to setup docker containers with nginx: https://gist.github.com/MHaggis/e106367f6649fbb09ab27e7b4a01cf73 https://gist.github.com/MHaggis/26f59108b04da8f1d870c9cc3a3c8eec   ... View more

Here are a few top of mind questions answered during the live Tech Talk Q. What is the best approach to select 'key' fields from a data source? This is where performing a Baseline hunt may help. The outcome of that hunt should be a data dictionary of data fields available in a given data source along with their values. By looking at the values, you can determine which have the most relevance to the target/technique/payload you are hunting - these become the "key" fields.    Q. Do you convert successful hunts to correlation searches at least until something is mitigated? What does that process look like?  If it's an immediate concern or poses an imminent risk, we will escalate and have it mitigated as soon as possible. If it can be turned into a correlation search with high fidelity/low noise, we will have a detection created for. Otherwise, it may be used as a candidate for an L1 hunt because it is too noisy for a detection.   Q. During the Act phase of the framework, what type of factors do you consider when creating notables/alerts vs. recurring searches/dashboard panels for future hunts? One of the factors we consider when creating notables/alerts vs. recurring hunts is how easy it is to distinguish anomalous non-malicious from anomalous malicious events. If it requires a human to determine if something is malicious, say an unexpected scheduled backup, or unexpected deletion of software, we want a human to determine if the activity should be happening. Another factor is the significance of the asset. If the asset in question has significant importance to Splunk, we may want an analyst to review events related to that asset to confirm they are expected. Our goal when creating a notable/alert is to minimize false positives but if there is a risk that a true negative that could have a large impact to our security could slip through we want to have a human look at the events to make sure vs. depending on an alert to fire.   Q. When you talk about sharing your results, who is the intended audience of these reports?  It will depend. Typically, we share with other security operational teams and leadership. We may also share with relevant stakeholders like tool owners.   Q. How much time should be dedicated to threat hunting per week as a SOC analyst?   Organizations should prioritize allocating sufficient time for threat hunting, balancing it with other team priorities. We've observed that analysts require a minimum uninterrupted window of 4 hours, ideally a full day, to focus solely on hunting. Context switching between reactive ticket handling and proactive hunting proves challenging and may impede success. Establishing dedicated hunting days, where analysts are free from interruptions, is optimal. Additionally, ensuring adequate shift overlaps can help mitigate the backlog of tickets, allowing analysts to focus on hunting without concern for pending tasks.   Q. Does PEAK help to prioritize which topic I should hunt?   The PEAK framework doesn't address how to prioritize hunt topics. Instead, we prioritize them by considering factors such as the environment's importance to the business, our current detection coverage, threat intelligence team recommendations regarding recency or known adversaries, and any recent incidents related to the technique.   Q. How do you avoid going down a rabbit hole?  Crafting a well-defined hypothesis that outlines the target, technique, and expected payload, while also completing the ABLE table categories of Actor, Behavior, Location, and Evidence, is crucial for maintaining focus during a hunt. Straying too far from the hunt's objective is a common pitfall, and having a clear hypothesis helps prevent such diversions. In threat hunting, you'll encounter rabbit holes, and experience helps decide when to stop pursuing unproductive leads.   Q. For any new environment how do you prioritize what to hunt/hypothesis?  For a new environment, it may be helpful to start with a Baseline hunt to understand the data and would be valuable to hunt. Here is a blog post with additional information. https://www.splunk.com/en_us/blog/security/peak-baseline-hunting.html   Q. What learning sources are there to follow for effective hunts? There is a book with a wealth of Threat Hunting goodness called Bluenomicon. You can download it for free here: https://www.splunk.com/en_us/form/the-network-defenders-compendium.html   Q. The acquisition of Splunk by Cisco has the potential to enhance Splunk, making it a better tool?  We're enthusiastic about the possibilities stemming from our acquisition by Cisco. Currently, we're evaluating how to effectively utilize our combined expertise, tools, technologies, and data.   Q. How much time did it take M-ATH to process the data and output results?   For this one SPL example, 3-5 minutes. This was done many times for this hunt. It's always going to depend on your SPL scope.   Q. What skills are good to focus on for self-development that would help with getting into Threat Hunting (ie. SPL, general OS knowledge, etc.)? What are "must-have" or most critical skills/knowledge to have as a Threat Hunter? Curiosity and a desire to understand why things are the way they are. If someone says "that's just how it is", and your response is "yeah, but why?", that's a great quality for a threat hunter. Some of the best findings come from questioning something that seems benign, but is just slightly different. Also, the innate ability to see patterns in things. Embracing learning about things you don't know about and enjoying learning new things. Understanding the foundation of how things work, e.g., the OSI model, networking, DNS, common protocols, cloud infrastructure, having a strong foundational knowledge related to technology and common security attacks helps when you need to pick a topic and dig deep to learn more about it. Being able to collaborate with other teams who may be experts in a topic you are trying to hunt is also important.   Q. Do you use custom data models to enable threat hunting in Splunk? Is there a core data set you find "necessary" for threat hunting? We do have some custom data models and customized out of the box data models, but we are not using them as primary sources in our hunting. In terms of a core data set, it depends on the topic of the hunt. For example, cloud logs are necessary for hunting in the cloud, endpoint logs are necessary for digging into endpoing activity, which may also result in pivoting into network logs depending on the goal.   Q. What is the measure of success for the overall hunt program? The goal is to make the organization more secure. While we document metrics in terms of hunts completed, findings, knowledge shared, etc. we are continually trying to determine impact. There is a great PEAK blog post on this where you can read more about the topic here: https://www.splunk.com/en_us/blog/security/peak-threat-hunting-metrics.html   Q. What is the overlap with Red Teams/Pentest teams? How do you collaborate? The Red Teams colloborate with us when we have hunt topics that would benefit from attack-related events that we do not have in our environment. They will emulate an attack so that we can see what it looks like in the logs to better determine how to hunt. We also work closely with them on Purple Team engagements where we have multiple red and blue teams working together to simulate a threat actor.   Q. How are you grouping hunts with similar scope/TTP? What is the criteria/process? We follow a hunt intake process to assess anything new, grading them based on criteria such as relevance to our internal environment and whether they're related to incidents. Additionally, we sometimes organize group hunts involving multiple participants that share a similar scope.   Q. It seams like there is a lot of Security/Splunk engineering going on that you do not need to deal with prior to and after hunting. Do you have any advice for getting logs parsed and CIM compliant if you are the hunter and engineer? Log directly into tools that would send data to Splunk and do your hunting in the tool first to help prioritize and inform what should be onboarded to Splunk. In terms of parsing and CIM compliance, our professional services team can help with that. From a hunt perspective, hunting without CIM compliance is not a showstopper and though it is not optimal, you can also fix poorly parsed fields in SPL with Rex and Regex, or through our built-in data parser.   Q. Was the use of the PEAK threat hunting framework for managed service providers considered, or is it very much applied to internal use for an organization? The PEAK threat hunting framework can definitely be used by managed service providers, in fact, we encourage it. The framework is applicable to any organization seeking to create, perform, or manage threat hunting.   Q. Was the use of the PEAK threat hunting framework for managed service providers considered, or is it very much applied to internal use for an organization? The PEAK threat hunting framework can definitely be used by managed service providers, in fact, we encourage it. The framework is applicable to any organization seeking to create, perform, or manage threat hunting.   Q. Do you have any example threat reports?  We don't currently publish public reports as we are internally facing. We may in the future. ... View more

Here are a few questions asked during the live Tech Talk   Q. What else should I be doing to prepare for the Python upgrade? A.The Splunk Docs page https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration is the latest and greatest resource for learning more about how to upgrade. We also recently released Splunk Python SDK 2.0.0 with added support for 3.9. That resource is here: https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/   Q. What would you recommend as a cadence of upgrade? We are tight on resources and need to plan in advance. A. I think it is worth noting that every customer will have different constraints and challenges, so there isn't a single right answer to this question. However, the general guidance here would be to think about a few dimensions: (1) It's important to stay on a supported Splunk version, and as the presentation highlighted, there is a 2 year support window after each release comes out. It is therefore prudent to be running on a version that gives sufficient support window prior to your next upgrade. (2) Moving to a new version likely involves some amount of qualification in your environment. How long that qualification may take, along with your organizations operations and critical periods (eg likely you wont want to do upgrades during a peak season (eg Tax Season, or Black Friday / Winter Holidays). Often then, we see customers planning to upgrade to a new major/minor version right after their busy season(s). Our goal has been to make this upgrade as easy as possible by providing the ability to upgrade to a new version without having to sequentially upgrade through all intermediate versions. Do make sure to check the release notes / upgrade guide (for example https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/HowtoupgradeSplunk) for more details on this as this may vary for specific relases. The major/minor version will include features as well as bug fixes and security fixes. The length of time your organization needs to qualify a release will vary based on your own specific system complexity and organization processes. It is however recomended to upgrade to a new major/minor version at least once per year. (3) Staying current with regard to security vulnerabilities is likely an important aspect for you to consider. Many enterprises have specific policy around security vulnerabilities and the time in which they need to be mitigated/remediated. With this in mind, our maintenance releases, which come out roughly every 8 weeks provide updates for issues published in our security advisories (see https://advisory.splunk.com/). The maintenance releases do not contain features and are intended to be much easier to upgrade to, given the surface area of changes is much smaller and thus should require less qualification prior to deployment. It is therefore recommended to stay current on the latest maintenance version for your given version. In summary then, your specific circumstances will likely differ, but it is recomended to upgrade to the latest major.minor version at least once per year, and then to stay current with the maintenance versions for that major/minor release on an ongoing basis.   Q. We are currently on 9.0. Can we upgrade to 9.2 directly, or do we need to upgrade to 9.1 and then 9.2? A.Yes, that is a supported version. You can always find information on what the supported ugrade paths are in Splunk Documentation. For Splunk Enterprise 9.2, what is located here https://docs.splunk.com/Documentation/Splunk/9.2.0/Installation/HowtoupgradeSplunk   Q. Are you planning to discontinue "classic Dashboard"? A. As mentioned in the Webinar, the future vision is for Dashboard Studio to become the defacto standard and tool for creating Splunk dashboards. We know many customers are currently on Classic, and are working to get as much feature parity as possible so that customers can migrate.   Q. Will we get to see any more detail about how the certificate store integration works? A. You can find information about Trust Store integration in our Splunk Documentation here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigTLSCertsS2S   Q. Are there any real changes expected to apps when we go up to 3.9 from 3.7? A. In our internal testing across the platform and Splunk-supported apps, we have not seen significant breakage or compatibility issues. We expect customers to be able to migrate to Python 3.9 relatively easily, but we do recommend customers testing it before deploying into Production. The version we are targeting after Python 3.9 is expected to be Python 3.12 - which we know will be a major effort. We continue to publish more information on Splunk Docs as it becomes available.   Q. Will Splunk be able to use the Windows Certificate Store and how do we select which certificate will Splunk use? A. You can find information about Trust Store integration in our Splunk Documentation here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigTLSCertsS2S   Q. Are the Splunk Containers going to be released on the same cadence as the main product? We have seen many more CVEs in the containers than in Splunk. A. Yes, the docker-splunk team maintains the same cadence as Splunk. The Splunk Operator for Kubernetes, which utilizes Docker-Splunk for deployment in Kubernetes environments, also strives to adhere to this cadence. However, occasionally, it may require more time to align with the desired schedule.   Q. What versions of Splunk can we upgrade directly from to 9.2.1? A. You can always find information on what the supported ugrade paths are in Splunk Documentation. For Splunk Enterprise 9.2, what is located here https://docs.splunk.com/Documentation/Splunk/9.2.0/Installation/HowtoupgradeSplunk   Q. Aren't the DSs using DFS shares for the apps? A. For our internal testing, we have tested with NFS and can confirm it works. It should extend and work using DFS as well.   Q. Since it can be put behind a load balancer, does replication occur between Deployment servers?   A. All of the DSs are mounted with the same network driver folder for phonehome, client events and apps files. Since the folders are pointing to the same network driver files for all DSs, they can be share each other’s info.   ... View more

Key Resources Register for Community Office Hours: Threat Detection and Response on March 27  Check out the Threat Research Team's blogs  Register for Community Office Hours: Generative AI on March 13  Link to monthly ESCU update posts  Read the PEAK Threat Hunting Framework  ... View more