5.5 App Basics


Time
2 hours 29 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
>> Hello, I'm Natasha, and in this video we'll go over the basics of using apps in Splunk. Apps and add-ons are two ways to add to Splunk's capabilities, and they're easy to get mixed up, partly because there are, according to Splunk, no definite criteria that universally distinguish an app from an add-on. We can still try to separate them out. Apps are applications you install on the Splunk platform and often have interactive dashboards, so they'll do new things with your data. Apps are typically more visual and interactive. Add-ons are more for getting data in and doing behind-the-scenes changes. This could be a specific configuration you give out to forwarders to retrieve a certain type of data and extract the fields properly, just for example.

Apps and add-ons can be Splunk-built, or they can be built by vendors or users. Many different companies offer Splunk apps that work with the data from their products. Individual developers can also submit apps. It's highly recommended that you install apps in a test environment before adding them to a production environment. Sometimes there can be conflicts with other configurations, and apps may cause issues. You'll definitely want to check out Splunkbase. Here you can search over a thousand apps and add-ons for things that may be useful in your environment.

These are a few popular apps, just to give you an idea of what's out there. Splunk Security Essentials provides security-focused searches you can use in your environment. It has an interactive dashboard where you can evaluate your source types for the things you might monitor, and look for what types of threats you'd be able to target. This is not to be confused with the Splunk app Enterprise Security, which you have to pay for, but it still provides many useful abilities. The DB Connect app is really helpful for tying into databases, such as a SQL database, to retrieve data. The Lookup File Editor lets you modify lookup tables from the web console. There are a ton of vendor-specific apps, such as ones for Cisco sources, AWS, Palo Alto, Microsoft Azure, Workday, etc. There are also plenty of useful apps for specific purposes, such as geolocation lookup, special visualizations, even weather information.

If you're interested in creating apps, that's totally an option. You can make them for your personal use or share them with the community. If you want to, you can become a Splunk certified developer. You need to first become a Splunk Enterprise Certified Admin to pursue this, then take several classes specific to development, and then take an exam.

Let's go ahead and install an app from the GUI so you can see what it looks like. The app I'm installing today is called Splunk Essentials for Wire Data. This app is mostly going to provide examples and instruction for working with wire data like network traffic and packet captures. To start off, I'm just going to click this Find More Apps button. If I wanted to, I could start off in Splunkbase and then download the file and upload it to the web interface. Here, I can browse tons of new apps, look at popular ones, and I can search by keywords. I'm going to type in Splunk Essentials for Wire Data and see what comes up. There we are. I'm just going to click "Install". I will have to log in for this. It just downloaded. That was pretty quick, and I'm going to go ahead and restart now in order to complete the installation. I've logged back in, and now I see a new app under here. Here we are. We installed an app. If we want to, we can click around a little. This just gives us different use cases and examples. If we were to open one of these, we can work with a search to find things that match this use case, like looking for misconfigured DNS endpoints. I click down here. It gives us some sample searches and the types of things that I might receive if I had the proper data for this.

True or false? You should first install an app in a production environment before testing it. If you read that sentence carefully, you should have said false. A production environment, where Splunk is currently being used for business purposes, isn't the best place to test out new apps. Ideally, you'll have a test environment with the same version and similar settings to the real one to experiment with.

In our next video, we'll begin our last module.
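The lesson's advice to try an app in a test environment before production also applies to looking at what a package contains before it is installed anywhere. A Splunkbase package (.spl) is a gzipped tar archive of the app directory, and anything shipped under bin/ or declared as a script:// stanza in inputs.conf is executed by splunkd under the Splunk service account once the app is installed. The shell script below is an added example, not code from this Cybrary lesson or from Splunk: it builds a constructed sample package for a hypothetical app named demo_wire_app, unpacks it the way a reviewer would, and reports the executable content so a decision can be made before running the real `splunk install app <package>` command on the test instance.

```shell
#!/usr/bin/env bash
# Added example, not code from the lesson or from Splunk: vet a Splunk app
# package (.spl, a gzipped tar of the app directory) for content that executes
# on the Splunk host before it goes to the test environment.
set -u

# Build a constructed sample package at $1 for the hypothetical app
# "demo_wire_app". Pass "scripted" as $2 to include a bin/ script and a
# script:// input stanza; otherwise the app is configuration only.
build_sample_app() {
  local out="$1" kind="${2:-config}" work app
  work="$(mktemp -d)"
  app="$work/demo_wire_app"
  mkdir -p "$app/default"
  cat > "$app/default/app.conf" <<'EOF'
[launcher]
author = constructed example
description = constructed sample app for package review
version = 1.0.0

[package]
id = demo_wire_app
EOF
  cat > "$app/default/savedsearches.conf" <<'EOF'
[Demo - DNS responses with NXDOMAIN]
search = index=wire sourcetype=demo:dns reply_code=NXDOMAIN | stats count by query
EOF
  if [ "$kind" = "scripted" ]; then
    mkdir -p "$app/bin"
    printf '#!/bin/sh\necho "constructed scripted input"\n' > "$app/bin/collect.sh"
    chmod +x "$app/bin/collect.sh"
    cat > "$app/default/inputs.conf" <<'EOF'
[script://./bin/collect.sh]
interval = 300
sourcetype = demo:wire
disabled = 0
EOF
  fi
  tar -czf "$out" -C "$work" demo_wire_app
  rm -rf "$work"
}

# Unpack the package at $1 and print a review summary. Returns 0 when the app
# ships only configuration and knowledge objects, 1 when it carries executable
# content (files under bin/, script:// inputs, custom commands in commands.conf,
# REST handlers in restmap.conf) that needs a manual read before installation,
# 2 when the archive cannot be unpacked.
inspect_splunk_app() {
  local pkg="$1" work appdir conf findings=0
  work="$(mktemp -d)"
  if ! tar -xzf "$pkg" -C "$work" 2>/dev/null; then
    rm -rf "$work"
    return 2
  fi
  appdir="$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
  echo "app:     $(basename "$appdir")"
  echo "version: $(sed -n 's/^version *= *//p' "$appdir/default/app.conf" 2>/dev/null)"
  # Files under bin/ run with the privileges of the Splunk service account.
  if [ -n "$(find "$appdir/bin" -type f 2>/dev/null | head -n 1)" ]; then
    echo "REVIEW: executable content under bin/:"
    find "$appdir/bin" -type f | sed "s|^$work/||"
    findings=1
  fi
  # script:// stanzas are run by splunkd on the configured interval.
  for conf in "$appdir/default/inputs.conf" "$appdir/local/inputs.conf"; do
    [ -f "$conf" ] || continue
    if grep -E '^\[script://' "$conf" >/dev/null; then
      echo "REVIEW: scripted inputs in ${conf#$work/}:"
      grep -E '^\[script://' "$conf"
      findings=1
    fi
  done
  # Custom search commands and REST handlers also point at code in bin/.
  for conf in commands.conf restmap.conf; do
    if [ -f "$appdir/default/$conf" ]; then
      echo "REVIEW: $conf present (maps to scripts in bin/)"
      findings=1
    fi
  done
  # A shipped local/ directory overrides whatever the admin configured locally.
  if [ -d "$appdir/local" ]; then
    echo "NOTE: package ships a local/ directory"
  fi
  rm -rf "$work"
  return "$findings"
}

# Demonstration on a constructed package that carries a scripted input.
demo_pkg="$(mktemp -d)/demo_wire_app.spl"
build_sample_app "$demo_pkg" scripted
if inspect_splunk_app "$demo_pkg"; then
  echo "verdict: configuration only, safe to stage on the test instance"
else
  echo "verdict: read the flagged files before 'splunk install app $demo_pkg'"
fi
```

Run it as is to see the constructed scripted package flagged, or call `inspect_splunk_app` on a real download from Splunkbase. A non-zero return does not mean the app is malicious; scripted inputs and custom commands are normal for data-collection add-ons. It means someone should read those files, because after installation they run with the same rights as the Splunk process itself, which is exactly why the lesson wants that first run to happen on the test instance and not in production.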