General Talks

Data AI Summit 2021 Exec Forum: Security and Governance Fundamentals for a Lakehouse Architecture

Having the best capabilities and the fastest pipelines means nothing if you can't deploy them. In this session, we will review strategies for meeting your InfoSec team's requirements for security, compliance, and governance. We will walk through an example from an early stage project that can grow safely, along with an example lakehouse with a fully realized secure deployment. Security success isn't always the most fun, but it can be hugely impactful to your project outcomes -- come learn how to make that success easier and faster.

  • Slides and videos from DAIS Exec Forum aren't publicly shared.

AI Village at DefCon 27 (2019): Network defenders in a data scientist world

Joint presentation with Ryan Kovar, Dave Herrald

So often data scientists and network defenders live in different worlds. Let us try to bridge those gaps and talk about how network defenders are starting to use AI, and how data scientists can build better models on better datasets.

Security Ninjutsu Series

.conf19 -- Security Ninjutsu Part Six: All of the SPL!

I always get a thrill when people come up to me after attending Ninjutsu events to share successes and lessons learned, but I feel bad, because I'm the only one who gets to hear those stories. So this year, we're going FULL lessons learned. We're going to hit on the best parts of the Ninjutsu Series (fear not if you're brand new) and tell you exactly what you need to know, from the folks who've deployed their learnings successfully. It's like the sports highlight reel for a lifetime of building security detections. That sounds like a party right? As always, attendance of prior Ninjutsus not required, though they are available below.

.conf18 -- Security Ninjutsu Part Five: Our SPL Goes to 12.. 11 Isn't Enough

Security Ninjutsu turns five! Last year, we told you every advanced SPL technique that we knew about, with a 23,000-word PDF chock full of detail. This year, we swing to the other side, and tell you about every advanced SPL search that we've ever seen customers love. This isn't bytes_out>35000, this is bytes_out>whoa that's cool! Of course, we will have sample data with every search, and every search will be present in Splunk Security Essentials. Come learn about all the latest and greatest, and be prepared to blow the SOCs off your team. And no, I am *not* sorry for the pun.

.conf 2017 -- Security Ninjutsu Part Four: Attackers Be Gone in 45 Minutes of Epic SPL

My favorite part of any spy movie is the gadgets. You see a spy in normal attire, without knowing that the jacket is bulletproof and the watch shoots amnesia darts. That spy is prepared for anything. Writing security searches in SPL is much the same—so you can call me Q. In past Security Ninjutsu sessions, we’ve covered many foundational elements common among security searches. This year, we are bringing the ninja, and it’s going to be epic. We’ll spend 60 minutes covering all the awesome search techniques used by Splunk Security Ninjas from around the world. There will be a massive PDF. Attendance of prior Ninjutsu sessions not required, though available at

.conf 2016 -- Security Ninjutsu Part Three: Real-World Correlation Searches

Throughout the Security Ninjutsu series, we used real world searches created by Splunk technical resources working with their customers. Now we will discuss the reverse: actual correlation searches built by customers on their own (easy, medium, hard). For each, we will explain what caused them to create the use case, how they built the query, tweaked and filtered and what action they took as a result. What happens when attackers stop being nice, and start being real? Come find out. (Optional: View prior Security Ninjustu series talks here:

.conf 2015 -- Security Ninjutsu Part Two: More Security Analytics, Correlation and Action!

At .conf2014 in Security Ninjutsu, we covered four real customer scenarios that allowed security users to leverage advanced correlation and anomaly detection, moving beyond basic incident response. You needn't have attended last year's session because this year we will cover four totally new use cases! We will be diving into analytics (basic through advanced) and threat discovery, easy apps for hunting, new bidirectional threat intel integrations and more! Through each of the examples, we will review the data sources, discuss how to analyze them, and see what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.

.conf 2014 -- Security Ninjutsu: Using Splunk for Advanced Correlation, Anomaly Detection and Response Automation

Splunk's analytical capabilities allow security users to leverage advanced correlation and anomaly detection moving beyond basic incident response. Splunk can also take action, ranging from integration with ticketing systems to automatic blocking and beyond. This session will walk the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain. Through each of the examples, we will review the data, how to analyze it, and what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.

Other Talks

.conf19 -- Splunk Security Essentials 3.0: Driving the Content that Drives You (Hands On!)

Co-presented with Johan Bjerke

Whether you have just SSE or all of Splunk's Premium Products, you can benefit from the ton of Security Content that Splunk produces. We'll start this session by setting a quick baseline on all of the fantastic detections that Security Essentials has had in the past, and then jump into the new prescriptive guides, MITRE ATT&CK™ integration, Auto-Dashboard-Magic, and all the related functionality that will help you plan your usage of any/all of Splunk's security products. We'll present all this information through the lens of helping you get the best possible detections deployed with the least amount of effort.

.conf18 -- Go From Dashboards to Applications With Ease: SplunkJS and Splunk Python for Non-Developers

Co-presented with Dave Herrald

Raise your hand and repeat after me, "I am not a professional developer, I just write code." If this is you, then you probably cherish SPL. But if you've ever tried to build anything new with Javascript or Python in Splunk, you've wanted to scream. Well good news — this talk is for you. David Veuve owns Splunk Security Essentials, Dave Herrald owns the BOTS Scoring App, and both have learned to do amazing things with SplunkJS and Splunk Python the hard way (by begging others to give them easy bite-sized code segments). They're now fitting that into one extensively documented .conf presentation, with an accompanying app. This is "Dashboard Examples" for building real applications on Splunk. If you like to be awesome, don't miss it.

.conf18 -- Splunk Security Essentials: What's New and What's Awesome

Splunk Security Essentials helps everyone be successful with everything — from basic security monitoring, to insider threats, to advanced threat detection. And it's constantly advancing! Let's walk through the latest and greatest capabilities for Security Essentials, and how you can go back to your environment and be more successful.

.conf 2017 -- Quickly Advance Your Security Posture with Splunk Security Essentials

Whether you're looking to reduce breaches, set up monitoring to anticipate attacks, or build more predictive capabilities, you will learn to apply the power of Splunk’s search processing language (SPL) via the Splunk Security Essentials App. We'll also present how to tighten your security with actionable searches that you can use immediately. All of the examples will have demo data, but you will see how you can apply custom data in your own environment. In this session, you will learn how to:
   – Optimize and make Splunk search work for you, so you can quickly gain insights into your data to identify and describe security impacts and potential threats
   – Detect unusual and potentially malicious activity using Splunk Enterprise statistical and behavioral analysis capabilities
   – Find unusual activities

.conf 2017 -- Searching FAST: How to Start Using tstats and Other Acceleration Techniques

You know the use cases, you understand stats. You might strut through the halls of .conf events as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk with upwards of a 1000x performance improvement: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to a ludicrously fast speed. This talk will explain how and when to leverage acceleration, and improving user experience, value and TCO for all kinds of use cases.

.conf 2016 -- How to Scale Search: From _raw to tstats

You know the use cases. You understand stats. You might strut through the halls of .conf2016 as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk software with upwards of 1000x performance improvements: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to ludicrous speed, but there’s a learning curve. This talk will explain how and when to leverage acceleration for all kinds of use cases in a simple way, taking it from the highest echelons of SPL Ninjutsu and bringing it to everyone.

  • This session was re-delivered at .conf 2017 as "Searching FAST" (above). Check out the download links there

.conf 2014 -- Passwords are for Chumps: Using Single Sign-On

There is a feature that many customers could deploy to simplify their deployments, ease user adoption and enhance their level of security, but few customers actually use it. That feature is Single Sign-on, and it can be deployed via the free Active Directory Federation Service (ADFS) available to almost everyone. This session will walk attendees through the basics of SSO, with an explanation and live demonstration of how ADFS works with Splunk, so that they can go back to their companies and enhance their Splunk experience.