A Day in the Life of a Splunk SearchDev Team Member
Introduction
The SearchDev (Search and Development) team makes Hurricane Labs unique. Our Splunk admin team and our SOC team should look familiar to most IT professionals; our admin team helps get your data in and your environment stable, and our SOC team investigates individual security events and helps create an overall plan for your security. SearchDev’s role, however, is to create searches and dashboards to provide you with the data you care about in an easily digestible way.
This article should give you an idea of what the position of a SearchDev entails as well as share some insight about what we do on a typical day.
So, what does our typical day look like?
Our work breaks down into the following categories:
1.) Searches
One of the main pillars of Splunk’s functionality is the ability to use the Search Processing Language (SPL) to take the data your environment has and find specific events of interest. SearchDev specializes in crafting searches that quickly and accurately provide the data you seek (for regular reporting, alerting, etc.).
2.) Security Searches
These are a special case where we want to create searches that provide actionable intelligence for our SOC team to investigate. Here we often used advanced techniques (such as anomaly detection and datamodel searches) to provide results to our SOC team to investigate.
3.) Dashboards
Sometimes your use case doesn’t neatly fit into the above, or you may be unsure of how to create something actionable for the data you do have. Dashboards are ideal for these situations because they give us the option to dynamically filter data (say, find all logins by specific users in a time range) or present data in ways that are easily digestible, such as charts and graphs. They’re great for users that may not be familiar with SPL syntax as well because they allow us to present data in a way that a new user can easily get what they need for their specific use case.
4.) New data sources
Splunkbase is a great resource for finding a wide range of applications to help onboard, visualize, and map your data. However, the world of logs is vast, and there are many use cases that may not be covered with existing apps. Although this falls beyond our standard services, we can help address these gaps by offering custom development support that uses Python to either add functionality to Splunk or create new add-ons to get your data into Splunk in a consistent, reliable format.
Conclusion
Hopefully this article has given you a better idea of what a member of the SearchDev team does on a typical day. Also, if you have a passion for data analysis and development, we’re hiring! Submit your application today.
The post A Day in the Life of a Splunk SearchDev Team Member appeared first on Hurricane Labs.
*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Tim Strawbridge. Read the original post at: http://feedproxy.google.com/~r/HurricaneLabsEngineeringNotes/~3/JtrpTF78qrs/
