Learning About Splunk - HOWTO For MSSPs


Learning about Splunk

HOWTO for MSSPs


Vishal Nakra
Staff Sales Engineer, Global Strategic Alliances
vnakra@splunk.com
Last updated: February 1, 2019
Learning about Splunk – HOWTO for MSSPs

Table of Contents
Splunk Education (p. 3)
Splunk Partner Portal (p. 3)
Splunk Certifications and Accreditations (p. 3)
Managed Service Program Requirements (p. 4)
Recommended Training Paths (p. 4)
Technical Roles at MSSPs – Security Engineers/Architects, SOC Analysts, Deployment (p. 4)
Pre-sales training on Splunk
Other technical resources on Splunk Products you should know about (p. 4)
Splunk Partner Technical Symposium (p. 5)
Can you recommend a quick way to start learning the basics of Splunk? (p. 5)
Great! How can I get started with a free R&D or Developer license for Splunk? (p. 6)
Do you have any sample security data I can play around with? (p. 6)


This document is to help you walk through the massive amount of Splunk technical information out there.

To start with, know that there are two main sources for technical information on Splunk - Splunk Education and the
Splunk Partner Portal.

Splunk Education
This is where you go for official training on Splunk Products. This is intended for customers, partners, and Splunk
employees (Splunkers, as we call ourselves). The Education site has courses on all aspects of Splunk –
deploying, administering, getting data in, searching and reporting, developing apps, using the Machine Learning
Toolkit – for all Splunk products. Some are free, and we offer a discount to Partners that your alliance manager
can tell you about.

An excellent introduction to using Splunk is via the completely free Splunk Fundamentals 1 course. This doesn’t
go into Splunk architecture or deployment, but will give you a great grounding in how to use Splunk to get value
out of the data you ingest.

How do I log in? The Splunk Education website has a wealth of information on the courses to take; however, we
recommend that you register via the Partner Portal and access Splunk Education via the links in the portal. This
will ensure the correct discounts are applied to your training.

Splunk Partner Portal


This is only available to partners. Accessible at www.splunk.com/partners, the Partner Portal contains a lot of
information on selling, positioning, competition, as well as interesting use cases. Think of this as complementing
the Product training from Splunk Education by adding the “What is this thing and why should my customers care”
layer on top.

As new products and features are launched, details on why these are valuable to customers are rolled out
internally within Splunk to the various Field (customer-facing) teams via various internal newsletters, documents
and recorded Enablement Calls, which are often also placed on the Partner Portal. You can sign up for these
calls live too! There are Sales-focused enablement calls (called Virtual Enablement Calls), Sales
Engineering/Professional Services-focused calls (called Technical Enablement Calls), and Competition-focused
calls, called Competitive Enablement Calls. All of this content is created ad-hoc in response to business needs,
and has a more informal feel to it.

The official education from Splunk Education should always be your first priority, as it is systematic, phased
appropriately, and meant to teach you to use the power of Splunk, rather than just inform. Access this via the
Partner Portal.

The Partner Portal also has information relevant to operating as a Splunk Partner. Business practices, where to
go for help etc.

How do I log in? Go to the Splunk Partner Portal. The Partner Portal login is your splunk.com ID.

Splunk Certifications and Accreditations


Splunk offers both Certifications and Accreditations.

Managed by Splunk Education Services, Certifications are packages of formal technical training on Splunk
products, aimed at different roles (such as User, Power User, Architect and Admin). These are intended for
everyone - Customers, Partners and Splunkers. You will note that terms like “Power User” map better to generic
customer roles than to real job descriptions within the SOC, such as Tier 1 Analyst. For a better mapping to SOC
roles, see the Recommended Training Paths section of this document. Note that Splunk Certifications have
recently been revamped, so if you already have an older one, you’ll want to read about it here.

Managed by Splunk's Global Field Enablement team, Accreditations are packages of training for customer-facing
roles such as Sales, Professional Services, and Sales Engineering. These are only available to Splunkers
and Partners, not Customers. Accreditations build upon Certifications by adding hands-on context and real-world
sales and implementation experience from Splunk customer-facing teams such as Sales and Professional
Services.

Managed Service Program Requirements

The Managed Service Provider Program at Splunk requires Partners to maintain certain Certifications. These are
described in the MSP Program document on the Partner portal.

It is important to understand that the Program requirements are a minimum. We recommend additional training to
ensure that you are able to support your clients properly; this is described in the Recommended Training Paths
section. One of the first things you should do is to use these recommendations and work with us to develop a
training program customized for your team.

Recommended Training Paths

Technical Roles at MSSPs – Security Engineers/Architects, SOC Analysts, Deployment

Important: Recommended training for these roles is listed in the spreadsheet available on the Partner Portal.
This outlines which Certifications and Accreditations (in turn composed of Education courses and other content)
are appropriate for different roles. This spreadsheet is meant to be a starting point towards building out something
customized to your needs. It is tailored to technical roles within an MSSP – people who deploy Splunk, onboard
customer data, build correlation searches and alerts for the SOC, as well as the consumers of all this – the SOC
analysts themselves. The spreadsheet does not focus on pre-sales training for people who need to position the
value of Splunk-based MSS to clients.

Other technical resources on Splunk Products you should know about

Docs
Splunk makes a vast amount of official technical documentation freely available on http://docs.splunk.com and
the developer site, http://dev.splunk.com. No login needed.

Outside resources
If you prefer books, check out some here: https://whatpixel.com/best-splunk-books/


Need a nice directory of Splunk searches? Check out https://gosplunk.com or http://www.bbosearch.com/

Splunk Community
Splunk is also famed for its huge, vibrant, passionate community of users. Don’t live in a vacuum – take
advantage of it! You can learn a lot and get your technical questions answered in a crowdsourced fashion by
dipping into Splunk Answers, the Splunk Slack channel, and more. Find all these here.
www.splunk.com/community

Splunk blogs
The Splunk blogs are a great source of insight into interesting security use cases and random technical topics.
We highly recommend the “Hunting with Splunk” series to start with. See
https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html

Splunk PS wiki
The Splunk Professional Services team maintains a wiki with a great deal of useful content as well. This adds
real-world guidance to supplement the official education and docs. As partners, you get free access. Sign up
here: https://splservices.atlassian.net/

Splunkbase
And of course, don’t forget about Splunkbase, our “app store”. There are 1700+ apps and add-ons for
innumerable security use cases and data ingestion scenarios on here. There are even training apps to help you
learn how to use Splunk better, some of which are listed below.

.conf archives
And finally, here’s a treasure trove. Many of the best bits of Splunk tribal knowledge are things we share with
our customers, or better yet, they teach us, at our annual user conference, .conf. There are several years of
recordings and PDFs at the .conf website at http://conf.splunk.com. Scroll to the bottom and look for “.CONF
ARCHIVES”. Unfiltered, real, often gold. Want to uplevel your services with things only you can do? Go listen to
a few talks, and join us at the next one!

Splunk Partner Technical Symposium


Once a year, Splunk holds a special get-together for technical specialists at partners. We call this Partner
Technical Symposium. This is held in various locations around the world – Americas, EMEA, APAC – and is a
chance for you to get to know the people behind Splunk, as well as taking advantage of deep technical learning
from the people who build the technology and deploy it for a living. Engineers, Product Managers, Professional
Services Architects and other specialists around Splunk come together to network with partners and teach them
things. This is like .conf in that sense, but is entirely partner-focused, has some deeper technical sessions, and
offers a chance to meet people you would not otherwise, because you’re not competing with customers for their
attention.

Can you recommend a quick way to start learning the basics of Splunk?
Sure. Basics only; you can’t skip Edu. Go through these in order.

1. Free course – Splunk Infrastructure Overview. Learn what a Splunk deployment looks like.


2. Learn how to manipulate data, visualize it, and answer questions with Splunk.
a. Download a free copy of Splunk, or sign up for a 15-day trial of Splunk Cloud, and try it today.
b. If you’re short on time, go through the Splunk Tutorial.
c. If you have more time, take the much more comprehensive (you’ll need to know this eventually) free
course: Splunk Fundamentals 1.
3. Time to see what Splunk can do for security.
a. Try the free Security Investigation online walkthroughs on splunk.com. These are free, full, online
Splunk environments with very nice, structured walkthroughs of common security scenarios that
you can play with to start to get the hang of Splunk’s power. The investigations are also packaged
as a free app called Getting Started with Splunk Security, so you can download Splunk in seconds,
download the app in another few, and walk through them there.
b. Download the free Splunk Security Essentials app. Security Essentials is a great overview of
hundreds of things you can do with Splunk, including monitoring, hunting, and UEBA-focused use
cases. It also maps use cases to your clients’ security maturity.
4. Now you’ve seen Splunk Enterprise. Time to see Splunk Enterprise Security. Get a free 7-day online trial
here: https://www.splunk.com/getsplunk/es_sandbox

Great! How can I get started with a free R&D or Developer license for Splunk?
Before you start googling and end up with the wrong thing, go read the HOWTO on NFR licenses on the Partner
Portal.

Do you have any sample security data I can play around with?
Of course. There are 3 routes for you.

1. Install the “Boss of the SOC” (BOTS) v1 dataset. This is excellent stuff – the dataset we used in our CTF-style
blue-team competition. https://github.com/splunk/botsv1

2. Security datasets project. This project hosts several datasets including the BOTS one in a Splunk environment
that we run. You can log in and explore the data in a tutorial or ad hoc fashion.

3. Install a bunch of Technical Add-Ons (TAs) from Splunkbase along with the eventgen app. Each TA comes with sample
data that the eventgen app can use to generate more data of the same shape.
