The learning objectives of this lab are to:
· Install two Splunk add-ons required to perform machine learning analytics
· Explore some of the security datasets that are provided with the Splunk software using MLTK
· Build ML classifiers/regressors using these datasets and then compare performance measures such as confusion matrix, precision, recall, accuracy and F1 score
· Load your own dataset into Splunk
· Explore your own dataset using MLTK
· Build ML classifiers using your dataset and then compare performance measures such as confusion matrix, precision, recall, accuracy and F1 score
· Explore the KDDcup99 dataset and classify the data using different ML approaches
Your submission for this lab will consist of a Word document containing your answers to Section A: 1 a) and b); 2 a) and b); and 3 a), b) and c).
Introduction
Splunk is a popular enterprise-level SIEM which supports the following capabilities: monitoring, searching, analyzing, and visualizing large amounts of data. It is widely used across a number of domains that include infrastructure and application monitoring, business and IT service monitoring, security, IoT applications, business analytics and process mining, and it works across a wide range of technologies.
Splunk contains a Machine Learning Toolkit (MLTK) that can be used to implement machine learning applications, including those in cybersecurity. The MLTK is built on top of the Python for Scientific Computing (PSC) library; this ecosystem includes the most popular machine learning library, scikit-learn, as well as other supporting libraries such as NumPy, SciPy, pandas, and statsmodels.
In a previous lab, you learnt how to use Splunk by completing the Search Tutorial. In this lab you will use the MLTK to complete some cybersecurity analytics exercises. For this lab you will need to install two Splunk add-ons in the following order:
· Python for Scientific Computing (PSC) (select Mac or Windows depending on your OS)
· Splunk Machine Learning Toolkit
Section A: Working with the Security Use Cases in Splunk
Log into your Splunk Enterprise (trial version). Install the following add-ons as explained below:
· Python for Scientific Computing (for Mac or Windows depending on your OS)
· Splunk Machine Learning Toolkit
Install the add-ons as follows.
Select the Apps item on the top left and then select the ‘Manage Apps’ item from the dropdown menu. Click on the ‘Install app from file’ button on the top right, as shown in the screenshot below. Use the two TGZ files provided by browsing to the location where you saved them, installing the PSC first and then the MLTK.
You could also complete the installation by downloading the add-ons yourself, but you might encounter some difficulties.