Visual link analysis with Splunk and Gephi | Splunk Blogs


As cyber-security risks and attacks have surged in recent years, identity fraud has become all too familiar for the common, unsuspecting user. You might wonder, “why don’t we have the capabilities to eliminate these incidents of fraud completely?” The reality is that fraud is difficult to characterize: it often requires a great deal of contextual information about what was occurring before, during, and after the event of concern in order to identify whether any fraudulent behavior was occurring at all. Cyber-security analysts therefore require a host of tools to monitor and investigate fraudulent behavior; tools capable of dealing with large amounts of disparate data sets. It would be great for these security analysts to have a platform that can automatically monitor logs of data in real time, raise red flags in accordance with certain risky behavior patterns, and then let them investigate trends in the data for fraudulent conduct.

That’s where Splunk and Gephi come in.

Gephi is an open-source graph visualization software developed in Java. One technique to investigate fraud, which has gained popularity in recent years, is link analysis. Link analysis entails visualizing all of the data of concern and the relationships between elements to identify any significant or concerning patterns – hence Gephi. Here at Splunk, we integrated Gephi 0.9.1 with Splunk by modifying some of the Gephi source code and by creating an intermediary web server to handle all of the passing of data and communication with the Splunk instance via the Splunk API. Some key features that we implemented were:

Gephi can populate a workspace or enrich the data already contained in a workspace by pulling in properly formatted data. We implemented this by setting up two servers: one acts as an intermediary and determines what kinds of data a node can pull in based on its nodetype, and the other contains all the scripts that interact with a Splunk instance to run Splunk searches, pull back the results, and format them in a way Gephi can already understand.

To make all this happen, Gephi makes a GET request to the Gephi-Splunk server (GSS) containing the nodetype, which prompts the GSS to return a list of available actions for that nodetype (Note: the list is statically defined in Gephi to simplify things for the demos). Each of these actions can be used (along with information about the node) to construct another GET request, which is sent again to the GSS and then forwarded to a script server to execute that action. The action is completed by running a script held on the script server; actions involving Splunk searches are completed using Splunk oneshot searches as defined in the Splunk API. The script server takes in the results of the search, formats them, and forwards them to the GSS, which responds to the original request from Gephi with a formatted output that Gephi can render. The architecture is defined visually below.

The reason for the separation of servers into a “permissions” server and a script server is to make it easier to expand this project to serve multiple use cases and leverage multiple Splunk instances, while keeping organization simple and limited to a single point. In other words, resources are separated, but management is centralized.

The first screenshot shows a use case in which an analyst might have six IP addresses to be investigated. The analyst can start out with only the six IP addresses shown on the graph, and then choose to select the “drilldown” menu option to make a call to Splunk for more information. Our Gephi instance will then populate the graph with all of the data received from Splunk, creating nodes with connections if the nodes do not already exist in the visualization, and only adding connections if the nodes do already exist in the visualization. The analyst can also choose to “playback” the data via the timeline to see how events were occurring through time.
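The server-side flow described above (the nodetype lookup on the GSS, the drilldown search built on the script server, and the merge rule that creates missing nodes but only adds connections for nodes already drawn), as an added Python example; this is not the blog’s or the project’s own code. The action names, field names, SPL search and result rows are assumptions, and the real Splunk oneshot call is replaced by a constructed result list so the example runs offline.

```python
import itertools
# Constructed demo of the page's four entity types, keyed by Splunk field (assumed names).
FIELD_TO_NODETYPE = {"src_ip": "ip", "user": "username",
                     "session_id": "session", "user_agent": "useragent"}
NODETYPE_TO_FIELD = {v: k for k, v in FIELD_TO_NODETYPE.items()}
# "Permissions" server (GSS): actions each nodetype may request (assumed names).
ACTIONS = {"ip": ["drilldown"], "username": ["drilldown"],
           "session": ["drilldown"], "useragent": []}

def list_actions(nodetype):
    """Reply to Gephi's first GET: the actions available for this nodetype."""
    return list(ACTIONS.get(nodetype, []))

def build_search(nodetype, action, value):
    """GSS check plus script-server step: refuse actions the nodetype may not run,
    then build the oneshot SPL (assumed). Quotes and backslashes in the node value
    are escaped so a label lifted from log data cannot alter the search structure."""
    if action not in list_actions(nodetype):
        raise PermissionError(f"{action} not allowed for nodetype {nodetype}")
    safe = value.replace("\\", "\\\\").replace('"', '\\"')
    return (f'search index=web {NODETYPE_TO_FIELD[nodetype]}="{safe}" '
            f'| table {" ".join(FIELD_TO_NODETYPE)}')

def merge_results(nodes, edges, rows):
    """Fold oneshot result rows into the graph Gephi holds. nodes: set of
    (nodetype, value); edges: set of frozenset pairs. Nodes are created only
    if absent, edges added only if absent; returns (new_nodes, new_edges)."""
    new_nodes, new_edges = set(), set()
    for row in rows:
        ids = [(FIELD_TO_NODETYPE[f], row[f]) for f in FIELD_TO_NODETYPE
               if row.get(f)]
        new_nodes |= set(ids) - nodes          # only nodes not yet drawn
        nodes |= set(ids)
        for pair in itertools.combinations(ids, 2):   # link every entity in the event
            e = frozenset(pair)
            if e not in edges:
                edges.add(e)
                new_edges.add(e)
    return new_nodes, new_edges

# Constructed oneshot result for a drilldown on 10.0.0.5 (not real data).
SAMPLE_ROWS = [
    {"src_ip": "10.0.0.5", "user": "alice", "session_id": "s1", "user_agent": "ua-A"},
    {"src_ip": "10.0.0.5", "user": "bob", "session_id": "s2", "user_agent": "ua-A"},
]

def demo():
    # Analyst starts from two IPs, drills down on one, merges what comes back.
    nodes, edges = {("ip", "10.0.0.5"), ("ip", "10.0.0.6")}, set()
    spl = build_search("ip", "drilldown", "10.0.0.5")
    return spl, merge_results(nodes, edges, SAMPLE_ROWS)
```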

Shown in the second screenshot is a use case in which an analyst might have a large dataset but no clues of where to start investigating. Importing the data into Gephi would allow for recognition of clusters of correlated events (shown as large red nodes in the screenshot). The timeline would also assist in seeing how these resources were being accessed through time.

In addition to anti-fraud use cases, the Gephi + Splunk integration can be applied to any datasets that have cause and effect relationships. The example we provide is of IP address, username, session ID, and user agent data. In order to use other datasets, you will have to change some of the code to display the correct icons and to drill down into the nodes correctly (see the “Altering Data Sources” section of the GitHub docs).

Disclaimer: This integration is provided “as is” and should not be expected to be supported. The application has not been extensively tested with large data sets, so use with caution. Depending on the searches being run in Splunk, and the size of the underlying data set, searches may take a while to complete. The purpose of this application was to provide a proof of concept of using the Splunk API with an open-source graph visualization tool. At the moment, there are no official plans to integrate a graph visualization into the Splunk native web framework. If you intend to adapt this integration for your own uses, please be aware that it will require knowledge and use of Java and Python.
