Dear Buttercup: The Security Letters


Splunk security professionals exist for Splunk customers. We travel the world to meet with you, lurk on ICQ and Slack 24/7 hoping for a wild Splunk Security Essentials or BOTS question to appear, and we even wear Splunk shirts at hacker conferences just to hear, "Hey, do you work at Splunk? I've got a question…" (This last one is actually a lie. We cluster together, avoiding contact with humans and the sun. They're both scary!)

But frankly, it's not good enough. We can do better because honestly, we don't matter how many IPAs (or Hefeweizens) we drink. And honestly, many of the questions are the same.This means we haven't done a great job documenting (or sharing previously documented) answers! We can do better.

A year and a half ago we began blogging about "Hunting with Splunk" in an attempt to share some of the coolest ways we have found to use Splunk core to freestyle hunt badness with SPL. Now we want to talk about the Splunk security products that most of you use: Splunk Enterprise Security, Splunk Phantom, Splunk User Behavior Analytics, Splunk Security Essentials, PCI and more. Every couple of weeks, we're going to drop a blog post based on a question that's been asked of us in the past. It could be anything from “How do I configure threat intelligence lookups in ES” to “I keep trying to make a Phantom playbook and phailing. Help!”

If you have any specific questions you want to be answered, feel free to send them to With each "Dear Buttercup" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags