So now it is my pleasure to introduce to you the second speaker for today, and it is, from Splunk, Gleb Eastman. Thank you, Ben. Hi, good morning. All right. Just give it another 30 seconds. Alex, you can come closer. Cool. So: solving crimes with wireless geofencing and multi-zone correlation analytics. This, my talk, is actually the result of real work I've done helping Alex, I'll introduce him briefly a bit later, for one of the European law enforcement agencies, where they were using interesting hardware that Alex built, and I helped him from the software side. But let's do things in order. So I work at Splunk, so we have to show you guys this slide. Don't trust anything I tell you today, and don't trade any securities based on information I tell you today. Special thanks to Alftel Systems. This is Alftel; Alex Zaharov is the president of Alftel and he's a designer, he's a super smart security guy, and he's the designer of all these cool devices. What you see on your screen is a multi-channel Wi-Fi capture device. Basically, if you want to capture everything that's going on in Las Vegas, there are a few dozen of these things spread around, and lots of good information could be received by that stuff. So, Alex, I believe you're in the Wireless Packet Village, right? Scott Haskell, he's a Splunker, an exceptionally good engineer, and he built the Maps Plus app for Splunk. Basically, that's the foundation of the system that I built, and whatever I built over the last, like, six months, a little bit less, like four months, I will give away for free today; I'll send you a link and you'll be able to download it and see how it works. With maybe some rough edges around the corners, but it should work. So, briefly about myself. For kind of the first half of my career I worked in malware analysis, antivirus software. I moved to the United States four years ago when I joined Splunk. I moved from Canada, so you guys can still notice my Canadian accent. No? All right. I was born in Belarus.
So, I was born in Belarus, and when I started working, that's when the era of computer viruses came in, and nobody knew what to do with them, so I was very curious to see what could be done. So, all those years of boot viruses, boot sector viruses, distribution tables and cool stuff. So, yeah, lots of interesting work in that space. I worked for IBM Watson Research for six years doing the same stuff. Then I kind of deviated to e-commerce, payment processing, digital information management solutions, data analytics. Before Splunk, I worked at Morgan Stanley, where I dealt with multiple enterprise-wide analytical systems, and that's when I found out about Splunk. And Splunk allowed me to do things much more easily than any other tool, and I, like, literally got excited about it, and that's how I evolved into joining Splunk later on. So, the agenda for today: definitions, just to kind of set up baselines. Use cases for wireless geofencing. Data pieces, it's a big part of this presentation: sources, devices, where it's coming from, how to capture it, what kind of conversion needs to be done to the data, how to ingest it. Creating Splunk applications step by step, data visualization, Maps Plus, solving use cases, and a completed app demo. I obviously will not be able to cover everything about how to build Splunk apps, but I present pretty good steps so that every one of you can start today, and I think you will enjoy it if you haven't seen Splunk before. So, a couple of definitions. Wireless forensics, and when I try to come up with definitions, I try to come up with the simplest possible definition for things. Wireless forensics: the process of collecting and analyzing data from wireless devices. Geofencing: the process of defining geographical boundaries or zones for whatever purpose. It could be multiple purposes, but that's what geofencing essentially is. Splunk: how many of you could raise your hands who don't know what Splunk is? Okay, cool. I would say like 10%.
So, Splunk is software, it's a data analytics software platform to get insights from the data. When I worked at Morgan Stanley before Splunk, we got so many data sources coming in many different formats, and I was surprised that I could just throw it all at Splunk without any ETL, without any pre-processing, and Splunk would ingest and understand it and immediately, or almost immediately, would let me search through this data and correlate, combine, come up with the dashboards and visualizations of the data. Splunk ingests any kind of data imaginable. It should be in textual format, not binary. If you have, like, binary data, then metadata could be extracted and ingested, but otherwise CSV, pipe-delimited, any kind of log files obviously could be ingested by Splunk. Splunk is a very scalable solution, and what I love about Splunk is that you can download an absolutely free version of Splunk. It's a fully featured enterprise version, just go to the Splunk website, download it. Splunk charges for data ingest per day. I just want to be upfront about cost or free and things like that. If you ingest less than 500 megabytes per day, it's free forever. All of this fully featured enterprise tool is free. If you register for a developer account, which anybody could do, you get the ability to ingest up to 50 gigabytes per day. I think I'm right about this number. 50 gigabytes a day for free forever, if you're a developer. And you can do lots of things with this tool. Splunk is a super open platform. Everything is open. There are APIs, SDKs, gigantic documentation, all available online. You can install Splunk on the cheapest laptop you can come up with. It will work there. Or Mac, Windows, Linux. You can install Splunk in a thousand-node cloud deployment to scale up. We have customers who ingest more than, like, five plus petabytes of data per day into Splunk instances, and it works just beautifully fine. So it's a cool system.
When I first saw it, I got hooked on it. I literally spent the weekend building stuff on it. Okay. I just want to be aware of time because there's lots of material to cover. So: suspects, crime, and Wi-Fi signals. So imagine a couple of scenarios. Crime one: arson happens at location A at time one. And a similar arson happens at location B at time two. Kidnapping: location X, time three. A similar crime at another location at another time. Robbery at a location. And kind of similar patterns happen in different places at different times. So the questions. So we want to build a system that would help us to solve crimes. Who did it? Who was the possible suspect? Give us a full list of suspects. Who is the most probable suspect? We want to sort, at least. Top five, ten people, or like metadata that would possibly lead us to actual suspects. So we want to build a solution that, first, sorts Wi-Fi signals by the probability of being the suspect, taking GPS coordinates, time and signal strength into account to calculate this probability. While building this solution, working with Alex, we came up with a formula that actually helps to do just that. Basically, calculate a risk score that would sort metadata by the most probably belonging to the suspect. And this formula will be on one of the slides. And second, visually define multiple geofence zones. So essentially you will have a map. You'll be able to build a solution, have a map. All your devices, all your captured data sources will be on this map. You'll be able to visually define zones of interest. You will be able to define times for each zone and then correlate them together to find answers. So by monitoring the Wi-Fi spectrum for signals emitted by wireless devices, we can match crime scenes and times to wireless devices owned by possible suspects. So let me shift to the next slide. So last year there was a series of pipe bomb explosions, like a real case.
Police were investigating that, and typically they issue a warrant to Google because they know that, well, if the same person does that, maybe that person had an Android phone in his pocket, and Google would know everything, because Android devices, any phone, would just call home, ping home, and with that data the GPS coordinates of this device are being sent somewhere. And by correlating these areas and times of crime together, it's possible to pinpoint a possible suspect in this. So that's called geofence warrants. It's how law enforcement comes to Google and asks them to help. And Google is using something similar. I don't know exactly what the system looks like, but what we're going to build today looks something pretty similar to that. So essentially a zone is defined, a time is defined, and then multiple zones are defined, and then: show us all devices that were possibly present in all of these zones. And then we might get closer to the criminal who did that. So how to capture data? Now, I'm not going to focus too much today on actual packet disassembling, but basically on what we do after the fact. But to capture the data, on the left side is a kind of poor man's solution. You can get these cheap things, plug them into your laptop, or you don't even have to do that. So basically your laptop Wi-Fi card can capture the signal, you install Wireshark, and it will switch your network interface to promiscuous mode, and basically you start capturing Wi-Fi data from around you. So that's what I call the poor man's solution. Like, the real man's solution on the right side, it's Alex's Alftel devices that can capture multiple channels simultaneously. So if you don't want to miss anything, if it's a serious project, you want to have a device that will provide you, give you lots more capabilities. So Alex's devices are... Did you bring anything with you in your pocket? Yeah. So Alex's device is basically a Linux box connected to these multi-channel things. It looks like a spider.
This is how I call my app, Spider 2. But it's like multiple antennas, multiple channels simultaneously, pretty cool stuff. It runs Linux, and you can do anything with this device. It has an LTE interface. You can remotely control this device through your cell phone if you want to, from any country in the world. You can see what it's captured. You can program the device to send captured data anywhere you like. For example, to your Splunk instance, and it will show the stuff. So apps, or applications. Splunk has an app store called Splunkbase. Actually, "store" is the wrong word. Splunkbase.com is a repository of Splunk applications. 95% of them are free. Sort of like you download this app, apply it to Splunk, and it will give you some extra capabilities or extra visualizations. So it's pretty cool. You should check it out. There are lots of interesting applications that you can just download to Splunk, apply, and they will work, and it looks cool. Create a new app. So it's very easy. You go to Splunk, you log in to Splunk Web. So, by the way, when you install Splunk, everything you can manage through the web interface. If you're a developer, any instance of Splunk you can manage through REST API calls. I mean, literally, you don't need to use any UI. It's all a REST API-able system. Everything could be controlled. But visually, you can just follow the steps. I will not do a demo of these steps, but just click "create new app". And in like 30 seconds, you'll have your own blank new app. You create an index, which is the database you will ingest data into. And then capture data. Pcap files. If you use Wireshark, that's the quickest way to start capturing data. You can download samples from the web, but I think it's pretty interesting if you just do it yourself. Capture data in pcap files. Convert data to CSV format. So pcap is binary. We need to convert them to text, and we also need to specify which fields we are interested in within this data.
That would be, for example, MAC addresses. That would be some information related to beacons, and some capabilities of the wireless source would be there in this data. It could be gigantic. It could be as small as you like. Ingest data into Splunk, again, it's a pretty simple thing to do. There is a menu. Actually, let me just show you. So to ingest... This is a Splunk instance. It's kind of small. Let me just make it bigger. So to ingest data, you go to Settings, Add Data, and then it will let you... Now, this is like... This is a demo machine. It's actually in my home in San Francisco. I hope it works now. I'm fine today for the demos. But you can ingest data in so many ways, but the simplest way is Settings, Add Data, Upload, and you'll be done with that. So it's pretty straightforward. Okay, let me just go back. Okay. Ingest data, build analytical logic, dashboards, SPL queries. So that's what we'll be talking more about. Oh, so create a new Splunk app. I just specify the steps. The exact things you should click on, you know, in your menus after you install Splunk to make it happen. Pretty simple, all visual. There is... Actually, there is very little, zero coding to do to build the solution. You might adjust SPL queries a little bit, but there is not... Not much of a... Actually, you don't need to be a coder to do it. Capture data, convert data to CSV format. So what I used, we worked on data files, I used the tshark utility to convert them to CSV format. Actually, to pipe-delimited format. And so that's a command line. It's kind of gigantic looking, but essentially the reason it's so big is that I wanted to extract as many fields as I wanted to. And it's like -e field name, -e field name. That's why it's kind of so big. Let me see what's on the next slide. So that's the result of the converted data, how it looks. So essentially, let me just... So that's how it looks. So we have, like, a gigantic header. And that's how... I'm just trying to... Yeah.
Okay. I wanted to kind of make it on one line, but so after you run it, it's a pretty fast utility, it's a quick conversion to a CSV file. And at this point, this kind of file you can ingest into Splunk directly now. And that's what you will do following this guide. Splunk source type. For every data source you can send to Splunk, you can specify a little bit about how this file looks, which field... If some field needs a little bit of tweaking, you can specify that in this file with some instructions. I gave you... You will get it already pre... Not pre-installed, but like it was in the zip files that I'll give you to download. You can look at that, read the Splunk docs on what they mean. But essentially this configuration file means: the delimiter is a pipe, the line breaker is carriage return line feed, and it's CSV. And then I create some aliases, _ws.col.protocol as protocol. So kind of create aliases for fields to make it easier then to do searches and build dashboards after that. So, adding data to Splunk. If you manually update the source type props files that I specified in the previous slide, you run this change ownership command, make sure everything in your app is owned by splunk:splunk, and that's basically what this tells you about. Adding data to the index, again, a set of instructions, what you need to click to upload data to Splunk. So literally, having that couple of slides, you'll be able to upload data to Splunk. So after you ingest data into Splunk, you'll end up with kind of a bare index, and I want to show you how it works. So I go to the app, let's say you'll create this app. You'll go to this app, to search, and then you can do some ad hoc searching here. So what I do here, as I said: this is the name of my index, give me the most recent 100 results, and show me a table of results for these fields that I'm interested in. Timestamp, frame number, latitude, longitude and some information about the data that's within the file.
So I run this query, Splunk returns me results, I can see all of them and I can scroll. But remember, this gigantic, gigantic CSV file, there's, like, way more data here. So what I can specify is that, okay, well, you know, Splunk, show me everything you've got in my fields. So I can say, okay, table wlan*, and I can run the search, and now I get this table, but it's much wider. So pretty much every field here we can see. Scroll and scroll and scroll and scroll and scroll. Pretty cool stuff here, like capabilities, frequencies, signal strengths, vendor name for MAC address, and all this goodness here. You notice here the beacon frames and probe responses. So probes actually contain more interesting data that allows you to identify, kind of follow the source, and you can say, okay, Splunk, show me only packets that contain these probes. So I can just type probe here, index probe, and now I can see only probes for each MAC address, whatever they send, whatever they broadcast, and this kind of helps to identify the data source. Okay. Summary index. A summary index is a technique where, when you have ingested raw data but you actually search in a subset of fields, it's cleaner to create a secondary summary index that only contains the fields that you are interested in and the fields that you are going to search on more often. So the summary index, when you create it, will require some storage space, but it doesn't count toward your license. So from a long-term perspective, it's free for you. You can use it if it helps. So I present a couple of samples of queries, what's kind of why we create the summary index. So in some cases, sender name, that's a field I create that is a combination of the wlan.sa result, it's the source address, the wlan.ta result, the source, or source. Find me the first field out of these three that is non-null and consider it the sender name.
And so a couple of things like that, sorry, a couple of queries like that, would help me to extract fields, put them in the summary index, and then I would use that summary index to base all my dashboards and queries and all my analytics on. That's how we create the summary index. It's a sample of SPL that you run once if you want to do it ad hoc, manually. If you want to build the system to function automatically, you can create a scheduled search and say to run it every five minutes, because data is continuously coming in. And the links that I'll provide you to download this app will also have a readme file with the sample of the search that you can just copy-paste and run in your app when you create it. Data model. I just mentioned it. Accelerated data models. It's a way you can structure data within Splunk to query a hundred to a thousand times faster. It basically creates indexed fields for every field of interest, and if you have, let's say, hundreds of millions of events, and you want to search through all of them in, like, seconds, not hours, an accelerated data model is the way to go. So the Splunk 90/10 rule. The 80/20 rule: you can do 20% of the effort to accomplish 80% of the results. So in the Splunk world it's like you can do 10% of the effort to accomplish 90% of the results. So 90% of all dashboard logic code and all the kind of analytical layer could be contained in XML. When you create an app, you essentially create XML files with some text configuration files. You can drive it completely through the web UI. You don't need to do any coding. You can customize stuff with CSS and JavaScript, of course, but it's very visual. 90% of all dashboards could be built as follows. So basically you go to Splunk ad hoc search. You run some query. Let's say I want to create a query that shows me the fields of interest, and now I want to create a dashboard. So you can essentially save it as a panel, and that's how a dashboard gets created in Splunk.
So like 90% of how people build dashboards actually starts with this ad hoc search, save as a dashboard or panel, and then you start building this visual interface. So that's essentially what I mentioned, specified here. When you run a query, let me actually do a little bit of demo for that right after this. So when you run a query in Splunk, by default it returns you a table, but you can also select a visualization. Like, say to Splunk, I actually want to visualize this result in some interesting way, and I'm about to do a demo for you of how it works. So this is a query that goes and searches our summary index that we created, and I'm only interested in three fields. I'm interested in latitude, longitude and description, which is access point names. So I want to visualize, from my pcap file, on a map, where these access points are. So I run this query first, make sure it returns me latitude, longitude and access point name. Now I click on the visualization section, and here I can select how I want to visualize this data. Now, bubble chart, the type of visualization selected here, doesn't make much sense for that type of data. So I click on this icon and Splunk shows you all the visualizations that are available to you to visualize the data set. So let me just find the Maps Plus app. So Maps Plus, I added it to Splunk already. So I click on it and basically that's what happens. So instead of, like, a bubble chart or whatever, I just said, okay, use the maps visualization for that data set. Each visualization requires certain data fields to be present, and Maps Plus is really happy that I have latitude, longitude and description, and now I can actually zoom in on these data points and I can see exactly where they were captured. So that's basically a law enforcement vehicle with Alex's device installed that was driving around and collecting data. Now, the data I've shown here is anonymized, but the essence is the same. So that's how it works.
And then you can zoom in further and see device identifications; any metadata that is present in pcap files would be shown here. So that's how it works. About the Maps Plus app: you can click on Format, and there are, like, literally hundreds and hundreds of options you can change. You can say, okay, well, I don't want OpenStreetMap, I want some sort of, like, dark representation of the map. So now we have, like, this, you know, cool dark map that is showing essentially the same thing. You can go to Format, you can select clusters, you can select markers, heat maps, and I'll show you heat maps pretty soon. You can decide to apply Bing maps with your API keys. You can decide to represent data as Google Places around the captured points, for example. You can pick and choose custom colors for every little bit and piece that you want to put on this map. So they're pretty flexible capabilities that would be pretty interesting to employ here. I actually think I ran a little bit ahead, so that's the demo I just showed you about how this map looks. Pretty simple again, fully visual: in like two minutes you can run a query, save it as a dashboard with a map there, and kind of start building from there. That's kind of one of the demo snapshots of what this map is capable of. So Scott Haskell decided, as a demo, to visualize all the criminal activity in Chicago. When he downloads this criminal activity CSV from a police website, you know, this map looks like, oh my god, there's a lot going on here. You can filter on different crimes and do lots of sorting here. Pretty interesting stuff, but you can represent each dot; you can say this type of crime is a red dot, this type of crime is, like, a big purple dot, so it's fully customizable here. So when I did the work with Alex, we were provided with a number of data sources, data files, which were captured by two different devices basically, or two different vehicles.
And one of the asks was how we can, is it possible to add a heat map on the map that would represent the strength of a signal source. And when you capture the data with Wireshark or with Alex's devices, typically this signal strength will be present there. And so based on this field value we came up with SPL. SPL is the Splunk Processing Language. So that's basically a query where we calculate a heat map on three zones, like weak, medium and strong. And then basically create a table: latitude, longitude and heat map. And from this point on, that map that I showed you suddenly will show a heat map like this. And that would be, I believe, this demo. So that's how the heat map looks for the same data, the same data set, but with the heat map functions added to the query. And now you can zoom further. Each heat map is presented as a separate layer. I can say, okay, just show me the strongest signal sources here. So I can filter out the weaker layers and just see what the strongest signals look like on this map. Where exactly they were located and how they were called. Things like that. So they're pretty interesting capabilities. And then I can also choose to, okay, just don't show me points, just show me the heat map. I want to see how covered this area is by the signal. So I can do things like that as well. Let me just make sure I'm not jumping too far ahead. So I want to show you this. It's kind of high resolution, like, I worked on this map for a 4K screen. I'm trying to squeeze it here. Basically these panels, it's a simple search, running against this pcap capture data, that shows senders, receivers, access points, and protocols that were engaged in this data. And now I can do lots of filtering. For example, I can see, okay, show me only this data, only this sender MAC address. So I can click on a MAC address. Splunk will recalculate all statistics based only on that data source. And it will show me, on the map, this data source.
And it will show me all the statistics that are related to this. Whom this source was talking to, what kind of protocols were used, what kind of access points were involved in these conversations, and things like that. So I can also see, like, this chart on the right shows me multiple sets of data, like protocols or access points. So I can choose to expand the time chart, and now this time chart kind of looks more user-friendly. And it's interesting to see a spike on this chart. I can zoom in on the spike and see all the access points or data sources that were responsible for this spike in conversations. I can see MAC addresses. I can sort data by the vendor of the MAC address. I see the Cisco devices. 18 MAC addresses were captured that were responsible for most of that traffic within this time frame. I can choose to represent data instead of protocols or, for example, on this chart I see access points, but I want to see protocols. So I can drill down in a certain drop-down, protocols, and Splunk will recalculate everything and show me the protocols. So 802.11 is probably the most present data source. Now we have some DNS frames. We have other protocols, and I can, again, zoom in and see who is responsible for the most DNS queries, or some interesting things that I might be able to find. And the data on the map will automatically be redrawn and show me only the sources that I'm interested in. All these queries will be, so you'll get a copy of this map and see all of this app and see exactly how it's implemented. Basically, to design this dashboard, you can just click Edit and start adding controls to the, let me just do it. So click Edit, and then I could, let's say, add a panel or add an input, and the input would be one of these, like text, radio button, drop-down, checkbox, and so I added a couple of these textual inputs that will allow me to do filtering on this data.
And so when I click on one of these names or MAC addresses, I automatically populate one of these inputs, and the search query picks this up and recalculates everything. So it's a pretty flexible system that you can build and design totally visually, without coding. Correlating data from multiple capture devices: so I want to cover this suspect score, how we calculate the possible suspect score. So imagine we have fixed capture points, capture devices like that, where they are installed in the areas, maybe more areas of interest where crime usually happens, or some security areas that need to be monitored, and we need to investigate events that happen in multiple places, and each device has some captured data for us. So what we want to find is devices that were present at those times in these two locations, which is pretty easy to do. We can just do stats, that's a sample of the query: stats by sender MAC, and show us dc(src), which means the number of distinct data sources for each MAC address. So if this MAC was present in two places, this dc(src), this places variable, will be equal to two. So show me, for all MAC addresses, where places is more than one. Now, this will give us a list of all devices that were present, but it doesn't calculate any score. They are kind of, like, equal at this point. So we want to actually calculate, come up with a way to calculate the score for each device, to consider that some of them are more probable suspects and some are less. So in this case we consider signal strength, which we have available. So we have signal strength, time and location. In this case, that's how we calculate the score. So we basically take the signal strength and divide it by 20. So we come up with five levels of signal strength, and it becomes a dBm score at this point. Oops. Just a dBm score. So the total score of each MAC address will be the sum of scores at each location multiplied by the square root of the number of places.
So to explain it in kind of human terms, what we're looking for: if we have one strong signal in one location, and we have another signal which was very weak but in both locations, we want this weak signal source to have a higher score than this strong signal source, because the strong one was only at one location. So that's the formula; it takes care of that. And the result of that calculation I'll show on one of the next dashboards. So this table in the middle, that's actually what it does. So in this app I have two data sources available, S1 and S2, and the task it is solving is: find me all MAC addresses that were present in both locations and sort them with the highest score on top. And so that's the result of it, and then I can see some identity of the signal sources that were captured and have the highest score. So that's essentially this formula applied, and this dashboard is the result of it. Now, jumping to the actual geofencing here: the Maps Plus app has capabilities that let you define geofence zones, and each zone, once you define it, and I'll show you how, is represented by a series of "latitude,longitude;" entries. So if you define a zone with, like, six dots, it will come up with a string of all these GPS coordinates together, and you can copy and paste the string or look at it. And Splunk will, so the task that this dashboard will show, that I'll show you next, will calculate the presence of every access point in every geofence zone defined. So that's how it looks as a result, and I want to show you the demo now. Demo 4, and that's the actual dashboard. Just make it zoom out a little bit. So we have maps here, that's the data represented on the map, no zones defined yet. I made it so we can define four separate zones here, zone one, zone two, up to zone four, and for each zone we can define a specific time frame.
So if I'm interested in, if I know that a certain number of events happened, and I know the timing of these events, and I know the location of these events. Now I want to find which data sources, which signal sources, were present in all of these locations. So what I can do here, for example, let's define a zone right here. So I click on "start new measurement" and I start plotting the points just by clicking here, and then double-click on my last point, and here I have the zone defined. So feature definition, that's the long string that actually lists all the coordinates that are part of the zone, and I copy and paste it into the zone one boundary. So when I do that, Splunk actually calculates the bounding rectangle around this polygon and gives me the result. So we got this bounding rectangle for our zone here. So what next? So next we want to define two more zones. So I go back, create a new measurement. So, for example, I know something happened in this area. So I want to define a zone around that area. I want to take the feature definition, which is the information about the zone, paste it, tab, and Splunk recalculates everything after each zone is defined. So now I have a second zone. Now I want to define a third zone. So, new measurement. Each zone is colored differently, for simplicity, to visually understand it better. So I copy the zone definition from the third zone and paste it into the zone three boundary here. Now I've got three zones defined. I also can define a specific time frame for each zone. I don't want to do it right now. It gets a bit, kind of, it will take too much time. But it's easy to do in Splunk. You can just click on this time and easily define a relative time, or a date range, or a date and time range, in so many ways, so it's possible to do. Now I want to find the data that we show in this table on the left, which is matching signal sources across all defined constraints. So right now I have lots of results here, and why? Because the matching rule, as this drop-down says, is "show everything, ignore zones".
So basically, show all the data that I have. I can actually apply any rule I want here. For example, I can tell Splunk: show me the points, I have three zones defined, but I'm interested in points that were present in at least two zones. So I can just click here and Splunk will recalculate all this data for me. And so now, instead of a few hundred points, I get only four. So only four points, but these four were present in at least two zones out of three. So this point, wire zero two, was present in zone number two and number three; Unity media was present in zone number one and number three, and so on. If I want to find all points that were present in all defined zones, I can just select this one, "present in all defined zones", Splunk will recalculate for me and give me an answer, which would be probably just one point. So now I have only one signal source that was present in all these three zones at all the specified times. And now I can visually tap into all the data I have and pretty quickly get answers to all the kinds of questions that would allow me to correlate data sources between different times and geographical coordinates. Live demo, that's what we just did, and I finished a bit early. So, geofencing: xp.us/geofencing, that's where you can go and download this app, and download the readme files that show you step-by-step instructions on how to install it. I might be missing something, so please feel free to send me an email or add me on LinkedIn and ask me any questions; I'll be happy to help, and I'll probably send some of these readme files or maybe the app later on. So that's what I wanted to cover, to introduce you to this technology, what it can do for you and how you can play with it.
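The multi-zone matching just demoed (each zone given as a "lat,lon;lat,lon;..." feature definition, reduced to its bounding rectangle, with an optional time window per zone, and a rule of "ignore zones", "present in at least N zones" or "present in all zones"), as an added Python example that is not part of the talk's app or of Splunk's own code; the zone coordinates, MAC addresses and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample zones: (feature definition string, optional (start, end) window in ISO-8601).
ZONES = {
    "zone1": ("52.520,13.400;52.520,13.410;52.525,13.410;52.525,13.400",
              ("2019-05-01T10:00", "2019-05-01T11:00")),
    "zone2": ("52.530,13.420;52.530,13.430;52.535,13.430;52.535,13.420", None),
    "zone3": ("52.540,13.440;52.540,13.450;52.545,13.450;52.545,13.440", None),
}

# Constructed capture records: (mac, lat, lon, timestamp).
CAPTURES = [
    ("aa:bb:cc:00:00:01", 52.522, 13.405, "2019-05-01T10:30"),  # zone1, inside its window
    ("aa:bb:cc:00:00:01", 52.532, 13.425, "2019-05-01T12:00"),  # zone2
    ("aa:bb:cc:00:00:01", 52.542, 13.445, "2019-05-01T13:00"),  # zone3
    ("aa:bb:cc:00:00:02", 52.522, 13.405, "2019-05-01T09:00"),  # zone1 area, outside window
    ("aa:bb:cc:00:00:02", 52.532, 13.425, "2019-05-01T12:10"),  # zone2
    ("aa:bb:cc:00:00:03", 52.600, 13.500, "2019-05-01T12:20"),  # in no zone
]

def parse_feature_definition(s):
    """'lat,lon;lat,lon;...' -> list of (lat, lon) floats."""
    return [tuple(float(v) for v in pair.split(",")) for pair in s.strip(";").split(";") if pair]

def bounding_rectangle(polygon):
    """(min_lat, min_lon, max_lat, max_lon). Note: this over-approximates a non-rectangular polygon."""
    lats = [p[0] for p in polygon]
    lons = [p[1] for p in polygon]
    return (min(lats), min(lons), max(lats), max(lons))

def in_zone(lat, lon, ts, rect, window):
    min_lat, min_lon, max_lat, max_lon = rect
    if not (min_lat <= lat <= max_lat and min_lon <= lon <= max_lon):
        return False
    return window is None or window[0] <= ts <= window[1]  # same-format ISO strings sort lexically

def zones_per_mac(captures, zones):
    """Map each MAC to the set of zone names whose rectangle and window it was seen in."""
    rects = {n: (bounding_rectangle(parse_feature_definition(fd)), w) for n, (fd, w) in zones.items()}
    seen = defaultdict(set)
    for mac, lat, lon, ts in captures:
        for name, (rect, window) in rects.items():
            if in_zone(lat, lon, ts, rect, window):
                seen[mac].add(name)
    return dict(seen)

def match(captures, zones, rule):
    """rule: 'ignore' (show everything), an int N (at least N zones) or 'all' (every defined zone)."""
    if rule == "ignore":
        return sorted({c[0] for c in captures})
    need = len(zones) if rule == "all" else rule
    return sorted(mac for mac, zs in zones_per_mac(captures, zones).items() if len(zs) >= need)
```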
So, back to my time before Splunk: my boss told me I was hired actually to deploy one of the IBM analytical systems into a bank environment, and so I was working with the fraud and security teams, and they kept coming to me asking questions like, help us investigate a crime, help us investigate this suspicious, fraudulent or anomalous activity on our user accounts. So what I had to do, I had to extract data from the IBM system and ingest it into Splunk to actually find an answer to the question. My boss told me it's super hard to do, do the work on the IBM system, not on Splunk, so I actually had to spend the weekends working with Splunk to actually come up with the answers. And security, I really love working on security data sets and finding suspicious activities there. So anyway, eventually I just joined Splunk and I'm super happy now. So yeah, please, any questions? Thank you. Say it again? So, yes and no. For this specific app it was like a POC, and there is the concern of really putting an identity to the device, because MAC addresses could change. I think the probe packets would help to identify the device, or provide some context for the device even if it changed MAC. I'm not an expert in that, though; probably ask somebody who knows how to identify devices that have random MACs. But I don't know, Alex, is it like, what's today, is it a concern, or like how? I found that in the device capabilities there are some data points that show, for example, WLAN supported rates, frequency; there are some device capabilities that also help to put some metadata on the device even though it would change MAC. But yeah, I guess there are multiple answers to this question, but somebody who is an expert will probably be able to dig deeper. Well, I guess, thanks guys, appreciate it, good to be here.
