Dsdl

Most security teams have the same problem: data volume is growing faster than analyst capacity, and signature-based detection alone is not catching the sophisticated, low-and-slow attacks that matter most. Machine learning promises to help, but production ML in a SOC is genuinely hard to operationalize. The gap between a data science notebook and a running inference pipeline that feeds your SIEM is wider than most blog posts acknowledge. This series documents the end-to-end build of a working edge AI inference pipeline in a real security lab – not a cloud demo, not a toy dataset. The hardware is four NVIDIA Jetson Nano 4GB Developer Kit nodes. The SIEM is Splunk Enterprise 10.0 with Enterprise Security. The ML toolkit is Splunk’s own Deep Learning Toolkit (DSDL). The detection targets are real security data sources: Zeek connection logs, Splunk Stream DNS telemetry, and Windows Security event logs. ...

Introduction In Part 1, you learned why an edge AI inference pipeline is a compelling approach for security operations, and you understood the key constraints imposed by the Jetson Nano 4GB hardware and DSDL 5.2.3’s actual behavior. In this post, you will build the inference container – every file, every command, and every decision explained. The build covers four areas: the Dockerfile and its critical dependencies, the DSDL-native Flask application that implements the correct wire protocol, TLS certificate generation using a lab CA, and the distribution workflow for deploying the finished image to all four nodes. ...

Introduction In Part 2, you built four HTTPS inference containers running on Jetson Nano hardware. They are healthy, serving the DSDL-native protocol, and waiting for requests. In this post, you will wire everything together: Splunk DSDL installed on the search head, HEC configured on the indexer cluster, and the exact configuration files that make DSDL’s fit and apply commands route correctly to your containers. This is the most configuration-dense part of the series. It is also where most implementations break down – not because the concepts are complex, but because DSDL 5.2.3 has several undocumented behaviors that only become visible when you read its Python source code. This post documents those behaviors explicitly so you do not have to discover them through trial and error. ...