Sharing data between Splunk ITSI and Splunk Enterprise Security

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

SOC (Security Operations Center) and NOC (Network Operations Center) teams often work in isolated silos. This fragmented approach hinders effective collaboration between these teams during incidents. This can result in slower incident response times, inefficient investigations, and a higher likelihood of overlooking critical information.

Solution

The Splunk App for Shared Alerting helps you bring the SOC and NOC teams closer together, giving them greater visibility of what is happening in their environment. Having better visibility allows the teams to collaborate during an incident, investigate more efficiently, and resolve incidents more quickly.

To get started, download the app and follow the installation instructions. Ensure that the app is installed on both the Splunk Enterprise Security (ES) and Splunk ITSI search heads. There is a small amount of configuration that is needed, which includes creating two indexes in the indexer cluster that is shared by the ES and ITSI search heads. You will also need to enable the correlation searches in ES and ITSI that ship as part of the app.

Tweaking

There is filtering for both ITSI and ES built into the app. You might want to adjust what is shared between teams.

For ES, you might want to change the notable urgencies that are shared with ITSI. You can also use the filter macro to remove certain rules (source), domains (security_domain), or tags (tag). If the field is in the notable index you can use it in the filter macro.

Similar adjustments apply to the ITSI filter macro. You could make a simple adjustment, like including other Notable Event Aggregation Polices you want to filter. Or you could do something more advanced like having a number of events as part of the episode (itsi_group_count), looking for a specific KPI (kpi or kpi_name), or filtering for a specific keyword in the episode description (itsi_group_description). If the field is in the itsi_grouped_alerts index, it can be used in the ITSI filter macro.

Outcome

After everything is set up and running, you should see additional context in your ES notables and ITSI episodes.

This screenshot shows an example of the additional context in ES.

This screenshot shows an example of the additional context in ITSI.

This additional context should make it easier to know when another team is working an event that involves the same machine. You can then easily collaborate with that team to quickly investigate and resolve the issue.

Next steps

These resources might help you understand and implement this guidance:

Github: Splunk App for Shared Alerting overview
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you require assistance.