Configuring and optimizing Enterprise Security
The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For assistance with ES 8.x, Splunk Professional Services can help.
Adding asset and identity data
Adding asset and identity data is a best practice and is required for effective use of Splunk Enterprise Security. You can register asset and identity data in some different ways:
- Manually register asset and identity data in the Asset and Identity Manager
- Use LDAP to register data in the Asset and Identity Manager
- Use your cloud service provider data to register data in the Asset and Identity Manager
For detailed information on these processes, refer to Splunk Docs.
If Professional Services handled your installation and configuration, the process of adding asset and identity data will have been started for you.
Configure users and roles
Splunk Enterprise Security adds three roles to the default roles provided by the Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security based on a user's access requirements. The administrator can assign groups of users to the roles that best fit the tasks the users will perform and manage in Splunk Enterprise Security. To learn more about each role and how to add capabilities to them, see Splunk Docs.
Enrich data
Enriching data involves using assets, identities, and threat intelligence.
Threat Intelligence (TI) is an important asset for data enrichment that speeds up incident response. TI is information that has been collected, analyzed, and evaluated for reliability by people with deep security expertise. It contains information that helps consumers of the TI to conduct faster incident investigations and responses. The TI is packaged for easy integration with security analytics tools such as Splunk Enterprise Security, and with orchestration tools such as Splunk SOAR.
Splunk also has a Threat Intelligence Platform (TIP) that helps with the acquisition of TI from Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs). The TIP also allows the creation and sharing of site-specific TI to be shared back and participate in the intelligence cycle. The Splunk TIP can be integrated with ES by using the TruStar Unified App for Splunk Enterprise and Enterprise Security.
Explore additional content that helps you better understand enriching data in Splunk Enterprise Security:
- Docs: Add threat intelligence to Splunk Enterprise Security
- .conf session: Transform your intelligence for informed, actionable automation
- .conf session: Integrating a threat intelligence platform
- Blog: Asset & identity for Splunk Enterprise Security - Part 1: Contextualizing systems
- Blog: Asset & identity for Splunk Enterprise Security - Part 2: Adding additional attributes to assets
- Blog: Asset & identity for Splunk Enterprise Security - Part 3: Empowering analysts with more attributes in notables
- Blog: Threat intel and Splunk Enterprise Security Part 1 - What’s The point of threat intel in ES?
- Blog: Onboarding threat indicators into Splunk Enterprise Security: SolarWinds continued
Configure correlation searches
A correlation search is a type of scheduled search that scans multiple data sources, which can then be used to detect suspicious events and patterns in your data. You can configure a correlation search to generate an adaptive response, such as creating a notable event when search results meet specific conditions. You can then investigate notable events using the Incident Review dashboard in Splunk Enterprise Security. This dashboard presents the conditions discovered by the search. The urgency of the event and other contextual information are also shown so you can determine next steps as quickly as possible.
Correlation searches are often synonymous with use cases. Security-focused use cases often involve searching for an indicator of compromise, and when found, raising it as an event for investigation or remediation. Many repetitive tasks involved in investigation and remediation should be automated with a SOAR product like Splunk SOAR.
To configure a correlation search:
- Access the Configure drop-down menu from the app.
- Select Content Management, and set the type to Correlation Search.
- You can then enable and disable searches, update the settings that dictate how they run, change the search logic, and throttle their adaptive response actions. This configuration page is where much tuning and development will take place.
Determining what to search, filter, or adjust can be complex. If you need direct help, use On Demand Services early and often to access experts available on request. You can also access a catalog of some of the services available to you.
It is best to enable one correlation search at a time, understand how that search works, and validate it provides valuable information, not just noise. Enabling too many searches at once risks your SOC being flooded with alerts which may be hard to fix. It's best to start small, as the speed of enablement, validation, and tuning will get faster with practice. No SIEM is a set and forget endeavor. It requires a practice of continuous improvement because the nature of security is itself dynamic.
The beauty of Splunk Enterprise Security is that it is so expressive in its ability to be improved and pivot in different directions as an investigation or hunt unfolds. This flexibility makes your learning curve steeper, but is well worth the effort because after you have a working knowledge of how to use it, your ability to detect, respond, and act on security incidents will be robust and fast.
Configuring searches is a big topic. If you'd like to go deeper, here is some more useful content to read:
- Docs: Correlation search overview for Splunk ES
- Docs: Configure correlation searches in Splunk ES
- Blog: Upping the auditing game for correlation searches within Enterprise Security — Part 1: The basics
- Blog: Analytics stories for Splunk Enterprise Security, Part 1: Organizing my security use cases
- Product Tip: Using the Splunk Enterprise Security assets and identities framework
RBA
You can use Risk-based alerting (RBA) in Splunk Enterprise Security to help you implement use cases more efficiently. To get started with RBA, see the following resources:
- Splunk Lantern: Risk-based alerting
- Splunking for outcomes: Kicking off your RBA Journey
- Webinar: The future and foundation of next-generation security
- Solution guide: Embark on your risk-based alerting journey with Splunk
- .conf Talk: Detecting suspicious GitHub behavior with risk based alerting and Enterprise Security
Behavioral Analytics for Splunk Cloud Platform ES customers
To leverage threat detections so that you can monitor cyber threats and enhance your security operations, you can enable behavioral analytics service on Splunk Enterprise Security. Behavioral analytics allows you to ingest raw data from various supported source types and provision tenants automatically. You can also forward notables, risk events, assets, and identity data from Splunk Enterprise Security to the behavioral analytics service.
To learn more about how to enable behavioral analytics, see Splunk Docs.
Splunk Mission Control
Splunk Mission Control is an application in Splunk Enterprise Security that provides a unified, simplified, and modern security operations experience for your SOC. With Splunk Mission Control, you can unify detection, investigation, and response capabilities and data to take action based on prioritized insights, simplify operations by codifying your processes into response templates, and modernize your SOC with security automation (SOAR). Eligible users of ES Cloud deployed in the AWS regions shown on this page can access Splunk Mission Control directly from Splunk Enterprise Security via App selector > Mission Control > Enable.