Use cases drive the security focus of any mature security organization. The ability to implement content on demand and adapt to a dynamic security environment is what makes Splunk Security Essentials (SSE) a must-have enhancement for security investigations on Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk SOAR.
As a security analyst you need detailed security detections and deep analytic stories that get you to the answers without leading you down rabbit holes that consume time and resources and leave risks unaddressed.
Splunk Security Essentials
Splunk Security Essentials improves security operations and investigations with an extensive library of over 900 pre-built detections and data recommendations for a multitude of Splunk environments, from Splunk Cloud Platform to Splunk Enterprise Security and our Splunk SOAR offerings.
SSE provides teams with a guided, measurable path to program maturity. Users can explore content through a variety of views and filters to find content based on their interests, understand what data they have or might need to implement that content, deploy content to their environment, and easily measure their security maturity level from a variety of dashboards and heat maps based on today’s common cybersecurity frameworks.
Adopting SSE content into an already curated Splunk Enterprise Security deployment enables your analysts to conduct more insightful security monitoring and expands your threat detection, investigation and incident response processes. SSE is the kickstart that will dramatically strengthen the SOC.
The benefits and value of SSE include:
- Improved detections: find the content that is most relevant to your environment
- Learn Splunk and detections through rich content documentation and easily interpretable descriptions
- Improve production deployments
- Operationalize frameworks like MITRE ATT&CK and Cyber Kill chain
- Measure your success
- It’s FREE on Splunkbase!
SSE provides out-of-the-box security use cases and actionable security content to begin addressing threats and assessing gaps quickly and efficiently. You can leverage the wide-ranging use case library to eliminate gaps in your defensive posture, implement detections, and measure and justify new sources of data based on coverage of threats and risks to the business. Additionally, the deep integration with MITRE ATT&CK and the Cyber Kill Chain helps you configure ES by pushing attributions to the Incident Review dashboard, assess your level of coverage of ATT&CK tactics and techniques, and integrate easily with risk-based events and alerting.
- Security Content Library
  - Browse, bookmark and deploy over 900 security detections with a few clicks.
  - Find the right security content by filtering by use case, threat, data source or cybersecurity framework.
  - Stay ahead of threats with content that pulls the latest detections from the Splunk Threat Research Team.
- Cybersecurity Frameworks
  - Automatically map your data to cybersecurity frameworks such as MITRE ATT&CK and Cyber Kill Chain.
  - Measure your business posture against the frameworks and easily identify gaps to strengthen your defenses.
  - Drill down on MITRE tactics, techniques and threat groups to understand which detections are tied to different phases of the Kill Chain.
- Data and Content Introspection
  - Inspect and analyze data and security content already in your environment.
  - Gain a better understanding of your Splunk environment and of how your data is, or can be made, Common Information Model (CIM) compliant.
  - Enrich your existing security content with tags and metadata such as threat and data source categories, MITRE ATT&CK notes and more.
- Security Data Journey
  - Develop a maturity roadmap with security and data recommendations.
  - Track and measure your progress through the Security Data Journey.
  - Easily implement best practices and detections with the data you’re already collecting.
  - Prioritize ingestion of new data sources to increase coverage and reduce risks.
Curate your own content library with the bookmarks feature in SSE. With it you can build a repository of security content for planning, know whether data is missing that the content needs to be effective, track its implementation status, and export content in a variety of formats to integrate easily into another Splunk environment.
Why implement SSE and use security content use cases?
SSE is an extensive security content library providing detailed guidance on what, why, and how to expand your security use case content on Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics and Splunk SOAR environments. SSE uses standard SPL searches combined with data prerequisites to help you determine whether a use case has the right data in place to gain the most value from the content you are interested in. Implementing an SSE use case requires three simple steps:
- Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
- Verify that the data format (or a lookup, if appropriate) is accurate so that you are just looking at items of focus.
- Save or Schedule the search.
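The three steps carried through for one concrete case, as an added example and not SSE's own packaged content: a savedsearches.conf fragment whose first stanza is the data prerequisite check (step 1) and whose second stanza is the detection, narrowed by a lookup to items of focus (step 2) and saved and scheduled (step 3). It assumes the CIM Authentication data model is populated; the stanza names, the 20-failures-per-hour threshold and the known_noisy_sources lookup definition are assumptions.

```ini
# savedsearches.conf fragment, added example (not SSE's packaged content).
# Both searches read the CIM Authentication data model, so they assume an
# authentication source (for example Windows Security logs) is onboarded
# and CIM compliant. Stanza names, threshold and lookup are assumptions.

# Step 1: data prerequisite check, run ad hoc before scheduling anything.
# One row per sourcetype that feeds failures; fields_ok = "NO" means src
# or user is not being extracted and the detection below cannot work.
[Prereq - Authentication failures with src and user extracted]
enableSched = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = | tstats count AS failures dc(Authentication.src) AS distinct_src \
              dc(Authentication.user) AS distinct_user \
          from datamodel=Authentication \
          where Authentication.action="failure" \
          by sourcetype \
        | eval fields_ok = if(distinct_src > 0 AND distinct_user > 0, "yes", "NO")

# Step 2: keep only items of focus. The lookup definition known_noisy_sources
# (assumed; columns src and reason) lists vulnerability scanners and
# monitoring hosts that legitimately fail logins in bulk.
# Step 3: saved and scheduled five minutes past each hour over the previous
# 60 minutes, raising a tracked alert only when at least one row comes back.
[Detection - Excessive failed logins by source]
description = Sources with 20 or more authentication failures in one hour, \
              excluding known noisy sources (assumed threshold).
search = | tstats count AS failures dc(Authentication.user) AS distinct_users \
          from datamodel=Authentication \
          where Authentication.action="failure" \
          by Authentication.src \
        | rename Authentication.src AS src \
        | lookup known_noisy_sources src OUTPUT reason AS excluded_reason \
        | where isnull(excluded_reason) AND failures >= 20 \
        | sort - failures
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = @m
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
```

Run the first stanza from the app's saved searches list and confirm every row shows fields_ok = "yes" before enabling the second; a "NO" row points at the sourcetype whose field extractions need fixing.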
The components that make SSE so valuable to use case expansion are:
- Use case and categorization
  - Select from predefined Security Use Cases and drill down through specific threat categorization.
- Data availability
  - Understand the data you have and its quality, or the data you need to add value to your security operations.
- Cyber framework attribution
  - Enhanced by MITRE tactics & techniques and Cyber Kill Chain phases.
- Search results and SPL
  - Understand what is occurring under the hood with line-by-line SPL documentation.
- Visualizations & introspection
  - Analysts use dashboards and heatmaps to assess posture and identify gaps in threat coverage.
  - Examine your current saved searches, determine detection alignment to SSE content, or create custom detections.
Security Essentials content and native detections can be sourced from the collection of out-of-the-box searches, or you can easily create your own custom saved searches and build your own library, using SSE as a content catalog.
How to implement Splunk Security Essentials and use Security Content use cases
Locate and review use cases from the Security Content page
The Security Content page is the main landing page for Splunk Security Essentials. From this page you can easily get a complete list of content or dive deeper into any individual item using a variety of filters. Let’s explore some of the items in Stage 1 of the Security Journey.
1. From the main menu in Splunk Security Essentials, navigate to the Security Content page.
2. Navigate to Monitoring and Detection as your starting point. SSE has nearly 120 detection searches in Stage 1.
3. Click a detection search to learn how it can help you. For example, clicking the detection search Basic Brute Force Detection lets you drill into its context so you can understand the impact of the search, how it works, how to adapt it to your environment, and how to handle the alerts it generates. The content details show the following information:
   - Data Source Links: Click these links to see several popular technologies that provide those data sources, not just a list of technology names. You can also find the installation documentation here.
   - Related Splunk Capabilities, Known False Positives, How to Respond: Each of these elements helps you learn how to implement and respond to these searches.
   - Enable SPL Mode: Toggling on SPL mode shows the prerequisite checks that make sure you have the right data onboarded, gives access to the Open in Search buttons, and lets you schedule the saved search right from the app. If your environment is not fully compliant, SSE provides guidance on how to address it.
4. Click the Line-by-Line SPL Documentation link to bring up a commented version of the search. This helps you understand what the SPL is doing and what happens when your use case runs.
5. Click the View SPL link to access the View buttons, which show the searches available for each security content item.
6. You can also open the How to Respond section, which helps you understand why this use case fires and what you can do to ensure correct identification and handling.
Understand the data you have and let Splunk Security Essentials guide you to valuable content
You can use SSE to take advantage of the work you have already done in your environment by configuring the products you have implemented in the Data Inventory dashboard.
The Data Inventory dashboard is used to configure the products you have in your environment. Products have a variety of metadata such as sourcetypes, event volume, and Common Information Model (CIM) compliance, and are connected with data source categories. The Data Inventory dashboard can show you what content can be turned on using your current data.
To use the Data Inventory dashboard, follow these steps:
1. Navigate to Data > Data Inventory.
2. From the pop-up window, select how you want to get your data into this dashboard:
   - If Splunk Security Essentials is installed on your production search head, click Launch Automated Introspection to import data automatically. Introspection allows Splunk Security Essentials to see what data you have available to use across the app.
   - Otherwise, click Manually Configure to enter your data manually.
3. If you chose Automated Introspection, click Automated Introspection to see the five automated introspection steps that pull in a variety of data.
4. If any of your sources or source types don't appear correctly, click Update in the Actions column to make changes.
5. Once your data appears in the menu, if there is an X or a question mark (?) beside a data source, manually review that data source to see whether you have that type of data in your environment.
Review MITRE ATT&CK tactics and techniques and find detections
As you review common cybersecurity attacks and threats, you might notice that most reports provide common framework alignments, such as the MITRE ATT&CK techniques used in the attack.
Follow these steps to search for these MITRE ATT&CK techniques in SSE to quickly see if your environment has detections to help protect against them:
1. From the main menu in Splunk Security Essentials, navigate to the Security Content page.
2. Copy and paste or type one or more MITRE ATT&CK technique IDs from the attack report into the search bar. Alternatively, add the ATT&CK Technique filter and select the technique IDs you want to find content for.
3. Review the detections that appear to determine whether your environment is protected against the potential attack.
4. (Optional) Click Edit and enable the Content Enabled filter and the Data Availability filter. Use the Content Enabled filter to show only detections that are already running in your environment; if a detection is enabled, you already have some protection against the listed techniques. Use the Data Availability filter to show only detections for which you have the data available.
It has never been easier to implement security content in your environment than using SSE. Using these steps, you can start assessing and adding more detections to your security posture. SSE is there to help guide you along the way and help you measure up in your Security Journey.
SSE Security Journey
No matter where you are in building out your security operations and processes, SSE has a way to help you assess, implement and measure your progress. Using the SSE Security Data Journey, you can develop a maturity roadmap with security and data recommendations to secure your business. You can track the progress of your security program and understand milestones and possible challenges at each stage of the journey. You can also implement best practices and security detections with the data you’re already collecting, improving your security posture. Finally, you can use the data onboarding guides to collect and analyze additional host, network, and account activity.
For a comprehensive Splunk Security Essentials demo or to engage Professional Services for setting up SSE in your environment, reach out to your Splunk account team or representative. In addition, these Splunk resources might help you understand and implement this guidance:
- .Conf Talk: Splunk Security Essentials 3.0: Driving the Content that Drives You
- .Conf Talk: Splunk Security Essentials: An Approach to Industry Threat Detection Engineering
- Splunkbase: Splunk Security Essentials
- Docs: Install and Configure Splunk Security Essentials
- Docs: Use Splunk Security Essentials
- Docs: Develop Custom Content in Splunk Security Essentials