Splunk Lantern

Getting started with Splunk Enterprise Security
This guide is designed to help you make the most of your investment in Splunk Enterprise Security and to improve your configuration so that you receive maximum value.

It’s important that you understand how Splunk Enterprise Security can provide visibility of your organization's security posture. Splunk Enterprise Security uses correlation searches to provide visibility into security-relevant threats and generate notable events for tracking identified threats. You can capture, monitor, and report on data from devices, systems, and applications across your environment.

Install Splunk Enterprise Security

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For assistance with ES 8.x, Splunk Professional Services can help.

  • For Splunk Enterprise users, follow the instructions on Splunk Docs.
  • For Splunk Cloud Platform users, Splunk's support team will give you access details for Splunk Enterprise Security.

Splunk Enterprise Security is highly configurable. Because of this, it is highly recommended that your installation and initial configuration are handled by Professional Services. While installation is automated for Splunk Cloud Platform customers, Professional Services engagement is still recommended to assist with configuration, including getting data onboarded.

After installing Splunk Enterprise Security, you'll need to follow these steps:

  1. Identify applicable use cases for security monitoring.
  2. Identify the data sources you need to implement your use cases.
    1. For Splunk Enterprise users, identify the appropriate add-ons from Splunkbase. Most add-ons in Splunkbase are compliant with the Common Information Model (CIM). If data is custom, it has to be mapped manually to the CIM.
    2. For Splunk Cloud Platform users, engage Professional Services to get your add-ons set up.
  3. Start sending your security-related data to the Splunk platform using your add-ons.
  4. Validate your data using the Splunk Common Information Model (CIM) app.
  5. Configure your assets and identities to access the full functionality of Splunk Enterprise Security.
  6. Enable security investigation and monitoring by setting up dashboards and reports.
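To make step 4 concrete, the following search is an added example (not from this Splunk Lantern page) that reports, per sourcetype, what share of events in the CIM Authentication data model have the `user`, `src`, and `action` fields populated; the data model and field names are standard CIM, but the choice of these three fields as the ones to check is an assumption made for illustration.

```spl
| datamodel Authentication Authentication search
| rename Authentication.* AS *
| stats count AS events,
        count(user) AS has_user,
        count(src) AS has_src,
        count(action) AS has_action
    BY sourcetype
| eval user_pct = round(100 * has_user / events, 1),
       src_pct = round(100 * has_src / events, 1),
       action_pct = round(100 * has_action / events, 1)
| where user_pct < 100 OR src_pct < 100 OR action_pct < 100
| table sourcetype events user_pct src_pct action_pct
```

Run it over a short time range, because `datamodel ... search` reads raw events rather than accelerated summaries; any sourcetype it returns has an add-on or custom extraction that leaves CIM fields empty, which is exactly what correlation searches built on that data model will silently miss.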