SIEM replacement- Exabeam Security Operations Platform considerations

Action editor

The functional equivalent of the Exabeam Action Editor most aligns with capabilities provided in Splunk SOAR, but they can possibly be performed with notable event actions in some limited capability. While not as comprehensive as SOAR playbooks, notable event actions can be used to automate specific tasks such as sending alerts, creating tickets, or initiating data enrichment and contextual lookups.

Be sure you understand your standard operating procedures for incident response and triage, and determine what, if any, circumstances might be needed for Splunk Enterprise Security. This might take the form of custom workflow actions, investigation workbench customization, incident review settings, and more. Document anything that might need to be customized or extended within ES.

Correlation rules

Correlation rules in Exabeam often incorporate behavioral baselines and anomaly detection similar to how Splunk User Behavior Analytics (UBA) operates in its detection capabilities. Exabeam emphasizes ease of use and automation over customization, whereas Splunk ES correlation rules can be specifically written to create complex rule sets and multi-stage attack sequences. Comparably, risk-based alerting(RBA) focuses on aggregating risk over time through modular alerts, with a strong emphasis on customizing how and when risk scores trigger alerts.

A “lift and shift” approach of Exabeam detections to ES correlation searches is unlikely to be successful, as logic differs and the current alerts might not produce the fidelity of your goals. As you perform the use case planning portion of the SIEM Use Case Development Workshop, ensure you capture all business requirements and security monitoring objectives, and take a requirements-based approach to building ES use cases.

Context management

Exabeam’s context management is similar in nature to the Splunk ES Asset and Identity framework, with some key differences. The Splunk platform provides more flexibility and customization in how this context is managed and applied within correlation searches and enrichment rather than being an intrinsic part of a unified behavioral analytics framework.

As you work through the SIEM Use Case Development Workshop, ensure you document all sources of relevant asset and identity data. Start with the main source of truth, and add additional enrichment sources (vulnerability data, CMDB, etc) that might be relevant and provide contextual value. These can be configured directly in Splunk Enterprise Security, and will be merged into a single kvstore collection for assets and another for identities.

Advanced analytics

Splunk User Behavior Analytics (UBA), Splunk Machine Learning Toolki (MLTK) , and the risk-based alerting (RBA) framework all have components to consider and discuss when replacing advanced analytics in Exabeam with Splunk ES.

• Splunk User Behavior Analytics: Like Exabeam, Splunk UBA builds behavioral baselines for users and entities, identifying deviations that could indicate malicious activity. UBA utilizes machine learning algorithms to detect anomalies and patterns in user and asset behavior, focusing on identifying those events that deviate from established patterns. Splunk ES and UBA use common data models. This ensures consistency in the way data is processed and analyzed across both platforms. When UBA detects an anomalous behavior, it generates a notable event which is sent to Splunk ES where it can be correlated with other security data to provide a comprehensive view of the incident.
• Machine Learning Toolkit: Splunk MLTK can be used to provide advanced and predictive analytics for a variety of security use cases. MLTK models can be integrated with Splunk ES correlation rules to apply comparable functionality to Exabeam’s Advanced Analytics.
• Risk-based alerting: RBA focuses on aggregating risk scores over time, with alerts triggered when the cumulative risk surpasses certain thresholds. This approach helps in prioritizing high-risk incidents and detect security events that take place over long periods of time with varied tactics and techniques.

As with correlation search discovery, it is important to identify and document your business requirements for advanced use cases, behavioral detections, and machine learning analytics to determine how to design and solve for these requirements within Splunk Enterprise Security. Splunk User Behavior Analytics might be required as part of your Splunk architecture, but a number of these should be able to be addressed using MLTK and standard deviation methodology within Splunk ES.

Threat center

The Threat Center in Exabeam SOP is more aligned with the features and functionality of Splunk Mission Control. Splunk Mission Control and its feature set is broader in functional scope, serving as a unified platform for all security operations. It integrates threat intelligence but also includes incident management, SOAR, case management, and workflow automation features including full SOAR capabilities, offering automated incident response, playbooks, and case management to streamline security operations.

Incident responder

The functionality of Exabeam Incident Responder aligns most closely with Splunk SOAR. Be sure you understand your standard operating procedures for incident response and triage, and determine what, if any, circumstances might be needed for Splunk Enterprise Security. This might take the form of custom workflow actions, investigation workbench customization, incident review settings, and more. Document anything that might need to be customized or extended within ES.

If you leverage Exabeam's Incident Response capabilities, be sure to discuss these within the context of the SIEM Use Case Development Workshop. It is important to identify and document your business requirements for incident response and determine how to solve for these requirements within Splunk ES and the Splunk Unified Security Architecture. Splunk SOAR might be required as part of your Splunk architecture to provide equivalent functionality.

Outcomes navigator

Splunk Security Essentials (SSE) provides best practices and use cases for security operations. Analytics stories in Splunk ES, similar to Exabeam’s Outcomes Navigator, provide detailed guidance on how to detect and mitigate specific threats and guidance on security use case strategy. However, Splunk’s analytics stories are more focused on individual use cases, while Exabeam's Outcomes Navigator provides a broader, outcome-driven security framework. Document anything that might need to be customized or extended within ES.

Service health and consumption

The Splunk Monitoring Console (SMC) tracks the health of Splunk services, indexers, search heads, and forwarders. It monitors system performance, availability, and resource usage, similar to Exabeam’s Service Health feature.

The Splunk License Usage Dashboard provides insights into how much data is being indexed relative to the licensed volume, helping administrators manage license consumption and data usage over time, similar to Exabeam’s Consumption feature.

Platform health and monitoring considerations should be discussed and documented but might be outside the scope of the SIEM Replacement Workshop.

Load balancing

The Splunk platform provides the ability to distribute the incoming data across multiple indexer nodes to balance the load. Use Splunk universal forwarders to distribute data to multiple indexers, configuring to round-robin data among the available indexers or to use more sophisticated load balancing strategies based on the volume of data or the number of events.

Data replication

The Splunk platform supports indexer replication where each piece of data can be replicated across multiple indexers to prevent data loss. Search head clustering provides fault tolerance for search management.