- Start sending your security-related data to Splunk using Common Information Model (CIM) compatible Technology Add-ons (TAs).
- Use Splunkbase for add-ons to get data in.
- Validate data using the CIM validation app.
- Start to configure assets and identities.
- Enable notable events to drive the use case (start with 2-3 high-impact use cases and get them understood and tuned).
Splunk Enterprise Security is highly configurable, which helps you stay effective in the fast-changing domain of cyber security. Because of that, it is highly recommended that installation and initial configuration be handled by Professional Services. If you are a cloud customer the installation is automated, but Professional Services are still recommended to assist with the configuration, including getting data in.
This guide is designed to help you get started with Splunk Enterprise Security or to make improvements on your configuration to ensure you receive maximum value from the platform.
Getting data in
Splunk Enterprise Security uses the Splunk platform's searching and reporting capabilities so you can get an overall view of your organization's security posture.
Splunk Enterprise Security uses correlation searches to provide visibility into security-relevant threats, as well as generating notable events for tracking identified threats. You can capture, monitor, and report on data from devices, systems, and applications across your environment.
One of the fundamentals of using Splunk Enterprise Security is to have all your security data sent into a Splunk deployment to be indexed. Once it's there, you can correlate events from disparate data sources across time, and identify complex behavior that could be malicious. Correlation is facilitated by the Splunk Common Information Model (CIM) which normalizes field names needed for correlation. It also puts the data into data models that accelerate searches. Because of this, Splunk Enterprise Security requires that all data sources comply with CIM.
Step 1: Getting data in
The document Data source planning for Splunk Enterprise Security has detailed configuration information for add-ons and other data input components.
The terms "Add-on" and "TA" are often used interchangeably. The term "App" has a different meaning: it implies that the package also includes views and dashboards. Both apps and add-ons are available on Splunkbase.
You can easily download the TAs needed to send data into a Splunk deployment to drive your use cases. Common examples include the Splunk Add-on for Microsoft Windows, the Palo Alto Networks Add-on for Splunk, the Splunk Add-on for Check Point Log Exporter, and add-ons that support security products from Cisco, McAfee, CrowdStrike, Zscaler, and many other vendors. There are currently over 1400 security-related apps and add-ons on Splunkbase.
The use of the TAs provides you with CIM-compliant data going into a Splunk deployment. In the event you need to validate or troubleshoot, see the manual for the CIM add-on. This add-on is normally in place as part of the Splunk Enterprise Security installation.
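A quick way to check that the data a TA is sending actually lands in a CIM data model, as an added example that is not from this guide or from the CIM add-on, is a tstats search over the Authentication data model that reports, per sourcetype, how many events populate the fields a correlation search depends on (action, src, user). The data model and field names are CIM; the choice of Authentication and of those three fields is an assumption for illustration, and you would repeat the check for each data model your use cases need (Network_Traffic, Endpoint, Web, and so on).

```spl
| tstats summariesonly=false
    count AS total
    count(Authentication.action) AS has_action
    count(Authentication.src) AS has_src
    count(Authentication.user) AS has_user
    from datamodel=Authentication
    by sourcetype
| eval pct_action=round(100*has_action/total, 1),
       pct_src=round(100*has_src/total, 1),
       pct_user=round(100*has_user/total, 1)
| sort - total
| table sourcetype total pct_action pct_src pct_user
```

Run it over the last 24 hours. A sourcetype you expect to see that is missing from the results is not mapped to the data model at all (usually a tagging or TA installation problem); a sourcetype present with a low percentage for a field means the TA's field extraction does not match your device's log format and needs attention before any correlation search built on that field can be trusted. summariesonly=false lets the search fall back to raw events while data model acceleration is still backfilling.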
Syslog is a technology frequently employed, and considered a best practice, when collecting data from security devices such as firewalls and security appliances. You can set up a syslog server to collect data from its sources, and then forward it from the syslog server to a Splunk deployment. Further considerations with syslog are documented in the Splunk Validated Architectures whitepaper.
Here are more resources that can help you to get data in:
- Docs: Getting data in to Splunk Cloud
- Docs: Getting data in to Splunk Enterprise
- Docs: Data source planning for ES
- Docs: Use apps to get data in
- Docs: Use CIM to validate your data
- Tech Talk: Splunk Connect for Syslog: Ingest security data
- .Conf session: Data onboarding: Where do I begin?
- .Conf session: Taming GDI: The wild world of ‘Getting Data Into’ Splunk
Step 2: Further configuration and content management
Adding asset and identity data to Splunk Enterprise Security is a best practice and is required for effective use of Splunk Enterprise Security. This process will have been started for you by Professional Services if they did your installation and configuration.
You might feel that you do not have a good list of assets and identities. While this may be true, it is critical to start collecting and configuring this information so that the urgency of alerts is correctly evaluated and so you can get important context for investigations. This document contains guidance on how to collect that information and which add-ons can help with the process.
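One practical way to see how incomplete your asset list is, as an added example rather than something from this guide, is to take every source address that has authenticated recently and look it up against the asset lookup; sources with no asset entry will get no priority, and any notable they raise will be evaluated without that context. The search assumes the Authentication data model is populated and that the asset lookup is exposed as a lookup named asset_lookup_by_str with a key field, which is how Splunk Enterprise Security's own searches reference it in recent versions; confirm the lookup name in your installation.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    by Authentication.src
| rename Authentication.src AS src
| lookup asset_lookup_by_str key AS src OUTPUT priority AS src_priority
| fillnull value="no_asset_entry" src_priority
| stats dc(src) AS sources, sum(count) AS events by src_priority
| sort - sources
```

The rows tagged no_asset_entry are your gap: the hosts that are most active in authentication data but absent from the asset list. Working through that list (starting with the hosts that generate the most events) is a concrete way to begin populating assets, and rerunning the search over time shows whether coverage is improving.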
Threat Intelligence (TI) is another important asset for data enrichment that speeds up incident response. TI is information that has been collected, analyzed and evaluated for reliability by people with deep security expertise. It contains information that helps consumers of the TI to conduct faster incident investigations and response. The TI is packaged for easy integration with security analytics tools such as Splunk Enterprise Security, and with orchestration tools such as SOAR.
Splunk has a Threat Intelligence Platform (TIP) that helps with the acquisition of TI from Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations (ISAOs). The TIP also allows the creation of site-specific TI that can be shared back, so that your organization participates in the intelligence cycle. Splunk’s TIP can be integrated with ES by using the TruSTAR Unified App for Splunk Enterprise and Enterprise Security.
While there are many items in Splunk Enterprise Security that can and should be configured and adjusted, here are some common configuration and tuning tasks.
Configure users and roles
Splunk Enterprise Security adds three roles to the default roles provided by Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security based on a user's access requirements. The Splunk platform administrator can assign groups of users to the roles that best fit the tasks the users will perform and manage in Splunk Enterprise Security.
Here are resources for the configuration tasks in this section, covering assets, identities, users and roles, and threat intelligence:
- Docs: Add asset and identity data to Splunk Enterprise Security
- Docs: Configure users and roles
- Docs: Add threat intelligence to Splunk Enterprise Security
- .Conf session: Integrating a threat intelligence platform
- Blog: Asset & identity for Splunk Enterprise Security - Part 1: Contextualizing systems
- Blog: Asset & identity for Splunk Enterprise Security - Part 2: Adding additional attributes to assets
- Blog: Asset & identity for Splunk Enterprise Security - Part 3: Empowering analysts with more attributes in notables
- Blog: Threat intel and Splunk Enterprise Security Part 1 - What’s The point of threat intel in ES?
- Blog: TruSTAR operationalized data orchestration and normalization
- Blog: How do I add COVID (or any) threat intelligence from the internet to Splunk Enterprise Security?
- Blog: Onboarding threat indicators into Splunk Enterprise Security: SolarWinds continued
Configure correlation searches
A correlation search is a type of scheduled search that scans multiple data sources, which can then be used to detect suspicious events and patterns in your data. You can configure a correlation search to generate an adaptive response, such as creating a notable event when search results meet specific conditions. You can then investigate notable events using the Incident Review dashboard in Splunk Enterprise Security. It is in this dashboard where the conditions discovered by the search are presented. The urgency of the event and other contextual information are also shown so you can determine next steps as quickly as possible.
Correlation searches are often synonymous with use cases. Security-focused use cases often involve searching for an indicator of compromise, and when found, raising it as an event for investigation or remediation. Many repetitive tasks involved in investigation and remediation should be automated with a SOAR product like Splunk SOAR.
To configure a correlation search:
- Access the Configure drop-down menu from the app.
- Select Content Management, and set the type to Correlation Search.
- You can then enable and disable searches, update the settings that dictate how they run, change the search logic, and throttle their adaptive response actions. This configuration page is where much tuning and development will take place.
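As an added example of the search logic behind a correlation search, not a search copied from this guide or from the Splunk Enterprise Security content, here is a brute force detection over the CIM Authentication data model: for each source, it counts failed and successful logons in 10-minute windows and flags sources that had many failures and at least one success in the same window. The thresholds (20 failures, 1 success, 10 minutes) are assumptions to be tuned for your environment; summariesonly=true restricts the search to accelerated data, which is what makes it cheap enough to schedule every few minutes.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count(eval('Authentication.action'=="failure")) AS failure
    count(eval('Authentication.action'=="success")) AS success
    dc(Authentication.user) AS distinct_users
    values(Authentication.app) AS app
    from datamodel=Authentication
    by Authentication.src, _time span=10m
| rename Authentication.src AS src
| where failure >= 20 AND success >= 1
| eval rule_description="Source ".src." had ".failure." failed logons and ".success." successful logon(s) in the same 10-minute window"
| table _time src failure success distinct_users app rule_description
```

Run it ad hoc first over a day of data and look at what it returns: a high distinct_users count with a single source usually points at a scanner or a service account sweep rather than a single user mistyping a password, and a source that shows up every run is usually a misconfigured system that should be filtered or fixed at the source. Once the results look right, save it through Content Management as a correlation search with a notable event as the adaptive response, and set a throttle on src so that a source that trips the rule repeatedly within the throttle window produces one notable instead of one per scheduled run.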
Deciding what to search for, filter, or adjust is as varied as cyber security itself. If you need direct help, use On Demand Services early and often to access experts available on request. You can also access a catalogue of some of the services available to you.
It is best to enable correlation searches one at a time, understand how each search works, and validate that it provides valuable information, not just noise. Enabling too many searches at once risks flooding your SOC with alerts that are hard to triage. It's best to start small, as the speed of enablement, validation and tuning will get faster with practice. No SIEM is a set-and-forget endeavor; it requires a practice of continuous improvement, because the nature of security is itself dynamic.
The beauty of Splunk Enterprise Security is that it is so expressive in its ability to be improved and pivot in different directions as an investigation or hunt unfolds. This does make your learning curve steeper, but is well worth the effort because once you have a working knowledge of how to use Splunk, your ability to detect, respond and act on security incidents will be robust and fast.
This is a big topic! If you'd like to go deeper, here are some more things you can read.
- Docs: Correlation search overview for Splunk ES
- Docs: Configure correlation searches in Splunk ES
- Blog: Upping the auditing game for correlation searches within Enterprise Security — Part 1: The basics
- Blog: Analytics stories for Splunk Enterprise Security, Part 1: Organizing my security use cases
- .Conf Session: On the fence about Enterprise Security? Can it add value to your SOC/company?
Set up dashboards and reporting
After data is in and some basic configurations are complete, it's time to start looking at dashboards and reports.
Splunk Enterprise Security has many out-of-the-box dashboards. You can start with the Security Posture dashboard which gives a single high-level view of what has taken place over the past 24 hours. This dashboard shows trends and key indicators, and can be customized to focus you or any other user on what is important for their role - for example, it could be set up to be deeper for an Analyst, or more high-level for a CISO or Director.
You might also want to set up the Incident Review dashboard. This dashboard is where an Analyst would typically start their shift, so they can begin to investigate incidents and formulate responses.
Enterprise Security use cases
There are a lot of use cases that can be addressed with Splunk Enterprise Security, but finding out what you want to do can be difficult.
Using a framework like MITRE ATT&CK can help you find gaps in your coverage and areas you need to implement. The pre-configured notables in Splunk Enterprise Security represent many detections for use cases. Many more can be found in the Splunk Enterprise Security Content updates, Security Essentials, Lantern, and other places. Often the first place to start is to enable a few correlation searches and adjust them to fit the use case in your environment.
Here are some resources to help you get started. Use MITRE ATT&CK to see how these map to adversary Tactics, Techniques and Procedures (TTPs). You can also check the Use Case Library in Splunk Enterprise Security, accessed via the Configure menu, then Use Case Library.
The Splunk Enterprise Security Content Update app is linked to the Splunk Security Research Team's work and it is updated frequently with timely detections. It is a best practice to use this often.
Here are some common starting points for use cases, organized by what Splunk Enterprise Security calls security domains.
- Brute force access behavior detected (local and cloud) (See the correlation search in Splunk Enterprise Security)
- Default account activity detected (See the correlation search in Splunk Enterprise Security)
- Concurrent login attempts detected (See the correlation search in Splunk Enterprise Security)
- Abnormally high number of endpoint changes by user (See the correlation search in Splunk Enterprise Security)
- Execution of a renamed psexec.exe to avoid detection (See the correlation search in Splunk Enterprise Security)
- Indicator of mimikatz activity using Microsoft Sysmon (Splunk Security Essentials)
- Basic malware outbreak (Splunk Security Essentials)
- Common ransomware extensions
- Suspicious network connection (Splunk Security Essentials)
- Account compromised followed by exfiltration (Splunk Security Essentials)
- Excessive DNS queries (See the correlation search in Splunk Enterprise Security)
- Network traffic communications over Port 4444 (Metasploit Default) (Splunk Security Essentials)
Other resources on use case development
- Risk-based alerting in Splunk Enterprise Security
- Webinar: 20 SIEM use cases in 40 minutes: Which ones have you mastered?
- Community: Example of how to detect basic malware outbreak
- Blog: Kaseya sera. What REvil shall encrypt, shall encrypt
- Blog: REvil ransomware threat research update and detections