How Splunk can help: Managing incidents - foundational
Splunk Enterprise Security gives you the ability to tune alerting to improve your investigations, enrich your events to accelerate response, and use one common work surface to track progress. The features that help you do this are:
- The assets and identities framework lets you add and categorize systems of interest so you know which are critical and in what order to respond to incidents.
- The incident review dashboard lets you sort through incidents by urgency, status, or one of the security domains that ship with Splunk Enterprise Security. These domains work with data already brought into your environment and give you preliminary groupings to review incidents by, so you can quickly identify which incidents are open, in progress, or already closed.
- The notable framework powers a number of dashboards, so you can review incident response efforts with your peers and leadership.
- The MITRE ATT&CK framework maps notables to tactics, techniques, and threat groups, giving you additional detail to prioritize and work incidents based on need.
- The risk analysis framework lets you use the power of risk-based alerting (RBA) to surface incidents built from overlapping notables of interest. Because RBA incidents carry more context, they help you form an initial hypothesis for your investigation and judge whether something is abnormal for your environment.
- The use case library helps you identify the data sources you want to respond to today, as well as use cases to target future response efforts. Splunk Enterprise Security has a growing library of over 1000 detections, with analytic stories that give you background references, prebuilt content, and sample searches.
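To make the risk-based alerting and ATT&CK bullets above concrete, here is an added illustration (not Splunk's code or a Splunk ES search) of how RBA turns individual detections into an incident: each detection writes a risk event against an entity, and an incident is raised only when the entity's accumulated score or the number of distinct ATT&CK tactics crosses a threshold. The risk events, the 24-hour window, and the thresholds (100 points, 3 tactics) are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (not from a real deployment). Each tuple is
# (timestamp, risk object, risk score, ATT&CK tactic, originating detection).
RISK_EVENTS = [
    ("2024-05-01T09:00:00", "wkstn-17",  20, "Initial Access",    "Suspicious Email Attachment"),
    ("2024-05-01T09:05:00", "wkstn-17",  40, "Execution",         "Office Spawning Script Host"),
    ("2024-05-01T09:30:00", "wkstn-17",  30, "Persistence",       "New Run Key Value"),
    ("2024-05-01T10:00:00", "jdoe",      30, "Credential Access", "Excessive Failed Logins"),
    ("2024-05-01T10:10:00", "jdoe",      30, "Credential Access", "Excessive Failed Logins"),
    ("2024-05-01T10:20:00", "jdoe",      30, "Credential Access", "Excessive Failed Logins"),
    ("2024-05-01T10:30:00", "jdoe",      30, "Credential Access", "Excessive Failed Logins"),
    ("2024-04-29T08:00:00", "srv-db-01", 80, "Discovery",         "Network Share Enumeration"),
    ("2024-05-01T11:00:00", "srv-db-01", 10, "Discovery",         "Port Scan From Host"),
]

def aggregate_risk(events, now, window=timedelta(hours=24)):
    """Sum risk per object inside the look-back window; track distinct tactics and sources."""
    cutoff = datetime.fromisoformat(now) - window
    agg = defaultdict(lambda: {"score": 0, "tactics": set(), "sources": set()})
    for ts, obj, score, tactic, source in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue  # too old to count toward this window
        agg[obj]["score"] += score
        agg[obj]["tactics"].add(tactic)
        agg[obj]["sources"].add(source)
    return agg

def risk_incidents(events, now, score_threshold=100, tactic_threshold=3):
    """Return risk objects that cross either threshold, with the reason(s) they fired."""
    incidents = {}
    for obj, r in aggregate_risk(events, now).items():
        reasons = []
        if r["score"] >= score_threshold:      # many low-value hits on one entity
            reasons.append("risk_score")
        if len(r["tactics"]) >= tactic_threshold:  # progression across the kill chain
            reasons.append("tactic_diversity")
        if reasons:
            incidents[obj] = {"score": r["score"], "tactics": sorted(r["tactics"]),
                              "sources": sorted(r["sources"]), "reasons": reasons}
    return incidents

if __name__ == "__main__":
    for obj, inc in risk_incidents(RISK_EVENTS, "2024-05-01T12:00:00").items():
        print(obj, inc)
```

With the sample data, wkstn-17 is raised for tactic diversity (90 points but three tactics), jdoe for accumulated score (one tactic, 120 points), and srv-db-01 stays quiet because its high-scoring event falls outside the window.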
Watch the following video to learn more.