Splunk Enterprise Security
Advancing analytics-driven security
Detect. Prevent. Respond.
Splunk Enterprise Security is a next-generation security intelligence platform that addresses SIEM (Security Information and Event Management) use cases by providing pre-packaged dashboards, reports, incident response workflows, analytics, and correlations to quickly identify, investigate, and respond to internal and external threats. It also provides out-of-the-box support for the most common security data sources including network security, endpoint solutions, malware and payload analysis, network and wire data, identity and asset management systems, and threat intelligence to accelerate deployment and adoption.
Splunk Enterprise Security includes:
- Library of security- and risk-based KPIs and KSIs to use in any combination within dashboards and monitors to streamline security operations
- Threat Intelligence Framework: aggregate, de-duplicate and operationalize threat feeds from multiple sources, including open-source feeds, subscription-based feeds, law enforcement, local sources, and feeds shared by other organizations
- Support for multiple formats, including flat files and standards-based formats such as STIX and OpenIOC, and for multiple transport mechanisms such as TCP and TAXII
- Incident review dashboards and workflow actions enable users to drill down or pivot on any piece of data to rapidly understand the priority, impact and context of any activity
- End-to-end visibility with direct access across all data and security domains including user/asset, network, endpoint, access, threat intelligence and wire data technologies
Splunk Enterprise Security runs on top of Splunk® Enterprise to identify and address emerging security threats through the use of monitoring, alerts and analytics.
Security Analytics, Correlation and Response
Optimize security monitoring, prioritization, response, containment and remediation processes by analyzing machine data to understand the impact of alerts or incidents.
Risk-Based Analysis
Apply risk scores to any data or correlation to enhance decision-making and align risk posture with the business.
User Identity and Asset Correlation
Apply user- and asset-based context to all machine data to monitor user and asset activities, verify privileged access and detect unusual activity.
Threat Intelligence Sources
Threat intelligence sources include free threat-intelligence feeds, third-party subscriptions, law enforcement, FS-ISAC Soltra (via STIX/TAXII), and internal and shared data.
Operationalize Threat Intelligence
Multiple threat intelligence sources can be aggregated, de-duplicated and assigned weights so that a wide range of IOCs can be used for all aspects of monitoring, alerting, reporting, investigation and forensic analysis.
Detect Unknown and Advanced Threats
Detect unusual activities associated with advanced threats by leveraging statistical analysis, correlation searches, dynamic thresholds, and anomaly detection.
User Activity Monitoring
User activity monitoring can be employed to detect anomalous user activities and high-risk behaviors, as well as credentials stolen by external attackers.
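As an added illustration of the risk-based analysis and threat-intelligence weighting described above (this is constructed Python, not Splunk code or SPL), the block below merges three feeds of differing trust, de-duplicates indicators by summing the weights of the sources that report them, and rolls matched weights up into a per-asset risk score. Feed names, weights, indicators and events are all constructed placeholders.

```python
# Added example, not Splunk code: aggregate, de-duplicate and weight IOCs
# from constructed feeds, then turn matches into a per-asset risk score.
from collections import defaultdict

# Constructed feeds. Each source carries a trust weight, lowest for the
# open-source feed and highest for internal sightings. Indicators are
# documentation placeholders (RFC 5737 addresses, example.net names).
FEEDS = {
    "osint-feed":   {"weight": 1, "iocs": ["203.0.113.10", "bad.example.net"]},
    "subscription": {"weight": 3, "iocs": ["203.0.113.10", "198.51.100.7"]},
    "internal":     {"weight": 5, "iocs": ["bad.example.net"]},
}

def aggregate(feeds):
    """Merge feeds into {indicator: {"weight": summed weight, "sources": [...]}}.
    An IOC reported by several feeds is stored once, with a higher weight."""
    merged = defaultdict(lambda: {"weight": 0, "sources": []})
    for name, feed in feeds.items():
        for ioc in set(feed["iocs"]):  # drop duplicates within one feed
            merged[ioc]["weight"] += feed["weight"]
            merged[ioc]["sources"].append(name)
    return dict(merged)

# Constructed events in the shape of normalized proxy and DNS records.
EVENTS = [
    {"src": "10.0.0.5", "dest": "203.0.113.10", "query": None},
    {"src": "10.0.0.8", "dest": "192.0.2.1", "query": "bad.example.net"},
    {"src": "10.0.0.9", "dest": "192.0.2.2", "query": "ok.example.com"},
]

def score_events(events, iocs):
    """Return (matches, risk): matches lists each event that touched an IOC
    with the summed weight; risk sums those weights per source asset."""
    risk = defaultdict(int)
    matches = []
    for ev in events:
        hits = [v for v in (ev["dest"], ev["query"]) if v in iocs]
        if not hits:
            continue
        score = sum(iocs[h]["weight"] for h in hits)
        matches.append({"src": ev["src"], "hits": hits, "score": score})
        risk[ev["src"]] += score
    return matches, dict(risk)

if __name__ == "__main__":
    table = aggregate(FEEDS)
    matches, risk = score_events(EVENTS, table)
    for m in matches:
        print(m)
    print("risk per asset:", risk)
```

An indicator reported by both the low-trust and the internal feed ends up with a higher weight than either alone, which is what lets the same match table drive prioritization rather than a flat hit/no-hit alert.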
Splunk Enterprise Security Tour
Security Posture Dashboard
The Security Posture Dashboard provides continuous monitoring and at-a-glance situational awareness by tracking key security indicators and security metrics across identity, access, malware, endpoint and threat intelligence data sources. All aspects of data source, key indicators, and visual displays are configurable and customizable to suit any organization’s operating procedure. The point-and-click interface provides integrated workflows and actions from the graphical display.
Quickly triage, prioritize, and respond to notable events by understanding the priority of any incident and which hosts were involved. Gain contextual insights about the incident and host, and pivot on any incident or host attribute to find additional indicators and related events. Security team members can collaborate and review all activities related to the host and incident in a single location, as well as explore the raw data and view the journal of incident activities.
The Asset Investigator allows you to visually correlate activities across devices that employ disparate technologies. You can adjust timeframes and build a story from the events, and then either create searches to detect those events or share the story with a team member.
The Threat Activity dashboard provides direct access to events that correlate to all threat intelligence sources: third-party subscriptions, law enforcement, internal, and shared sources. It provides insights into the trends, activities, users, and host event information associated with threat intelligence. Utilize threat intelligence as the starting point of your workflow, or use threat intelligence across various aspects of monitoring, reporting and investigation.
User Activity Monitoring enables you to track user activity and credentialed usage across the entire enterprise, in real time or over historical data, for the detection of high-risk behavior and unusual activity. Correlation searches, KSIs and swimlane objects enable you to rapidly detect and respond to advanced and insider threats.
Protocol Intelligence provides fast access to wire data and includes dashboards for the most important fields in the most common protocols, as provided by the Splunk App for Stream or by network forensics tools. Pre-built reports that use key fields extracted from wire data simplify profiling to spot unusual activity. Protocol Intelligence also applies threat intelligence to email envelopes, DNS queries and responses, and SSL certificates to accelerate detection and incident response.