What’s new and exciting:
- 25 new detections primarily focused on Insider Threat, including 50+ pages of documentation with line-by-line SPL explanations.
- Better integrations with Splunk Enterprise Security and Splunk Enterprise Security Content Update, including links from SSE directly over to the products.
- All detections will create risk indicators, and we built an improved workflow for searches that create notable events.
- Updated descriptions of the anomalies in Splunk User Behavior Analytics.
- Along with more usability features, we squashed bugs, making this easily the most significant release since 2.0.
Never heard of Splunk Security Essentials? Get excited! SSE is already one of the most installed apps in all of Splunkbase and provides a showcase of what can be done in the world of Splunk for security. SSE includes 125 examples of detections that can be deployed on Splunk Enterprise to give your security program more focus and get it up and running more quickly. In fact, we’ve already featured these detections in prior Splunk blog posts, including:
- UT_parsing Domains Like House Slytherin
- Staff Picks for Splunk Security Reading: May 2018
- Strengthen Your SIEM And Be Ready For The GDPR
- Closing the Detection-to-Mitigation Gap – Or, To #Petya or #NotPetya… #whocares?!
- Splunk User Behavior Analytics (UBA) 4.0: The Ultimate LEGO for Machine Learning Models
- Are you using Bad Rabbit as an opportunity to look at the basics and be strategic?
You’ve been surrounded with security goodness and didn’t even know it.
Each of these examples ships with demo data that will show you what the detection will find, along with the live queries that will run on your real data. Sometimes the app even includes accelerated searches that take advantage of Splunk’s Common Information Model! Content covers many popular security use cases, such as security monitoring, advanced threat detection, insider threat, compliance and more.
Also, each example is thoroughly documented to give you the "how" and "why" and to help you implement it, including:
- Required data sources
- Use case and category of detection (e.g., Insider Threat, Lateral Movement, etc.)
- MITRE ATT&CK and Kill Chain Phases
- Security relevance
- Implementation guidance
- Response recommendations
- Known false positives
- Expected alert volume
- SPL difficulty rating and line-by-line documentation for how the SPL works
You may be wondering how this relates to Splunk’s premium security products, Splunk Enterprise Security and Splunk User Behavior Analytics. Customers looking to jumpstart their SIEM and advanced analytics programs with those premium products also get a guide to that content: SSE references the over 300 detections those products provide, all mapped to the same sets of use cases and requirements.
Of course, where to start can be a daunting challenge. That’s why we never recommend anyone try to conquer the world from day one. To help here, SSE maps all its content to the Splunk Security Data Journey, which models how customers typically mature their installations from day one onward. It’s important to understand not just what you can do, but what you should do first. If you're new to using Splunk for your security—or even if you're new to security analytics altogether—walk through the journey to understand what content you can look forward to taking advantage of, the recommended order for onboarding data sources and more!
Did I mention the data onboarding guides? The most common question we hear from customers is about data onboarding, so... we're giving you ALL the guides! These guides are reviewed and approved by Splunk Professional Services. Use them to walk through the "how-tos" of ingesting data into Splunk, as well as configuring source systems to actually send the data required for the use cases. So far the guides cover:
- Windows Security (including Event ID 4688)
- Linux Host Logs
- Microsoft Sysmon
- Palo Alto Networks
- Cisco ASA
- AWS CloudTrail
- AWS VPC Flow Logs
- Microsoft O365
- Symantec EP
- Splunk Stream DNS
At this point, you might be asking yourself, "Is Splunk Security Essentials for me?" My answer: Yes. Why? Because countless small (and large) organizations have built their first sets of security analytics detections with the help of SSE. It's a great place to begin building out your analytics, whether you are a Fortune 100 company or a small startup. We worked hard to make sure that SSE can help an organization of any size get more value out of its Splunk logs than it has seen for ages.
Want to learn more? If you're an existing Splunk customer or are generally comfortable installing an app, download Splunk Security Essentials and follow the easy install docs. If you’re newer to Splunk, maybe you’d like to learn a little more before you jump in. I’ve got just the book for you—The Essential Guide to Security—as an introduction to the Splunk Security Data Journey, the use cases that customers typically solve with Splunk solutions and some introductory content from SSE that will help you succeed!