Splunk security professionals exist for Splunk customers. We travel the world to meet with you, lurk on ICQ and Slack 24/7 hoping for a wild Splunk Security Essentials or BOTS question to appear, and we even wear Splunk shirts at hacker conferences just to hear, "Hey, do you work at Splunk? I've got a question…" (This last one is actually a lie. We cluster together, avoiding contact with humans and the sun. They're both scary!)
But frankly, it's not good enough. We can do better because honestly, we don't scale...no matter how many IPAs (or Hefeweizens) we drink. And honestly, many of the questions are the same.This means we haven't done a great job documenting (or sharing previously documented) answers! We can do better.
A year and a half ago we began blogging about "Hunting with Splunk" in an attempt to share some of the coolest ways we have found to use Splunk core to freestyle hunt badness with SPL. Now we want to talk about the Splunk security products that most of you use: Splunk Enterprise Security, Splunk Phantom, Splunk User Behavior Analytics, Splunk Security Essentials, PCI and more. Every couple of weeks, we're going to drop a blog post based on a question that's been asked of us in the past. It could be anything from “How do I configure threat intelligence lookups in ES” to “I keep trying to make a Phantom playbook and phailing. Help!”
If you have any specific questions you want to be answered, feel free to send them to email@example.com. With each "Dear Buttercup" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:
- Modifying the Incident Review Page
How to modify the Incident Review page and add information to Notable Events in Splunk Enterprise Security
- Threat Intel and Splunk Enteprise Security Part 1 - What’s The Point of Threat Intel in ES?
How threat intelligence works with Splunk Enterprise Security
- Threat Intel and Splunk Enterprise Security Part 2 - Adding Local Intel to Enterprise Security
Getting started with local threat intelligence in Splunk Enterprise Security
- Dear Buttercup, To SIEM or not to SIEM; that is the Question
Answering the question of what IS and IS NOT a SIEM, and if you need one