I am pleased to unveil a range of new features in Splunk’s flagship SIEM platform, Splunk Enterprise Security (ES). The latest version of Splunk ES v 5.2 introduces two new capabilities, Event Sequencing and Use Case Library and features an enhanced Investigation Workbench.
Customer interest in these new capabilities has been overwhelming. Steve McMaster, Director of Managed Security Services at Hurricane Labs says, “New Splunk ES features, such as Event Sequencing and Use Case Library, will provide immediate value in our SOC, helping to find and remediate threats faster.”
Event Sequencing expands threat detection by providing the ability to sequence notable events and risk modifiers together to identify high-fidelity incidents and threats. Sequencing events gives you the ability to define a workflow to solve your use cases based on conditional execution of correlation searches and/or risk modifiers in sequential order (or not) based on your specification.
It's straightforward to get started with this powerful new capability. You start off by creating a “Sequenced Template” from the “Content Management” dashboard and configure it to execute on specific conditions and status of correlation searches and/or risk modifiers (i.e., you can specify how sequenced events are constructed that reflect your use cases while creating the sequenced templates). Once you've created a sequence template, it's available for execution within 5 minutes.
Splunk ES 5.2 provides an easy way to track which sequences are running or completed, which is shown in the figure below.
When a sequenced event has been created you can view it in the familiar Incident Review dashboard. The example below displays information specific to the “Phishing Attack Detected” template such as the name and description, the correlation searches involved, the state of each transition in the sequence, and the sequence expiration date.
You have the flexibility to execute event sequences in an ad hoc manner. For more details on how to use Event Sequencing, review the technical documentation in Splunk Docs.
Use Case Library
The Use Case Library helps security practitioners strengthen their security posture with ready-to-use content that's relevant to them. You can discover new use cases and determine which ones can be used within your environment based on the data ingested at the time of its ingestion.
You can use the Analytic Stories from Splunk Enterprise Security Content Update (ESCU) as use cases directly with the Use Case Library. The analytic stories provide actionable guidance for detecting, analyzing and addressing security threats. An analytic story contains the searches you need to implement the story in your own Splunk ES environment. It also provides an explanation of what the search achieves and how to convert a search into response actions where appropriate.
You have the ability to create, curate, install and manage ES Content and Analytic Stories. You can create a new Analytic Story and map it to the type of searches you would like to use.
Use Case Library helps reduce your organizational risk by enabling faster detection and incident response to newly discovered and ongoing threats.
The enhanced Investigation Workbench introduces two new artifact types—file name and URL—and real-time notification of new notable events during an investigation. These enhancements will help you understand the full scope of incidents and make decisions in real time.
Get Started Now
If you are an existing Splunk Enterprise Security customer, you can download the latest version in Splunkbase.
If you are not familiar with Splunk Enterprise Security, use the free seven-day cloud Splunk Enterprise Security Sandbox to get started in minutes.
Contact us to find out how you can benefit from Splunk Security Solutions.