Splunk Enterprise Security 7.3 Delivers a Refined Analyst Experience and Enhanced Risk Context for Seamless Incident Triage

Large Security Operations Centers (SOCs) with multiple teams need help making fast decisions when they are overwhelmed with security events.

A few short weeks ago, in our Splunk Enterprise Security 7.2 release, we introduced optional enhancements to the Incident Review Dashboard that provide a more customizable experience when investigating notable events. Analysts can customize and configure the Incident Review Dashboard with table filters and columns to isolate and rapidly investigate the events that matter to them. Additionally, analysts can create saved views of their customized Incident Review Dashboard and share them with other Enterprise Security analysts. Saved Views allow analysts with different use cases to share their tailored views of notable events with other incident investigators, so they can collaborate on notable events seamlessly. Splunk Enterprise Security administrators also have a new level of control over the analyst experience in Incident Review, including configuring default views for all users.

This refined analyst experience is now on by default in Splunk Enterprise Security 7.3!

In order to ease customers into these new workflows, we’ve also launched an interactive, in-product onboarding experience that will guide users through these new features.

Splunk Ideas Continues To Be Front and Center in Splunk Enterprise Security

Customer feedback continues to drive innovation and enhancements in Splunk Enterprise Security. In this release, we added Drill-Down Dashboards to Incident Review, allowing content engineers to drill down into a Splunk dashboard directly from the incident workflow. Users can now create multiple drill-down dashboard links and use them to investigate a specific notable event. This lets analysts access critical details during an investigation without leaving the workflow, reducing manual work.

Content engineers can now customize the text of the drill-down link and also configure the fields that will be passed as tokens to the dashboard. The use cases for custom dashboards are endless with this new flexibility, and we can’t wait to see how the world’s most advanced SOCs leverage it.

Additionally, customers tell us that there are rare instances outside their control where data is not forwarded to Splunk in real time, but they still want Enterprise Security to check those data feeds for threats and anomalies. In this release, we've added Index Time Correlation Searches, which allow administrators to run specific correlation rules against index time (when an event was indexed) instead of event time (the timestamp inside the event) for data sources that routinely arrive late. With this enhancement, Splunk continues to ensure complete visibility no matter where, or when, the data originates.
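To make the event-time versus index-time distinction concrete, here is an added example in plain SPL (not configuration taken from Splunk Enterprise Security or from this release). It assumes a constructed data source, `sourcetype=wineventlog` with Windows `EventCode=4625` failed-logon events, and a 15-minute schedule. The first search scopes its window on `_time`, so an event whose timestamp is three hours old because a forwarder was offline never falls inside a 15-minute event-time window and is silently skipped. The second search scopes the same window on index time using the `_index_earliest` and `_index_latest` search modifiers, so the late event is evaluated in the first run after it actually lands, and the `_indextime` field is used to report how late it arrived.

```spl
index=main sourcetype=wineventlog EventCode=4625 earliest=-15m@m latest=now
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen BY user, src
| where failures >= 10
```

```spl
index=main sourcetype=wineventlog EventCode=4625 _index_earliest=-15m@m _index_latest=now
| eval lag_seconds = _indextime - _time
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen,
        max(lag_seconds) AS max_ingest_lag_seconds BY user, src
| where failures >= 10
| sort - max_ingest_lag_seconds
```

Two practical points when scheduling the index-time variant: keep the index-time window equal to the schedule interval (here 15 minutes) so each event is evaluated exactly once rather than missed or double-counted, and keep `max_ingest_lag_seconds` in the output, since a source whose lag keeps growing is itself a monitoring problem worth an alert.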

Risk-Based Alerting Is Now Even More Powerful

Risk-Based Alerting is an approach that helps organizations prioritize security threats by aligning detections to the MITRE ATT&CK framework and accumulating a risk score per entity. The SOC can reduce false positive investigations by up to 80% and cut the time needed to investigate and remediate true positive incidents by 50%. In Splunk Enterprise Security 7.3, the Risk Event Timeline is updated to include Drill-down Searches, Drill-down Dashboards, and Contributing Events, so that analysts can quickly gather contextual information about risk events as they respond to Risk Notables.
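The aggregation behind a risk notable, as an added SPL illustration rather than the product's own correlation search: individual detections write low-value risk events for an entity, and a scheduled search sums those scores and counts how many distinct ATT&CK tactics the entity has touched, raising one notable only when the accumulated picture crosses a threshold. The field names `risk_object`, `risk_object_type`, `risk_score`, `risk_message` and `annotations.mitre_attack.mitre_tactic_id` are assumed to match the risk index layout used by Splunk Enterprise Security; the thresholds (100 points or 3 tactics) are constructed for the example.

```spl
index=risk earliest=-24h@h latest=now
| stats sum(risk_score) AS total_risk,
        dc(source) AS distinct_detections,
        dc(annotations.mitre_attack.mitre_tactic_id) AS distinct_tactics,
        values(annotations.mitre_attack.mitre_tactic_id) AS tactics,
        values(risk_message) AS reasons,
        min(_time) AS first_risk_event, max(_time) AS last_risk_event
  BY risk_object, risk_object_type
| where total_risk >= 100 OR distinct_tactics >= 3
| sort - total_risk
```

The `distinct_tactics` condition is what separates this from simple score summing: a single noisy detection firing many times inflates `total_risk` but never raises `distinct_tactics`, while an entity that has been seen in, say, initial access, persistence and exfiltration looks like an attack chain even if each event scored low. The `reasons` and timestamp columns are the contributing-events context an analyst wants at triage time.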

With Splunk Enterprise Security 7.3 you’ll get to experience the following enhancements:

Additionally, risk events generated by cloud-based streaming analytics, included with Splunk Enterprise Security for customers operating in Splunk Cloud, will also benefit from the Contributing Events refinement for Risk Event Timeline.

Upgrade Today to Splunk Enterprise Security 7.3

Splunk Enterprise Security 7.3 updates are available now in both cloud and on-prem environments.

We’re listening! If you have ideas and requests, please submit them to Splunk Ideas.

To learn more about Splunk Enterprise Security 7.3, check out the release notes.

Happy Splunking!
