Splunk Enterprise Security 8.0 and Splunk SOAR 6.3 Unify and Automate TDIR Workflows within the Market-Leading SIEM

Security analysts spend an average of 3 hours on alert investigations. Yikes.

41% of alerts are ignored because analysts don’t have the time to process them. Not good.

Mean time to respond to incidents is 15.5 hours. That’s not as bad as a few years ago, but certainly not where we need to be.

Why is this happening?

First of all, security analysts are bogged down with disjointed data coming from a multitude of sources. This hampers their ability to aggregate, correlate, and prioritize information crucial for efficient threat detection and response.

Second, their security analytics tools are not doing a very good job of turning that data into alerts an analyst can act on immediately. Without that context, an analyst cannot reliably judge a threat's severity and potential impact, and therefore cannot prioritize the response.

Third, security teams are juggling 25+ different security tools that perform different actions across detection, investigation and response. Look up an IP here, send malware to a sandbox there, block an executable over there. What's worse is that the vast majority of those actions are performed manually. Good luck responding quickly when you pit human speed (manual response) against machine speed (malware execution).

How do we fix this?

The solution lies in a SOC’s ability to unify visibility, control, and orchestration across detection, investigation, and response workflows… and then automate it. Splunk Enterprise Security, now natively integrated with automation capabilities from Splunk SOAR, provides these benefits.

Threat Detection, Investigation, and Response: Unified and Automated

Splunk recently released Splunk Enterprise Security version 8.0. This release represented a monumental step forward for an already market-leading SIEM that has defined the SIEM category for the last 10 years. Splunk Enterprise Security 8.0 redefined how a SIEM should streamline SOC workflows, and automate actions across those workflows. Splunk Enterprise Security centralizes workflows and unifies processes across detection, investigation, and response to fuel SOC operational efficiency and stop breaches.

Here’s how it works. Mission Control is a native, built-in feature of Splunk Enterprise Security. It provides the analyst with a unified work surface that provides case management and consolidates detection, investigation and response workflows into a single modern interface. Response Plans are a key feature of Mission Control in Splunk Enterprise Security, allowing users to easily collaborate and execute incident response workflows for common security use cases. Response Plan templates allow users to see each phase of an incident response plan, assign key stakeholders to specific phases, and apply simple automation playbooks and workflows to tasks for quicker, more efficient remediation efforts.

Within this interface is also security automation from Splunk SOAR, now natively integrated into Splunk Enterprise Security (enabled only with an active Splunk SOAR license subscription). Splunk SOAR automation playbooks can be consumed, run, and resolved all within the Splunk Enterprise Security interface. Analysts gain one-click access to orchestration and automation functionality. After a detection event in Splunk Enterprise Security, Splunk SOAR can take immediate action to automate the investigative and response tasks associated with that detection. With just a few clicks from within the Splunk Enterprise Security interface, the SOC can rapidly and efficiently resolve incidents, without the burden of manual workloads.

Detection, investigation, and response are not only unified but can also be automated, all within a single SIEM user interface in Splunk Enterprise Security 8.0. This changes how security analysts work. The combination of Mission Control's unified work surface with Splunk SOAR automation is designed to improve both the mean time to detect (MTTD) and the mean time to respond (MTTR) to incidents.

What does this look like in the Splunk Enterprise Security interface? Watch this demo.

As you saw in the demo, the Splunk Enterprise Security connector allows you to automate processes and tasks from the Splunk Enterprise Security user interface. It includes more than 35 API calls and the ability to automatically triage findings from the Analyst Queue in Splunk Enterprise Security. The "Run Playbook" button is integrated directly into the Analyst Queue, so an analyst can select findings and run automation on them with a single click, without ever navigating away from the Splunk Enterprise Security user interface. Going further, the analyst can open an investigation with built-in Response Plans that provide prescriptive guidance and suggest which playbooks to run as part of that investigation. This allows analysts to orchestrate playbooks from within an investigation in just a few clicks.

We've also made sign-on a breeze. The self-pairing feature provides single sign-on across Splunk Enterprise Security and Splunk SOAR. It also lets the admin selectively grant SOAR functionality to users through new role mapping, which is where you decide which analysts may trigger automated response actions and which may only view their results.

The Automation Rules Framework ensures that playbooks are dispatched appropriately when new detections and findings appear in Splunk Enterprise Security. Within the Splunk SOAR user interface, it's easy to select among potentially hundreds of detections and assign them to a few playbooks. You can also assign a specific detection to launch a specific playbook. The analyst gains better visibility and control over which playbooks are triggered automatically, and the framework supports both generic and highly specific automation use cases.
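To make the generic-versus-specific dispatch concrete, here is a small model of that behaviour written for this post. It is an added illustration, not Splunk's Automation Rules Framework or any Splunk API; the finding, rule and playbook names are constructed, and the precedence policy (an exact detection match beats a generic severity rule, and unmatched findings stay in the queue for manual triage rather than being dropped) is an assumption chosen to show the point.

```python
"""Illustrative model of detection-to-playbook dispatch.

Hypothetical, constructed for this post: the rule engine, field names and
playbook names below are assumptions and do not represent Splunk's API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    detection: str            # name of the analytic that produced the finding
    severity: str             # "low" | "medium" | "high" | "critical"
    fields: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    playbook: str
    detection: Optional[str] = None                          # exact-match -> specific rule
    predicate: Optional[Callable[[Finding], bool]] = None    # condition  -> generic rule

    def matches(self, f: Finding) -> bool:
        if self.detection is not None and f.detection != self.detection:
            return False
        if self.predicate is not None and not self.predicate(f):
            return False
        return True

    @property
    def specificity(self) -> int:
        # An exact detection match outranks any generic predicate; a rule that
        # has both is the most specific of all.
        return (2 if self.detection is not None else 0) + (1 if self.predicate else 0)


def dispatch(findings: List[Finding], rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Map each finding id to the playbook that should run, or None.

    The most specific matching rule wins; ties go to the earlier rule in the
    list so that ordering is deterministic. A finding no rule matches is left
    as None, i.e. it remains in the queue for an analyst rather than vanishing.
    """
    result: Dict[str, Optional[str]] = {}
    for f in findings:
        candidates = [r for r in rules if r.matches(f)]
        if not candidates:
            result[f.finding_id] = None
            continue
        best = max(candidates, key=lambda r: r.specificity)  # first wins on ties
        result[f.finding_id] = best.playbook
    return result


# Constructed sample data (not real findings or playbooks).
SAMPLE_RULES = [
    Rule("generic-high", "triage_high_severity",
         predicate=lambda f: f.severity in ("high", "critical")),
    Rule("generic-medium", "enrich_indicators",
         predicate=lambda f: f.severity == "medium"),
    Rule("specific-schtasks", "persistence_investigation",
         detection="Windows Scheduled Task Created via Schtasks"),
]

SAMPLE_FINDINGS = [
    # Matches both the generic high-severity rule and the specific rule.
    Finding("F-1001", "Windows Scheduled Task Created via Schtasks", "high",
            {"host": "ws-042", "user": "jdoe"}),
    # Matches only the generic medium-severity rule.
    Finding("F-1002", "Excessive Failed Logins", "medium", {"user": "svc-backup"}),
    # Matches nothing: stays in the queue for manual triage.
    Finding("F-1003", "Unusual DNS Query Length", "low", {"host": "ws-017"}),
]


def run_sample() -> Dict[str, Optional[str]]:
    return dispatch(SAMPLE_FINDINGS, SAMPLE_RULES)


if __name__ == "__main__":
    for fid, playbook in run_sample().items():
        print(f"{fid}: {playbook or 'no automation (manual triage)'}")
```

The point to notice is F-1001: both a generic high-severity rule and a detection-specific rule match, and the specific one wins, which is the behaviour you want if a narrowly scoped playbook is meant to override a catch-all. Whatever precedence your real automation platform uses, verify it with a finding that matches more than one rule before you rely on it.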

With these new innovations, threat detection, investigation and response (TDIR) in Splunk Enterprise Security is integrated, unified, simple, and seamless. It provides operational efficiency and SecOps at scale to power the SOC of the future. And by the way, we’re not alone in saying that Splunk Enterprise Security is revolutionizing TDIR capabilities in the SIEM. Gartner gave us their highest score for TDIR capabilities in their Gartner Critical Capabilities for SIEM Report 2024.

To learn more or upgrade to Splunk Enterprise Security 8.0, visit the current release page, read the blog, and watch the full-length comprehensive demo.
