Speeding Detection, Investigation, and Response with Splunk for Security

The year 2020 brought about change at a historic rate, and last year we mentioned the massive, seemingly overnight, global shift to cloud. It turns out that this “overnight” shift is an ongoing one, and that challenges from last year persist. Chief among them is the rising complexity of hybrid and multicloud infrastructures, not to mention the loss of security visibility and the rapidly expanding attack surface they brought about.

As if speeding digital transformation weren’t challenging enough, research from the Splunk State of Security 2021 found that 84% of organizations suffered a significant security incident in the past two years. Nor is it getting easier: 49% of respondents said keeping up with security requirements has gotten harder in the last two years. And with 76% of respondents saying that remote workers are harder to secure, it’s no wonder SOC teams are falling behind.

Organizations are facing off against a lack of visibility across their ecosystem, massive volumes of alerts in the SOC, and no contextualized intelligence or paths to automation. Security is essential to, and enables, an effective digital transformation plan. That’s where Splunk can help.

Splunk for Security

We understand your desire to reduce dwell and resolution times. And this week at .conf21 we are unveiling several features and announcements focused on improving your ability to battle threats, and transform securely.

Enterprise Security Cloud

With Enterprise Security Cloud we continue to improve on capabilities previously announced, while launching new features essential to the modern SOC. Here is what’s coming soon!

Executive Summary Dashboard

Enterprise Security provides organizations with a tremendous amount of metrics on how your security program is running. The new Executive Summary dashboard surfaces key performance indicators that provide insights on the overall health of the SOC and facilitates reporting to CISOs and other senior leaders.

The Executive Summary Dashboard allows you to quickly assess the following:

  • Mean Time to Triage
  • Mean Time to Resolution
  • Investigations Created
  • Risk Based Alerting Trends
  • And More!

Security Operations Dashboard

Similar to the Executive Summary Dashboard, the Security Operations Dashboard shares key insights but provides deeper analysis for SOC managers and team leads. Previously, Enterprise Security introduced a dispositions feature in Incident Review that allowed you to record whether an event was a true positive, a false positive, or a benign positive. Coming soon, you will be able to view and report on this data over time, and get a deep dive into exactly which correlation sources contribute to each of the four default disposition types. This will allow your team to decide which detections should be expanded and which are eligible to be retired.

Cloud Security Monitoring Dashboard

We’re also enhancing the Cloud Security Monitoring Dashboard to give you greater visibility into AWS environments, including new dashboards such as AWS Security Groups and AWS IAM Activity, a new dashboard to capture your Microsoft 365 data, and more.

Automated Real-Time Content Updates

We are also adding in-product, automated real-time content updates, so you can get the latest security content from the Splunk Threat Research Team, as soon as it is available, with one click!

Behavioral Analytics for Security Cloud (Preview)

Behavioral Analytics for Splunk Security Cloud, now in Preview, provides threat detection using streaming security analytics to uncover unknown threats and anomalous user and entity behavior. Augment your SIEM in the cloud with real-time search and analytics, in addition to traditional search-based correlations and batch analytics, to accelerate your mean time to detect and spend more time hunting with higher-fidelity, risk-based behavioral alerts.

Splunk Security Essentials

Discover pre-built detections and Analytic Stories, which are grouped detections against adversaries or events, for security use cases with Splunk Security Essentials. Just in time for .conf21, Splunk Security Essentials 3.4.0 introduces MITRE ATT&CK industry-based detection recommendations, enhanced custom content mapping, and a new feature to identify helpful Splunkbase add-ons so you can utilize even more security content in your environment.

Splunk SOAR

With Splunk SOAR, anyone can automate — from no-code novices to super SOAR users, and everyone in between. We’ve focused on delivering changes and improvements to the user experience so you can achieve faster time to value!

Visual Playbook Editor

The new Visual Playbook Editor delivers a simplified interface that makes automating security tasks easier than ever, featuring:

  • Improved readability and navigation
  • Vertical playbook orientation
  • Decreased dependence on custom code

Apps on Splunkbase

Splunk SOAR apps are now available amongst our extensive ecosystem of partner- and community-built technical integrations on Splunkbase, providing you with a one-stop shop to extend the power of SOAR.

App Editor

The new App Editor makes it easy to view, test, extend, and edit existing apps — and create entirely new apps — all from the SOAR user interface, allowing you to:

  • Save time and energy with end-to-end development contained within the UI
  • Easily view and add code, test actions, see log results, and troubleshoot
  • Gain additional visibility into how an app functions and modify it to suit your use case

TruSTAR Intelligence Management

The TruSTAR Intelligence Management technology breaks down data silos within and across enterprises to align security effectiveness with business objectives, improving cyber resilience and operational efficiency. As Splunk and TruSTAR continue to integrate, joint customers will benefit from the ability to:

  • Reduce noise from intel sources to automatically improve alert prioritization
  • Easily share threat intelligence data across teams, tools, and sharing partners
  • Drive efficiencies in Splunk SOAR playbooks with enrichment based on normalized intelligence

SURGe

The complexity of security threats is increasing exponentially. Having access to expert knowledge, refined processes, and best-of-breed technologies can enable organizations to stay proactive in securing their business. SURGe helps security teams react swiftly to high-profile, time-sensitive cyberattacks by providing timely contextual awareness and initial incident response techniques. By leveraging SURGe’s timely technical guidance, security teams can find clarity amid chaos, reduce their mean time to detect, and reduce their mean time to respond.

With SURGe, you can:

  • Empower your blue team with initial incident response techniques
  • Apply trusted threat intelligence to stay ahead of threats
  • Leverage Splunk’s people, processes, and technologies to help you protect your business

Want to be notified of high-profile cyberattacks? Sign up for alerts and receive initial incident response guidance from SURGe.

Ready to learn more about how Splunk can help secure your cloud journey? Join us and more than 20,000 Splunk customers and partners online at .conf21 live. We will offer updates across our security portfolio and deep-dive demos.

Follow all the conversations coming out of #splunkconf21!

Posted by Jane Wong