15FEB2019
Splunk security professionals exist for Splunk customers. We travel the world to meet with you, lurk on ICQ and Slack 24/7 hoping for a wild Splunk Security Essentials or BOTS question to appear, and we even wear Splunk shirts at hacker conferences just to hear, "Hey, do you work at Splunk? I've got a question…" (This last one is actually a lie. We cluster together, avoiding contact with humans and the sun. They're both scary!)
But frankly, it's not good enough. We can do better because, honestly, we don't scale...no matter how many IPAs (or Hefeweizens) we drink. And many of the questions are the same. This means we haven't done a great job documenting (or sharing previously documented) answers! We can do better.
A year and a half ago we began blogging about "Hunting with Splunk" in an attempt to share some of the coolest ways we have found to use Splunk core to freestyle hunt badness with SPL. Now we want to talk about the Splunk security products that most of you use: Splunk Enterprise Security, Splunk Phantom, Splunk User Behavior Analytics, Splunk Security Essentials, PCI and more. Every couple of weeks, we're going to drop a blog post based on a question that's been asked of us in the past. It could be anything from “How do I configure threat intelligence lookups in ES” to “I keep trying to make a Phantom playbook and phailing. Help!”
If you have any specific questions you want answered, feel free to send them to bots@splunk.com. With each "Dear Buttercup" blog post, we will continue to update this post with links to the other blogs. Check out the posts below:
- Modifying the Incident Review Page
  How to modify the Incident Review page and add information to Notable Events in Splunk Enterprise Security
- Threat Intel and Splunk Enterprise Security Part 1 - What’s The Point of Threat Intel in ES?
  How threat intelligence works with Splunk Enterprise Security
- Threat Intel and Splunk Enterprise Security Part 2 - Adding Local Intel to Enterprise Security
  Getting started with local threat intelligence in Splunk Enterprise Security
- Dear Buttercup, To SIEM or not to SIEM; that is the Question
  Answering the question of what IS and IS NOT a SIEM, and whether you need one
- Stitching Notables Together with Event Sequencing
  Using event sequencing in Splunk Enterprise Security to create linked notable events
- Asset & Identity for Splunk Enterprise Security - Part 1: Contextualizing Systems
  Introduction to working with assets in Splunk Enterprise Security
- Asset & Identity for Splunk Enterprise Security - Part 2: Adding Additional Attributes to Assets
  Extending existing asset frameworks and providing the ability to add additional fields
- Asset & Identity for Splunk Enterprise Security - Part 3: Empowering Analysts with More Attributes in Notables
  Contextualizing assets and identities in notable events so analysts have them automatically
- How Do I Add COVID (or Any) Threat Intelligence From the Internet to Splunk Enterprise Security?
  Getting threat intelligence data to find and detect domains, URLs, and hashes in Splunk Enterprise Security
- Analytics Stories for Splunk Enterprise Security, Part 1: Organizing My Security Use Cases
  Using the Use Case Library and Analytic Stories to organize security use cases
- Analytics Stories for Splunk Enterprise Security, Part 2: Creating and Sharing (Because Sharing is Caring) Use Cases
  Building and organizing your own content into use cases in Enterprise Security and sharing them with your friends and neighbors
- Integrating COVID (or Any) Threat Indicators with MISP and Splunk Enterprise Security
  Integrating MISP servers with Splunk Enterprise Security's Threat Intelligence framework
- MITRE ATT&CK Integration is a Notable Event
  Contextualizing notable events to MITRE ATT&CK tactics and techniques