Continuing to ride the waves of Summer of Security and the launch of Splunk Security Cloud, Splunk Security Essentials is now part of the Splunk security portfolio and fully supported with an active Splunk Cloud or Splunk Enterprise license. No matter how you choose to deploy Splunk, you can apply prescriptive guidance and deploy pre-built detections from Splunk Security Essentials to Splunk Enterprise, Splunk Cloud Platform, Splunk SIEM and Splunk SOAR solutions.
Bolster Your Security Operations with Splunk Security Essentials
We know that your environment can be complex, but Splunk for Security doesn’t have to be. With Splunk Security Essentials, also popularly known as SSE, you can get more from your Splunk security offerings with easy-to-deploy detections and Analytic Stories that align to your security journey. Analytic Stories are groups of detections specifically built to detect, investigate, and respond to a specific threat, like Ransomware. You and your analysts can explore security use cases and address threats and challenges unique to your business while staying ahead of new and emerging threats with automatic content updates from the Splunk Threat Research Team.
You can take your data and detections a step further with SSE by operationalizing MITRE ATT&CK® and Cyber Kill Chain® frameworks. Enable your security team to identify and address gaps in your security coverage with framework modeling, improving your security posture and demonstrating high-level compliance to your stakeholders. With Splunk Security Essentials, your team can now get started quickly with Splunk for Security and begin detecting and responding to threats faster.
Review MITRE ATT&CK Techniques and Find Detections with Splunk Security Essentials
As you review common cybersecurity attacks and threats, you might notice that most reports list the MITRE ATT&CK® techniques used in the attack. You can search for these MITRE ATT&CK® techniques in SSE to quickly see if your environment has detections to help protect against them:
- From the main menu in SSE, navigate to the Security Content page.
- Copy and paste or enter the list of MITRE ATT&CK® techniques from the attack report into the search bar. Alternatively, you can add and use the ATT&CK Technique filter to select the MITRE ATT&CK® technique IDs you want to find detections for.
- Review the detections that appear to determine if your environment is protected against the potential attack.
- (Optional) Click Edit to enable the Content Enabled filter and the Data Availability filter. Use the Content Enabled filter to filter the detections based on what detections are already running in your environment. If a detection is enabled, you already have some protection against the listed techniques. Use the Data Availability filter to filter the detections based on if you have the data available for them.
This screenshot shows some of the MITRE ATT&CK® Technique IDs used in the Sunburst attack and detections that can help protect against these techniques. These MITRE ATT&CK® Technique IDs were detailed by FireEye in December 2020.
To learn more about using detections in SSE, check out “Review your content with the Security Content page” in the documentation.
See Splunk Security Essentials in Action
Last month, Splunk Security Essentials was featured in Splunk’s Tech Talks security edition. Tech Talks is a series of short, technical webinars focused on features and best practices to help you continue on your Splunk journey. Watch “Finding the Right Security Content with Splunk Security Essentials” on-demand to learn how to leverage the Security Content Library, explore new security use cases, and deploy detections to Splunk Cloud Platform, Splunk Enterprise, Splunk SIEM and Splunk SOAR offerings. And if you’re ready to get started with Splunk Security Essentials now, download and install the app from Splunkbase.
This article was co-authored by Amy Heng and Auburn Wilcox, Technical Writer, with contributions from Johan Bjerke and Cynthia Li.