Introducing Analytics Advisor to Splunk Security Essentials

Splunk Security Essentials (SSE) version 2.4 is now available! This release packs loads of new functionality into it that will benefit all users. If you don’t know what Security Essentials is, head over to this blog post that explains the app in detail - Splunk Security Essentials. Go ahead, read it, we’ll wait….

OK great, now that you know more about SSE, a major addition to this latest release is the ability to perform introspection in your environment to figure out what data sources are available while also analyzing which detection searches are currently running. These two new data points allow us to create a completely new UI for identifying the best and most relevant content with minimal effort.

We call this new feature the Analytics Advisor!

Using this interface, Analytics Advisor can:

  • Highlight gaps in coverage with the content you have enabled

  • Map active and available content against the MITRE ATT&CK Framework and
    Cyber Kill Chain

  • Show maturity against the Splunk Security Journey

  • Find opportunities for data re-use

  • Find relevant content in just 2-3 clicks

The ability to map active and available content against the MITRE ATT&CK Framework and Cyber Kill Chain opens up new possibilities to gauge your maturity and coverage easily right inside the app.

How does the mapping work?

Each piece of content in SSE is mapped to a Data Source Category. A Data Source Category refers to a specific type of event that needs to be present in a data source in order for the content to work. Don't just think Network Data, think Network Data with Originating User. This version of SSE has a feature called Data Inventory that checks availability against all Data Source Categories and stores this locally.

The goal of the Data Inventory is to understand what data you have and to provide the means to create a foundational set of dashboards that guide you to valuable content. Ultimately, we want to provide a prescriptive view to what content will add value to your security operations.

We hope to automate as much of the data inventory process as possible through introspection into the current environment. You might not run SSE in your production environment, in which case you can manually adjust availability and coverage per Data Source.

SSE also checks whether a specific search is enabled or not and highlights this as well.

Why is it in Beta?

Currently, we have approximately half of the introspection automated via the Data Source Check dashboard (excluding data sources used only by Splunk premium solutions), but we have near-term plans to enhance this Data Inventory dashboard with extensive introspection capabilities. Once this is done we will move these new dashboards into the non-beta section. However, don’t let this stop you from using the capabilities now. Even at this stage we believe they will provide a lot of value.

For full details on this exciting new release, head over to the Security Essentials page on Splunkbase and grab the latest version.

Happy Splunking!

Posted by Johan Bjerke

From Sweden, living in London for many years now. I love travelling and having a good work-life balance.