In our latest release of Splunk Enterprise Security 7.2, we are excited to introduce capabilities that deliver an improved workflow experience for simplified investigations; enhanced visibility and reduced manual workload; and customized investigation workflows for faster decision-making. The majority of these updates and new features were requested directly from Splunk Enterprise Security (ES) users and submitted through the Splunk Ideas portal. Keep the great ideas and suggestions coming — we’re listening!
With these new capabilities, ES helps you see more, act faster, and simplify your investigations. Let’s take a look!
Improved Workflow Experience for Simplified Investigations
- Multiple Drill-down Searches on Correlation Rules: Users can now create multiple drill-down searches on correlation rules to quickly narrow their investigation stemming from a notable event. This eliminates the need to manually create queries, saving time and increasing SOC efficiency.
- Enhanced Risk Analysis Dashboard: Security analysts are always looking for ways to increase security visibility to better understand organizational risks. With the enhanced risk analysis dashboard, security analysts have a deeper, more holistic layer of visibility across all detection events. The SOC can assess organizational risk faster from users and entities, and analysts can drill down on specific users and entities for additional context on risk contributions.
- Dispositions in Incident Review: SOC teams often struggle with threat prioritization. Dispositions in Incident Review help analysts classify notable events by separating false positives, benign positives, and true positives. With this information, SOC leaders and detection engineers can make decisions about what detections should be reviewed and when. Now, with ES 7.2, ES Administrators can require disposition when closing notables. This provides a feedback loop into detection engineering, allowing efficient review of security detections. Additionally, analysts can now filter on a disposition value in Incident Review to gather notable events based on specific dispositions without manually searching disposition values in the Incident Review search bar.
- Hyperlinks in Correlation Search “Next Steps”: Many ES users have incident response runbooks and additional documentation on how to triage certain incidents, and in certain cases, new analysts may not be familiar with the process. This new capability enables ES administrators to include a link to resources such as wiki pages, runbooks, Splunk dashboards, or even third party websites, as part of an analysts’ response workflow. Analysts are able to view details as part of an event’s “Next Steps” which enhances and accelerates the analyst’s investigation process.
Enhanced Visibility and Reduced Manual Workload
Security analysts need to reduce manual workload. With the new Auto Refresh in Incident Review, ES will automatically showcase the most up-to-date events for the SOC. Administrators can now customize and control the frequency of the auto refresh. This ensures that analysts are seeing the latest notable events to help them make efficient and fast decisions, and save time by reducing manual work.
Furthermore, security analysts can currently prioritize notable events within Splunk Enterprise Security, but often want to visualize it by date and time. That’s why we’re bringing back the Timeline function in Incident Review. Analysts can now view related events across a specific time frame. This interactive timeline for notables supports analysts by enabling the SOC to quickly gain insight into anomalous activity, such as an unusually high number of notables around a certain time, and therefore prioritize time-sensitive critical incidents.
Customize Investigation Workflows for Faster Decision-Making
Large Security Operations Centers with multiple teams often struggle to make fast decisions when they are overwhelmed with security events. ES 7.2 introduces optional enhancements to the Incident Review dashboard that provides a more customizable experience when investigating notable events.
Analysts are now able to customize and configure the Incident Review dashboard with table filters and columns that provide the capability for practitioners to look at events that matter to them. Additionally, they can now create saved views of their customized Incident Review Dashboard and share them with other Enterprise Security analysts. This allows analysts with different use cases to share their tailored views of notable events with other incident investigators in order to seamlessly collaborate on notable events. Splunk ES Administrators also have access to a new level of controls on the analyst experience in Incident Review, including the ability to configure default views for all users.
Splunk Enterprise Security 7.2 updates are available today in both cloud and on-prem environments. As we mentioned, the majority of updates in this release were requests that came directly from users. We’re listening! If you have ideas and requests, please submit them to Splunk Ideas.
Ready to get hands on with Enterprise Security 7.2? Register for our Tech Talk!