Splunk recently published a whitepaper on Splunk and SIEM integration that outlines the challenges faced by many federal and commercial customers. The challenges are well known and revolve around scalability and moving beyond predefined correlation rules toward true situational awareness. Splunk provides great value to SIEM customers because it can deliver the true "common operational picture" by letting analysts look at all of the data from one console, in real time. We do this with terabytes of data and continue to address scaling issues with customers worldwide.
The whitepaper details how Splunk integrates with, and serves as a critical tool alongside, not only the SIEM but other key underlying technologies. It positions Splunk as complementary to SIEM deployments and describes the technical requirements for integrating Splunk with existing ArcSight ESM deployments. Splunk is a superior alternative to ArcSight Logger, and can even be a drop-in replacement for Logger where one is already installed, while preserving existing ESM security analysis workflows. The whitepaper discusses using Splunk's real-time API and a CEF-output framework to send a real-time stream of data to ESM in Common Event Format (CEF), ArcSight's open log event format standard.
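To make the CEF hand-off concrete, here is an added example (not Splunk's CEF-output framework and not code from the whitepaper) that maps a Splunk search result row onto a CEF line and parses it back, applying the CEF escaping rules that trip up most home-grown integrations: backslash and pipe are reserved in the header, backslash and equals sign are reserved in extension values, and CR/LF are written as `\r`/`\n`. The Splunk-side field names, the vendor/product/version strings, and the sample SSH event are assumptions constructed for this example.

```python
"""Added example: build and parse ArcSight CEF lines from Splunk-style search results."""
import re

CEF_VERSION = 0

# Splunk field name -> CEF extension key. The left-hand names are CIM-style
# Splunk field names assumed for this example; the right-hand keys are CEF
# dictionary keys ESM understands (device host, source/dest address, dest port,
# source user, action, message).
FIELD_MAP = {
    "host": "dvchost",
    "src_ip": "src",
    "dest_ip": "dst",
    "dest_port": "dpt",
    "user": "suser",
    "action": "act",
    "_raw": "msg",
}


def escape_header(value):
    """Header fields: backslash and pipe are reserved and must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: backslash and '=' are reserved; CR/LF are written as \\r / \\n."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Return one CEF line. severity uses the 0-10 integer scale ESM expects."""
    sev = int(severity)
    if not 0 <= sev <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    header = "|".join(escape_header(v) for v in (vendor, product, version, signature_id, name, sev))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def splunk_result_to_cef(result, signature_id, name, severity,
                         vendor="Splunk", product="Splunk", version="4"):
    """Map one Splunk result row (a dict of field -> value) onto CEF.
    Assumes _time is epoch seconds; CEF's rt field is emitted as epoch milliseconds.
    The vendor/product/version defaults are assumptions for this example."""
    extension = {}
    if "_time" in result:
        extension["rt"] = int(float(result["_time"]) * 1000)
    for splunk_field, cef_key in FIELD_MAP.items():
        if splunk_field in result:
            extension[cef_key] = result[splunk_field]
    return build_cef(vendor, product, version, signature_id, name, severity, extension)


def _split_header(line):
    """Split the seven header fields on unescaped pipes; return (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    return fields, line[i:]


# A key is an unescaped run of key characters directly followed by '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape_extension(raw):
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1]))
            i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def parse_cef(line):
    """Parse a CEF line into a dict. Extension values may contain spaces, so each
    value runs from its 'key=' up to the start of the next '<whitespace>key='."""
    line = line.rstrip("\r\n")
    fields, ext_text = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    keys = list(_KEY_RE.finditer(ext_text))
    extension = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = _unescape_extension(ext_text[m.end():end])
    names = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    parsed = dict(zip(names, fields))
    parsed["extension"] = extension
    return parsed


# Constructed sample row (not real data), shaped like what a search such as
#   sshd "Failed password" | table _time host src_ip dest_ip dest_port user action _raw
# would return.
SAMPLE_RESULT = {
    "_time": 1310144400,
    "host": "bastion01",
    "src_ip": "203.0.113.7",
    "dest_ip": "10.0.0.5",
    "dest_port": "22",
    "user": "root",
    "action": "failure",
    "_raw": "sshd[4211]: Failed password for root from 203.0.113.7 port 54022 ssh2",
}

if __name__ == "__main__":
    line = splunk_result_to_cef(SAMPLE_RESULT, "SSH-AUTH-FAIL", "SSH authentication failure", 5)
    print(line)
    print(parse_cef(line)["extension"]["src"])
```

In a real deployment this function would sit behind a Splunk scheduled-search alert script or a consumer of the real-time search API and write each line to a syslog socket that an ArcSight CEF SmartConnector listens on; the escaping is what keeps a raw event containing `|` or `=` (a command line, a URL query string) from shifting every downstream header field or extension key in ESM.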
Thanks to our customers and engineers who helped gather and validate this information so it can be shared across the security community.
Here are links to the paper and to a recent customer video on the topic: Extracting More Value from SIEM Deployments: Integrating Splunk with ArcSight, and Splunk at a large Federal Agency.
-Tony Ayaz, VP Splunk Federal