Splunk Security Essentials 2.2 is Live!

Something big just happened for Splunk security customers. Version 2.2 of Splunk Security Essentials (SSE for short) was just released and is—as always—free!

What’s new and exciting:

  • 25 new detections primarily focused on Insider Threat, including 50+ pages of documentation with line-by-line SPL explanations.
    • Did you hear about that recent Microsoft Zero Day? Though technically SSE would have already found it, we took the public documentation and built out a dedicated detection just for unusual processes spawning off of spoolsv.exe and connhost.exe.
  • Better integrations with Splunk Enterprise Security and Splunk Enterprise Security Content Update, including links from SSE directly over to the products.
    • All detections will create risk indicators, and we built an improved workflow for searches that create notable events.
    • Updated descriptions of the anomalies in Splunk User Behavior Analytics.
  • Moreover, along with more "usability" features, we squashed enough bugs to make this easily the most significant release since 2.0.
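To make the spoolsv.exe / connhost.exe bullet concrete, here is an added example (not SSE's own search, and not the app's SPL): a small Python model of a "what does this parent normally spawn?" detection, run over constructed process-creation events shaped loosely like Sysmon Event ID 1 records. Hostnames, paths and the `min_hosts` prevalence threshold are assumptions for the example.

```python
import ntpath
from collections import defaultdict
# Parents named in the release notes; other parents are ignored by this model.
WATCHED_PARENTS = {"spoolsv.exe", "connhost.exe"}

# Constructed sample events (not real telemetry), loosely shaped like Sysmon Event ID 1 records.
HISTORY = [  # learning window: what these parents normally spawn
    {"host": "ws01", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\printfilterpipelinesvc.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\printfilterpipelinesvc.exe"},
]
NEW_EVENTS = [  # detection window
    {"host": "ws05", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\printfilterpipelinesvc.exe"},
    {"host": "ws05", "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c example"},
    {"host": "ws06", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\connhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def proc_name(path):
    """Lower-cased file name of an image path (ntpath handles Windows paths on any OS)."""
    return ntpath.basename(path).lower()

def build_baseline(history):
    """Map (parent, child) -> set of hosts on which that pairing was seen while learning."""
    seen = defaultdict(set)
    for ev in history:
        parent = proc_name(ev["parent_image"])
        if parent in WATCHED_PARENTS:
            seen[(parent, proc_name(ev["image"]))].add(ev["host"])
    return seen

def find_unusual_children(events, baseline, min_hosts=2):
    """Flag a watched parent's child that is absent from the baseline or seen on < min_hosts hosts."""
    findings = []
    for ev in events:
        parent = proc_name(ev["parent_image"])
        if parent not in WATCHED_PARENTS:
            continue  # e.g. explorer.exe -> cmd.exe is out of scope here
        child = proc_name(ev["image"])
        prevalence = len(baseline.get((parent, child), ()))
        if prevalence < min_hosts:
            findings.append({"host": ev["host"], "parent": parent, "child": child,
                             "baseline_hosts": prevalence, "command_line": ev.get("command_line", "")})
    return findings
```

The baseline is the part SSE's demo data and documentation help you reason about: tune the learning window and `min_hosts` against your own fleet, and review the known false positives before turning a search like this into a notable event.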


Never heard of Splunk Security Essentials? Get excited! SSE is already one of the most installed apps in all of Splunkbase and provides a showcase of what can be done in the world of Splunk for security. SSE includes 125 examples of detections that can be deployed on Splunk Enterprise to give your security program more focus and get it up and running more quickly. In fact, we’ve already featured these detections in prior Splunk blog posts, including:

You’ve been surrounded with security goodness and didn’t even know it.

Each of these examples ships with demo data that will show you what the detection will find, along with the live queries that will run on your real data. Sometimes the app even includes accelerated searches that take advantage of Splunk’s Common Information Model! Content covers many popular security use cases, such as security monitoring, advanced threat detection, insider threat, compliance and more.

Also, each example is thoroughly documented to give you the "how" and the "why," and to help you implement it, including:

  • Required data sources
  • Use case and category of detection (e.g., Insider Threat, Lateral Movement, etc.)
  • MITRE ATT&CK and Kill Chain Phases
  • Description
  • Security relevance
  • Implementation guidance
  • Response recommendations
  • Known false positives
  • Expected alert volume
  • SPL difficulty rating and line-by-line documentation for how the SPL works


You may be wondering how this relates to Splunk’s premium security products, Splunk Enterprise Security and Splunk User Behavior Analytics. Customers who are looking to jumpstart their SIEM and Advanced Analytics programs with those premium products will even get a guide to that content; SSE provides references to the over 300 detections they provide, all mapped to the same sets of use cases and requirements.

Of course, where to start can be a daunting challenge. That’s why we never recommend anyone try to conquer the world from day one. To help here, SSE maps all its content to the Splunk Security Data Journey, which models how customers typically mature their installations from day one onward. It’s important to understand not just what you can do, but what you should do first. If you're new to using Splunk for your security—or even if you're new to security analytics altogether—walk through the journey to understand what content you can look forward to taking advantage of, the recommended order for onboarding data sources and more!

Did I mention the data onboarding guides? The most common question we hear from customers is about data onboarding, so... we're giving you ALL the guides! These guides have been reviewed and approved by Splunk Professional Services. Use the guides to walk through the "how-tos" of ingesting data into Splunk, as well as configuring source systems to actually send the data required for the use cases. So far the guides cover:

  • Windows Security (including Event ID 4688)
  • Linux Host Logs
  • Microsoft Sysmon
  • Palo Alto Networks
  • Cisco ASA
  • AWS CloudTrail
  • AWS VPC Flow Logs
  • Microsoft O365
  • Symantec EP
  • Splunk Stream DNS

At this point, you might be asking yourself, "Is Splunk Security Essentials for me?" My answer: Yes. Why? Because countless small (and large) organizations have built their first sets of security analytics detections with the help of SSE. It's a great place to begin building out your analytics whether you are a Fortune 100 or a small startup. We worked hard to make sure that SSE can help an organization of any size get more value out of their Splunk logs than they have seen for ages.

Want to learn more? If you're an existing Splunk customer or are generally comfortable installing an app, download Splunk Security Essentials and follow the easy install docs. If you’re newer to Splunk, maybe you’d like to learn a little more before you jump in. I’ve got just the book for you—The Essential Guide to Security—as an introduction to the Splunk Security Data Journey, the use cases that customers typically solve with Splunk solutions and some introductory content from SSE that will help you succeed!

Posted by David Veuve