Using Security Essentials 2.4: Analytics Advisor

In the latest release of Splunk Security Essentials (Version 2.4) (SSE), we added a new set of features centered on choosing the most relevant analytics called the Analytics Advisor. If you would like to learn more about what it does (and you most certainly do!), head over here to go into greater depth about Analytics Advisor. In this post, I will show how you would benefit from using this awesome new feature!

Scenario 1: Identifying New Use Cases

You have been tasked with figuring out how to get additional value out of your Splunk investment. Splunk is great for enabling data re-use across different use cases and departments. If you work in security, it’s easy to forget that security is not the most common use case for using Splunk, it’s just one of many use cases that our customers get value from.  

With the launch of the Analytics Advisor feature in Security Essentials, this task is easier for anybody using, or wanting to use, Splunk for security.

Open up the Analytics Advisor dashboard and change the Split by dropdown to Data Source

The Chart View below highlights the security relevant data sources and the content that is available to be re-used for security use cases.

If you move your mouse over the term Available in the legend, any content labelled Available will be highlighted. This means that you have content (detections, correlations etc.) that can be enabled with data already in Splunk!

If you scroll further down you see the total amount of content filtered in the view, Selection.

By clicking on the view Selection by Data Source, you will see a tabular view with the data sources sorted by the largest amount of content available to enable.

In the view, you see that the Email data you have in the system has no content enabled. Perhaps this means that the IT team is using Email data that the Security team could also benefit from?

Scenario 2: MITRE ATT&CK

Imagine your security operations team is aligning their analytics and reporting to the MITRE ATT&CK Framework and you need to measure the adoption of the framework against your operations. Quite simply, you want to better understand and articulate your coverage against well-known adversary techniques. Coverage means that you have detections or preventative counter-measures in place for the techniques. Let’s take a look.

Open SSE and navigate to the MITRE ATT&CK Framework.

The top of the dashboard highlights three key indicators that highlight all of the content available in the environment that is mapped to either ATT&CK Tactics or ATT&CK Techniques. A different color represents content that is currently running (Active), the content you can enable because you have the event data for it (Available) and the content you need to onboard more data to enable (Needs data).

As you can see in the dashboard below, you can quickly gain insights into the status of your environment as it pertains to ATT&CK tactics!

If you want to drill further and look at your coverage against ATT&CK Techniques, use the Split by dropdown and select MITRE Technique.

In addition to the bar graph, there are four additional views to visualize coverage; Security Journey, Sankey View, Radar View, and MITRE Map View.

The Radar View (aka Spider Chart) produces this management friendly gem that highlights the ATT&CK coverage by tactic and helps easily visualize which tactics may need to be prioritized to improve coverage.

Based on this Radar View, it appears that we have the appropriate data available to us to better address Exfiltration and Credential Access, so perhaps our near term focus should be on getting those analytics enabled and deployed to our Splunk instance

One other view of particular interest (not that all the views aren’t interesting, but this is very cool!) is the MITRE Map View. This view provides a tabular listing of all of the tactics and techniques in ATT&CK while highlighting the analytics available in the system. You can highlight content that is Active, Available or that Needs data or view all. The darker the color the more content exist.

If there is a specific technique you want to learn more about, click the cell and the view will be filtered down to that technique so you can take steps to enable it or read more about this particular content.

As you can see, the Analytics Advisor is a very valuable addition to the capabilities of Security Essentials. If you haven’t done so already, head over to Splunkbase and install the latest version.

Happy Splunking!

Johan Bjerke
Posted by

Johan Bjerke

From Sweden, now London since many years. I love travelling and having a good work life balance.