Splunk Enterprise Security Features
Threat Topology
Threat Topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity.
MITRE ATT&CK Framework Matrix
The MITRE ATT&CK Framework feature in Splunk Enterprise Security allows security analysts to quickly build situational awareness around an incident in the context of the MITRE ATT&CK Matrix and pivot directly to associated MITRE documentation.
Security Posture dashboard
Built on a scalable platform, Splunk Enterprise Security (ES) delivers data-driven insights so you can gain full-breadth visibility across your organization.
The Security Posture dashboard provides high level insight into real-time notable events across your security operations center. You can configure the dashboard with the KPIs you need and monitor change over a 24-hour period.
Executive Summary dashboard
Give CISOs and other senior leaders increased visibility into the overall health of their security program, with the ability to filter security metrics over time.
SOC Operations dashboard
Get more information about the efficiency and performance of your SOC team, like MTTD and number of notables, making it more relevant for SOC managers and team leads./span>
Incident Review dashboard
This is the primary interface where you can see your detections (or Notable Events). Notable Events provide a starting point for an incident you're investigating and you can easily sort them by severity, so you can prioritize security incidents and remediate them quickly.
Risk Based Alerting (RBA)
Risk-based alerting, or “RBA,” builds upon the great out-of-the-box detections in Splunk ES by greatly reducing false-positive detection rates and increasing productivity in your SOC. RBA attributes risk to users and systems and generates alerts when risk and behavioral thresholds are exceeded.
In incident Review, you can easily expand to view the timeline of events that contributed to an RBA-generated Notable (or a Risk Notable).
Adaptive Response Actions
Adaptive Response Actions are actions that can be taken either manually or automatically against any notable event generated.
These actions can help gather context or help accelerate response and remediation when investigating notable events and are a great foundation for automating certain processes before evolving to full security orchestration, automation and response solution with Splunk SOAR.
Threat Intelligence and SOAR
Splunk Intelligence Management enables security teams to operationalize their internal and external security intelligence sources across their ecosystem by delivering insights directly into Splunk ES and Splunk SOAR.
Splunk SOAR can seamlessly share information with Splunk ES, helping to accelerate incident investigation and response by enriching alerts and performing actions at machine speed.
Behavior Analytics
Splunk User Behavior Analytics (UBA) integrates with ES to enhance insight, strengthen security and streamline investigations so analysts can focus on high-fidelity alerts. UBA utilizes machine learning to profile user and entity behaviors, filter out real threats and share those threats with Splunk ES.
Alternatively, the behavioral analytics service is also available for cloud-deployed Splunk ES customers to provide comprehensive security visibility to uncover hidden and unknown threats through streaming analytics.
ES Content Updates and Use Case Library
The Splunk Threat Research Team releases security content in the form of pre-packaged detections and responses to help your team stay on top of the latest threats.
Find this content in the Use Case Library in the form of Analytic Stories, where you can filter by use case or by an industry framework like MITRE ATT&CK.
Asset Investigator and Security Domains
The Asset Investigator dashboard aggregates events over time into swim lanes for easier threat hunting and incident forensic. Each swim lane defines high and low activity periods by color shade, revealing patterns in host and user actions.
Within Security Domains are ready-to-use dashboards with individual focuses — such as tracking login attempts, breach endpoints or network intrusions — that you can pivot and correlate across to reduce remediation time.
Risk Analysis dashboard
The Risk Analysis dashboard tracks and categorizes assets by risk. Assets with, for example, sudden increased activity are prioritized over those that merely contain confidential information, reducing alert noise.
Access Anomalies dashboard
Another example of security intelligence within Splunk ES is the Access Anomalies dashboard. Access Anomalies visualizes anomalies across your users' behavior, displaying concurrent authentication attempts from different IPs and unlikely travel anomalies.
Investigation Workbench
During an investigation, you can quickly pivot to the Investigation Workbench, which centralizes all threat intelligence, security context and relevant data, including users and devices, for fast and accurate assessments of incidents.
The Investigation Timeline allows for better collaboration and tracking of investigations. Ad-hoc searches are also easy to run from Workbench so you save time and remain focused on your investigation.
