
Enterprise Security Features 

Explore detailed product features and in-depth workflows to see how Enterprise Security drives efficiency, precision, and impact across your security operations.

Unified Workflows

Work faster by combining multiple siloed tools into a single platform.

SIEM

Collect, centralize, and analyze security data in real time, enabling swift detection, investigation, and response to security threats with the market-leading SIEM. 

AI Assistant

Obtain instant findings, craft queries, and summarize incidents to supercharge your productivity and insights.

SOAR

Leverage automation to streamline workflows, enrich alerts, and accelerate response actions regardless of your SOC role.

UEBA

Use machine learning-powered UEBA to detect insider threats, compromised accounts, and advanced attacks. 

Cisco Talos and Threat Intelligence Management

Obtain actionable intelligence and context, with normalized scores computed from centralized and enriched data, to detect, prioritize, and investigate security events.

Detection Studio


Deploy detections with confidence for faster mean time to detect. Get the complete detection lifecycle experience to enable engineers to seamlessly test, deploy, and monitor detections. Measure and enhance your coverage that maps to the MITRE ATT&CK® Framework — so that your team can keep pace with evolving TTPs and swiftly take action on detection gaps.*

*In Alpha where available

Finding-Based Detections

Learn how finding-based detections can help your security team quickly understand security incidents and respond accordingly. A finding-based detection is based on the specific details or analytics observed, including timestamps, key/value pairs, entity information, impact, risk score, threat object, and more.

Detections

See how you can leverage detections and detection content in Splunk Enterprise Security 8.0. This new version of Splunk Enterprise Security provides an easier-to-manage, full library of detection content. Detection content is cleaner, better organized, and easier to track, so detection engineers can easily identify and update out-of-date content.

Detection Versioning

Learn how detection versioning in Splunk Enterprise Security 8.0 can help you better manage detection hygiene in your SIEM. Automatic detection versioning provides native, automatic version control of ESCU and customer-owned detections. Detection engineers can easily and efficiently save new versions of detections, back up detections, roll back to prior versions of detections with a single click, and maintain custom detections.

MITRE ATT&CK Framework Matrix

The MITRE ATT&CK Framework feature in Splunk Enterprise Security allows security analysts to quickly build situational awareness around an incident in the context of the MITRE ATT&CK Matrix and pivot directly to associated MITRE documentation.

Security Posture dashboard

Built on a scalable platform, Splunk Enterprise Security (ES) delivers data-driven insights so you can gain full-breadth visibility across your organization.

The Security Posture dashboard provides high-level insight into real-time notable events across your security operations center. You can configure the dashboard with the KPIs you need and monitor change over a 24-hour period.

Risk-Based Alerting (RBA)

Risk-Based Alerting (RBA) builds upon the great out-of-the-box detections in Splunk Enterprise Security by greatly reducing false-positive detection rates and increasing productivity in your SOC. RBA attributes risk to users and systems and generates alerts when risk and behavioral thresholds are exceeded.

In incident review, you can easily expand to view the timeline of events that contributed to an RBA-generated Notable (or a Risk Notable).
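The aggregation described above (risk attributed to users and systems, a notable raised only when a threshold is crossed) is illustrated by the following added example. It is not Splunk code and does not use any Splunk API; the risk events, score values, the 100-point threshold and the "at least three distinct detections" rule are all constructed for illustration, and only the idea (sum risk per entity, suppress single-source noise, keep a contributing-event timeline) is what the page describes.

```python
from dataclasses import dataclass

# Constructed stand-in for a risk-index record: what a detection would write
# when it observes something suspicious about a user or system.
@dataclass(frozen=True)
class RiskEvent:
    time: int              # epoch seconds (constructed)
    risk_object: str       # the user or system the risk is attributed to
    risk_object_type: str  # "user" or "system"
    risk_score: int        # points assigned by the detection
    source: str            # name of the detection that fired
    tactic: str            # ATT&CK tactic the detection maps to

# Constructed sample: alice accumulates risk from three different detections,
# web01 accumulates more points but from one noisy detection firing repeatedly,
# bob never reaches the threshold.
SAMPLE_EVENTS = [
    RiskEvent(1000, "alice", "user", 40, "Unusual Login Time", "Initial Access"),
    RiskEvent(1300, "alice", "user", 50, "New Process on Host", "Execution"),
    RiskEvent(1700, "alice", "user", 30, "Excessive File Access", "Collection"),
    *[RiskEvent(2000 + i * 60, "web01", "system", 30, "Port Scan Observed", "Discovery")
      for i in range(5)],
    RiskEvent(2500, "bob", "user", 25, "Unusual Login Time", "Initial Access"),
    RiskEvent(2600, "bob", "user", 35, "New Process on Host", "Execution"),
]


def aggregate_risk(events):
    """Sum risk per (type, object) and record which detections and tactics contributed."""
    agg = {}
    for e in events:
        key = (e.risk_object_type, e.risk_object)
        entry = agg.setdefault(key, {"score": 0, "sources": set(), "tactics": set(), "events": []})
        entry["score"] += e.risk_score
        entry["sources"].add(e.source)
        entry["tactics"].add(e.tactic)
        entry["events"].append(e)
    return agg


def risk_notables(events, threshold=100, min_sources=3):
    """Return one notable per entity whose total risk reaches `threshold` AND whose
    risk came from at least `min_sources` distinct detections (a single detection
    firing many times is treated as noise, not as an incident)."""
    notables = []
    for (otype, name), entry in aggregate_risk(events).items():
        if entry["score"] < threshold or len(entry["sources"]) < min_sources:
            continue
        timeline = sorted(entry["events"], key=lambda e: e.time)
        notables.append({
            "risk_object": name,
            "risk_object_type": otype,
            "score": entry["score"],
            "source_count": len(entry["sources"]),
            "tactics": sorted(entry["tactics"]),
            # the contributing events an analyst would expand in incident review
            "timeline": [(e.time, e.source, e.risk_score) for e in timeline],
        })
    return sorted(notables, key=lambda n: n["score"], reverse=True)


if __name__ == "__main__":
    for n in risk_notables(SAMPLE_EVENTS):
        print(f"{n['risk_object_type']} {n['risk_object']}: score={n['score']} "
              f"sources={n['source_count']} tactics={n['tactics']}")
        for t, src, pts in n["timeline"]:
            print(f"  t={t} +{pts} {src}")
```

Run as written, only alice produces a notable: web01 has the highest raw score but all of it comes from one detection, so the distinct-source rule suppresses it; lowering `min_sources` to 1 surfaces web01 as well, which is the trade-off between sensitivity and false positives that the thresholds control.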

Threat Intelligence and SOAR

Splunk Intelligence Management enables security teams to operationalize their internal and external security intelligence sources across their ecosystem by delivering insights directly into Splunk ES and Splunk SOAR.

Splunk SOAR can seamlessly share information with Splunk ES, helping to accelerate incident investigation and response by enriching alerts and performing actions at machine speed.

Behavior Analytics

Splunk User Behavior Analytics (UBA) integrates with Splunk ES to enhance insight, strengthen security and streamline investigations so analysts can focus on high-fidelity alerts. UBA uses machine learning to profile user and entity behaviors, single out real threats, and share those threats with Splunk ES.

Alternatively, the behavioral analytics service is also available for cloud-deployed Splunk ES customers to provide comprehensive security visibility to uncover hidden and unknown threats through streaming analytics.

ES Content Updates and Use Case Library

The Splunk Threat Research Team releases security content in the form of pre-packaged detections and responses to help your team stay on top of the latest threats.

Find this content in the Use Case Library in the form of Analytic Stories, where you can filter by use case or by an industry framework like MITRE ATT&CK.

Access Anomalies dashboard

Another example of security intelligence within Splunk ES is the Access Anomalies dashboard. Access Anomalies visualizes anomalies across your users' behavior, displaying concurrent authentication attempts from different IPs and unlikely travel anomalies.

Dynamic Identifier Reputation Analysis

The Dynamic Identifier Reputation Analysis playbook is an essential tool for any security operations center (SOC) team looking for a comprehensive view of their environment’s threat landscape. By leveraging MITRE D3FEND's approach for dynamic identifier reputation analysis, SOC teams can quickly identify potential threats and vulnerabilities and take proactive steps towards mitigating risk before it causes damage.

Threat Hunting

Learn how Splunk SOAR can help security practitioners perform threat hunting activities at machine speed.

Analyst Queue

In this SIEM in Seconds demo, we’ll explore the new and improved Analyst Queue in Splunk Enterprise Security 8.0. This is where security analysts spend the majority of their time triaging and investigating alerts. With our new right-hand side panel, analysts can consume all details of a finding and instantly kick off investigations and automate response.

Investigations

In this SIEM in Seconds demo, explore how changes to investigative workflows in Splunk Enterprise Security 8.0 allow for faster mean time to respond (MTTR) to incidents.

Threat Topology

Threat Topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity. 

Incident Review dashboard

This is the primary interface where you can see your detections (or Notable Events). Notable Events provide a starting point for an incident you're investigating, and you can easily sort them by severity, so you can prioritize security incidents and remediate them quickly.

Asset Investigator and Security Domains

The Asset Investigator dashboard aggregates events over time into swim lanes for easier threat hunting and incident forensics. Each swim lane marks high and low activity periods by color shade, revealing patterns in host and user actions.

Within Security Domains are ready-to-use dashboards with individual focuses — such as tracking login attempts, breached endpoints or network intrusions — that you can pivot and correlate across to reduce remediation time.

Risk Analysis dashboard

The Risk Analysis dashboard tracks and categorizes assets by risk. Assets with, for example, sudden increased activity are prioritized over those that merely contain confidential information, reducing alert noise.

Investigation Workbench

During an investigation, you can quickly pivot to the Investigation Workbench, which centralizes all threat intelligence, security context and relevant data, including users and devices, for fast and accurate assessments of incidents.

The Investigation Timeline allows for better collaboration and tracking of investigations. Ad-hoc searches are also easy to run from Workbench so you save time and remain focused on your investigation.

Investigation Command Line

When you're on the Splunk SOAR investigation page, there are several ways to run actions. One of the easiest is to use the command line, in the same field where you would write comments on the event. If you start your input with a slash (/), you are prompted to choose the action you would like to run.

Case Management

Splunk SOAR orchestrates workflows and responses across your security and IT stack so that each tool is active in your defense strategy. Case management functionality uses workbooks to codify your processes into reusable templates. Whether you're using custom templates or industry standards for incident response, Splunk SOAR facilitates task segmentation, assignment, and documentation, ensuring a cohesive and collaborative investigative process.

Event Management

Analysts are often overwhelmed with a large volume of security events. Splunk SOAR makes event management easy by consolidating all events from multiple sources into one place. Analysts can sort and filter events to identify high fidelity notable events and prioritize action.

Wayfinder

Wayfinder is a dynamic navigation tool within Splunk SOAR designed to help you move around the Splunk SOAR user interface quickly and easily. By using straightforward keyboard shortcuts, you can jump directly to key incidents, automation playbooks, and other critical information without wading through multiple menus. Wayfinder enhances your experience by making navigation intuitive and efficient.

Main Dashboard

Splunk SOAR’s customizable main dashboard allows users to track key metrics such as mean time to detect and respond, time and dollars saved, and much more. You can adjust the location of dashboard panels to ensure you have the information that matters most to you right at your fingertips.

Contextual Action Launch

Splunk SOAR apps have a parameter for action inputs and outputs called "contains". These are used to enable contextual actions in the Splunk SOAR user interface. A common example is the contains type "ip". This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another.

Create Manual Event

If you haven’t done anything on your Splunk SOAR instance yet you'll see zeros across the top in what we call the ROI summary. So how do you get started creating events in Splunk SOAR? You create one manually.

Splunk Intelligence Management for Splunk SOAR

While Splunk SOAR playbooks automate security actions, they become even more powerful and easy to use with the addition of Splunk ES’s Intelligence Management. This allows users to intake prepared and normalized intelligence from internal and external sources for faster triage and more streamlined playbooks.

Unified TDIR

Splunk Enterprise Security 8.0 revolutionizes the SOC workflow experience, enabling security analysts to seamlessly detect what matters, investigate holistically, and respond rapidly. Elevate security operations with complete and unified TDIR workflows, simplified terminology, modern aggregation and triage capabilities, and enhanced detections. This comprehensive demonstration covers all features and capabilities of Splunk Enterprise Security 8.0.

Response Plans

In this SIEM in Seconds demo, see how Response Plans in Splunk Enterprise Security allow users to easily collaborate and execute incident response workflows for common security use cases. Response Plan templates allow users to see each phase of an incident response plan, assign key stakeholders to specific phases, and apply simple automation playbooks to tasks for rapid remediation.

SIEM and SOAR Unified Workflows

In this SIEM in Seconds demo, see how direct integration with Splunk SOAR playbooks and actions within the case management and investigation features of Splunk Enterprise Security and Mission Control delivers a single unified work surface. Optimize mean time to detect (MTTD) and mean time to respond (MTTR) for an incident. Analysts can detect, investigate and respond to threats from one modern interface.

Adaptive Response Actions

Adaptive Response Actions are actions that can be taken either manually or automatically against any notable event generated.

These actions can help gather context or accelerate response and remediation when investigating notable events, and they are a great foundation for automating certain processes before evolving to a full security orchestration, automation and response solution with Splunk SOAR.

Prompt-Driven Automation

Prompt-driven automation lets you send real-time, secure prompts to teams outside the SOC to streamline response workflows and resolve security incidents faster. Deliver prompts through any ITOps, ChatOps or Ticketing applications. 

Guided Automation

Guided automation unlocks a whole new visual experience overlaying real incident data atop the logical sequencing in a playbook. Analysts can drastically reduce the time to build automation and improve accuracy.

Playbook Building with Natively Integrated SIEM and SOAR

In Splunk SOAR 6.3, SOAR features now come fully integrated with Splunk Enterprise Security 8.0. In this demo, see how to easily create a Splunk SOAR playbook in the context of your SIEM workflows. Playbooks and actions are now directly integrated within the Splunk Enterprise Security analyst queue. You can run playbooks and see the results without leaving the Splunk Enterprise Security interface. A Splunk SOAR and Splunk Enterprise Security license is required.

Playbooks

Automate security tasks to conquer complex workflows faster with Splunk SOAR playbooks.

Visual Playbook Editor + Input Playbooks

Whether you’re new to coding or a Python expert, Splunk SOAR provides you with the means to create and customize playbooks. The Visual Playbook Editor simplifies the playbook creation process by allowing you to assemble custom workflows with prebuilt code blocks and action strings. Splunk SOAR also features input playbooks for basic IT tasks, which can be integrated into larger playbooks and security workflows. With a variety of prebuilt playbooks, you can immediately start automating.

Logic Loops

Logic Loops are a feature in Splunk SOAR that allow users to reduce the operational complexity of building and maintaining playbooks that require repeatable looping functionalities without having to write their own custom code. This iterative function allows users to automatically retry playbook actions if they fail, or continue with the rest of the playbook when the action succeeds. This function can be applied to use cases like sandbox engines for malicious URL quarantine and remediation as well as forensic investigation workflows.

Custom Functions

Splunk SOAR’s custom functions allow you to share custom code across playbooks while introducing complex data objects into the execution path. These aren’t just out-of-the-box playbooks, but out-of-the-box custom blocks that save you time and effort. These capabilities provide the building blocks for scaling your automation, even to those without coding capabilities.

Configure Third Party Tools

To get started in Splunk SOAR, you will need to configure an asset. Assets are the security and infrastructure assets that you integrate with the Splunk SOAR platform, like firewalls and endpoint products. Splunk SOAR connects to these assets through apps. Apps extend the platform by integrating third-party security products and tools.

App Editor

In addition to our out-of-the-box apps, Splunk SOAR also allows you to create custom apps to best fit the use cases that matter most to you. With Splunk SOAR's App Editor, you can easily view and add code, test actions, see log results and troubleshoot. This additional visibility into how well your app works enables you to iterate it to suit your needs and evolve as your SOC evolves.

Apps

Splunk SOAR integrates across 300+ third-party tools and supports 2,800+ automated actions via our catalog of connectors on Splunkbase. This allows you to connect and coordinate complex workflows across your teams and tools, so you don’t need to rip and replace your existing stack. All Splunk SOAR apps are available on Splunkbase.

Executive Summary dashboard

Give CISOs and other senior leaders increased visibility into the overall health of their security program, with the ability to filter security metrics over time.

SOC Operations dashboard

Get more information about the efficiency and performance of your SOC team, like MTTD and number of notables, making it more relevant for SOC managers and team leads.
