Enterprise Security Features
Explore detailed product features and in-depth workflows to see how Enterprise Security drives efficiency, precision, and impact across your security operations.
Unified Workflows
SIEM
AI Assistant
SOAR
UEBA
Cisco Talos and Threat Intelligence Management
Detection Studio
Deploy detections with confidence for faster mean time to detect. Get the complete detection lifecycle experience to enable engineers to seamlessly test, deploy, and monitor detections. Measure and enhance your coverage that maps to the MITRE ATT&CK® Framework — so that your team can keep pace with evolving TTPs and swiftly take action on detection gaps.*
*In Alpha where available
Finding-Based Detections
Learn how finding-based detections can help your security team quickly understand security incidents and respond accordingly. A finding-based detection is based on the specific detail or analytics observed, including timestamps key/value pairs, entity information, impact, risk score, threat object, and more.
Detections
See how you can leverage detections and detection content in Splunk Enterprise Security 8.0. This new version of Splunk Enterprise Security provides an easier to manage full library of detection content. Detection content is cleaner, better organized, and easier to track, so detection engineers can easily identify and update out-of-date content.
Detection Versioning
Learn how detection versioning in Splunk Enterprise Security 8.0 can help you better manage detection hygiene in your SIEM. Automatic detection versioning provides native, automatic version control of ESCU and customer-owned detections. Detection engineers can easily and efficiently save new versions of detections, back up detections, roll back to prior versions of detections with a single click, and maintain custom detections.
MITRE ATT&CK Framework Matrix
The MITRE ATT&CK Framework feature in Splunk Enterprise Security allows security analysts to quickly build situational awareness around an incident in the context of the MITRE ATT&CK Matrix and pivot directly to associated MITRE documentation.
Security Posture dashboard
Built on a scalable platform, Splunk Enterprise Security (ES) delivers data-driven insights so you can gain full-breadth visibility across your organization.
The Security Posture dashboard provides high-level insight into real-time notable events across your security operations center. You can configure the dashboard with the KPIs you need and monitor change over a 24-hour period.
Risk-Based Alerting (RBA)
Risk-Based Alerting (RBA) builds upon the great out-of-the-box detections in Splunk Enterprise Security by greatly reducing false-positive detection rates and increasing productivity in your SOC. RBA attributes risk to users and systems and generates alerts when risk and behavioral thresholds are exceeded.
In incident review, you can easily expand to view the timeline of events that contributed to an RBA-generated Notable (or a Risk Notable).
Threat Intelligence and SOAR
Splunk Intelligence Management enables security teams to operationalize their internal and external security intelligence sources across their ecosystem by delivering insights directly into Splunk ES and Splunk SOAR.
Splunk SOAR can seamlessly share information with Splunk ES, helping to accelerate incident investigation and response by enriching alerts and performing actions at machine speed.
Behavior Analytics
Splunk User Behavior Analytics (UBA) integrates with Splunk ES to enhance insight, strengthen security and streamline investigations so analysts can focus on high-fidelity alerts. UBA uses machine learning to profile user and entity behaviors, filter out real threats, and share those threats with Splunk ES.
Alternatively, the behavioral analytics service is also available for cloud-deployed Splunk ES customers to provide comprehensive security visibility to uncover hidden and unknown threats through streaming analytics.
ES Content Updates and Use Case Library
The Splunk Threat Research Team releases security content in the form of pre-packaged detections and responses to help your team stay on top of the latest threats.
Find this content in the Use Case Library in the form of Analytic Stories, where you can filter by use case or by an industry framework like MITRE ATT&CK.
Access Anomalies dashboard
Another example of security intelligence within Splunk ES is the Access Anomalies dashboard. Access Anomalies visualizes anomalies across your users' behavior, displaying concurrent authentication attempts from different IPs and unlikely travel anomalies.
Dynamic Identifier Reputation Analysis
The Dynamic Identifier Reputation Analysis playbook is an essential tool for any security operations center (SOC) team looking for a comprehensive view of their environment’s threat landscape. By leveraging MITRE DEFEND's approach for dynamic identifier reputation analysis, SOC teams can quickly identify potential threats and vulnerabilities and take proactive steps towards mitigating risk before it causes damage.
Analyst Queue
In this SIEM in Seconds demo, we’ll explore the new and improved Analyst Queue in Splunk Enterprise Security 8.0. This is where security analysts spend the majority of their time triaging and investigating alerts. With our new right-hand side panel, analysts can consume all details of a finding and instantly kick off investigations and automate response.
Investigations
In this SIEM in Seconds demo, explore how changes to investigative workflows in Splunk Enterprise Security 8.0 allow for faster mean time to respond (MTTR) to incidents.
Threat Topology
Threat Topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity.
Incident Review dashboard
This is the primary interface where you can see your detections (or Notable Events). Notable Events provide a starting point for an incident you're investigating and you can easily sort them by severity, so you can prioritize security incidents and remediate them quickly.
Asset Investigator and Security Domains
The Asset Investigator dashboard aggregates events over time into swim lanes for easier threat hunting and incident forensic. Each swim lane defines high and low activity periods by color shade, revealing patterns in host and user actions.
Within Security Domains are ready-to-use dashboards with individual focuses — such as tracking login attempts, breach endpoints or network intrusions — that you can pivot and correlate across to reduce remediation time.
Risk Analysis dashboard
The Risk Analysis dashboard tracks and categorizes assets by risk. Assets with, for example, sudden increased activity are prioritized over those that merely contain confidential information, reducing alert noise.
Investigation Workbench
During an investigation, you can quickly pivot to the Investigation Workbench, which centralizes all threat intelligence, security context and relevant data, including users and devices, for fast and accurate assessments of incidents.
The Investigation Timeline allows for better collaboration and tracking of investigations. Ad-hoc searches are also easy to run from Workbench so you save time and remain focused on your investigation.
Investigation Command Line
When you're on the Splunk SOAR investigation page, there are several ways to run actions. One of the easiest ones is to use the command line, down where you would write comments in the event. If you start off with a slash (/) you get prompting for the action you would like to choose.
Case Management
Splunk SOAR orchestrates workflows and responses across your security and IT stack so that each tool is active in your defense strategy. Case management functionality uses workbooks to codify your processes into reusable templates. Whether you're using custom templates or industry standards for incident response, Splunk SOAR facilitates task segmentation, assignment, and documentation, ensuring a cohesive and collaborative investigative process.
Event Management
Analysts are often overwhelmed with a large volume of security events. Splunk SOAR makes event management easy by consolidating all events from multiple sources into one place. Analysts can sort and filter events to identify high fidelity notable events and prioritize action.
Wayfinder
Wayfinder is a dynamic navigation tool within Splunk SOAR designed to help you move around the Splunk SOAR user interface quickly and easily. By using straightforward keyboard shortcuts, you can jump directly to key incidents, automation playbooks, and other critical information without wading through multiple menus. Wayfinder enhances your experience by making navigation intuitive and efficient.
Main Dashboard
Splunk SOAR’s customizable main dashboard allows users to track key metrics such as mean time to detect and respond, time and dollars saved, and much more. You can adjust the location of dashboard panels to ensure you have the information that matters most to you right at your fingertips.
Contextual Action Launch
Splunk SOAR apps have a parameter for action inputs and outputs called "contains". These are used to enable contextual actions in the Splunk SOAR user interface. A common example is the contains type "ip". This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another.
Create Manual Event
If you haven’t done anything on your Splunk SOAR instance yet you'll see zeros across the top in what we call the ROI summary. So how do you get started creating events in Splunk SOAR? You create one manually.
Splunk Intelligence Management for Splunk SOAR
While Splunk SOAR playbooks automate security actions, they become even more powerful and easy to use with the addition of Splunk ES’s Intelligence Management. This allows users to intake prepared and normalized intelligence from internal and external sources for faster triage and more streamlined playbooks.
Unified TDIR
Splunk Enterprise Security 8.0 revolutionizes the SOC workflow experience, enabling security analysts to seamlessly detect what matters, investigate holistically, and respond rapidly. Elevate security operations with complete and unified TDIR workflows, simplified terminology, modern aggregation and triage capabilities, and enhanced detections. This comprehensive demonstration covers all features and capabilities of Splunk Enterprise Security 8.0.
Response Plans
In this SIEM in Seconds demo, see how Response Plans in Splunk Enterprise Security allow users to easily collaborate and execute incident response workflows for common security use cases. Response Plan templates allow users to see each phase of an incident response plan, assign key stakeholders to specific phases, and apply simple automation playbooks to tasks for rapid remediation.
SIEM and SOAR Unified Workflows
In this SIEM in Seconds demo, see how direct integration with Splunk SOAR playbooks and actions within the case management and investigation features of Splunk Enterprise Security and Mission Control delivers a single unified work surface. Optimize mean time to detect (MTTD) and mean time to respond (MTTR) for an incident. Analysts can detect, investigate and respond to threats from one modern interface.
Adaptive Response Actions
Adaptive Response Actions are actions that can be taken either manually or automatically against any notable event generated.
These actions can help gather context or help accelerate response and remediation when investigating notable events and are a great foundation for automating certain processes before evolving to full security orchestration, automation and response solution with Splunk SOAR.
Prompt-Driven Automation
Prompt-driven automation lets you send real-time, secure prompts to teams outside the SOC to streamline response workflows and resolve security incidents faster. Deliver prompts through any ITOps, ChatOps or Ticketing applications.
Guided Automation
Guided automation unlocks a whole new visual experience overlaying real incident data atop the logical sequencing in a playbook. Analysts can drastically reduce the time to build automation and improve accuracy.
Playbook Building with Natively Integrated SIEM and SOAR
In Splunk SOAR 6.3, SOAR features now come fully integrated with Splunk Enterprise Security 8.0. In this demo, see how to easily create a Splunk SOAR playbook in the context of your SIEM workflows. Playbooks and actions are now directly integrated within the Splunk Enterprise Security analyst queue. You can run playbooks and see the results without leaving the Splunk Enterprise Security interface. A Splunk SOAR and Splunk Enterprise Security license is required.
Visual Playbook Editor + Input Playbooks
Whether you’re new to coding or a Python expert, Splunk SOAR provides you with the means to create and customize playbooks. The Visual Playbook Editor simplifies the playbook creation process by allowing you to assemble custom workflows with prebuilt code blocks and action strings. Splunk SOAR also features input playbooks for basic IT tasks, which can be integrated into larger playbooks and security workflows. With a variety of prebuilt playbooks, you can immediately start automating.
Logic Loops
Logic Loops are a feature in Splunk SOAR that allow users to reduce the operational complexity of building and maintaining playbooks that require repeatable looping functionalities without having to write their own custom code. This iterative function allows users to automatically retry playbook actions if they fail, or continue with the rest of the playbook when the action succeeds. This function can be applied to use cases like sandbox engines for malicious URL quarantine and remediation as well as forensic investigation workflows.
Custom Functions
Splunk SOAR’s custom functions allow you to share custom code across playbooks while introducing complex data objects into the execution path. These aren’t just out-of-the-box playbooks, but out-of-the-box custom blocks that save you time and effort. These capabilities provide the building blocks for scaling your automation, even to those without coding capabilities.
Configure Third Party Tools
To get started in Splunk SOAR, you will need to configure an asset. Assets are the security and infrastructure assets that you integrate with the Splunk SOAR platform, like firewalls and endpoint products. Splunk SOAR connects to these assets through apps. Apps extend the platform by integrating third-party security products and tools.
App Editor
In addition to our out-of-the-box apps, Splunk SOAR also allows you to create custom apps to best fit the use cases that matter most to you. With Splunk SOAR's App Editor, you can easily view and add code, test actions, see log results and troubleshoot. This additional visibility into how well your app works enables you to iterate it to suit your needs and evolve as your SOC evolves.
Apps
Splunk SOAR integrates across 300+ third-party tools and supports 2,800+ automated actions via our catalog of connectors on Splunkbase. This allows you to connect and coordinate complex workflows across your teams and tools, so you don’t need to rip and replace your existing stack. All Splunk SOAR apps are available on Splunkbase.
