Splunk Enterprise Security: Event Sequencing

Focus on high fidelity threats to your environment with Event Sequencing in Splunk Enterprise Security and accelerate time to investigate and respond to incidents.


Video Transcript

Security can often feel like a race to stay ahead of and respond to threats. Legacy Security Information and Event Management, or SIEM, solutions can provide alerts. However, they offer little prioritization and little indication of how one alert relates to others, making it difficult for analysts to identify where to begin or where to act on potential threats coming into their environment.

Security teams need the ability to focus on high fidelity, actionable threats in order to accelerate the time to investigate and respond to incidents. Splunk Enterprise Security features event sequencing, where teams can improve the fidelity of detected threats by optimizing threat detection to help accelerate incident investigation. Teams improve the fidelity of detected threats by sequencing correlation searches with risk modifiers in a specific order, by specific attributes, or both.

The event sequencing engine runs as a real-time search and listens for incoming notable events and risk modifiers that are triggered by correlation searches. Sequence events are constructed by using sequence templates. Event sequencing is set up through the Content Management interface by creating a new sequence template. Event sequencing is based on correlation searches in Splunk Enterprise Security.

So when building a sequence template, you can utilize out-of-the-box correlation searches, as well as the searches within analytic stories in the use case library or the Enterprise Security Content Update. Creating a sequence template involves defining a workflow to run correlation searches in order based on your use case, specifying which notables would need to occur in order to advance to the next step, and which fields to extract.

Once created, sequence templates are available for execution within five minutes. Analysts can review sequence events within the Incident Review interface, where they now see the notable events in the sequence that matter to them. In this example, at the start of this sequence event, we see there is an email attachment with a lot of spaces in its name. That could be suspicious, or it could be benign.

If an analyst were to review all the notable events associated with this correlation search on its own, they may well have determined the event to be benign. However, we then see the execution of a rare process on the same system, as well as web traffic to a dynamic DNS host. Without event sequencing, these disparate notable events may not have indicated to an analyst that anything malicious had happened; put together as an event sequence, they indicate that the organization may be the target of a phishing campaign and that the analyst needs to investigate and respond quickly.
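To make the mechanism concrete, the following is an added toy implementation of the sequencing idea the transcript describes (ordered correlation-search notables stitched together by a shared attribute, with risk scores carried along). It is example code written for this page, not Splunk's engine or its sequence template format; the template, the field names (`search_name`, `dest`, `risk_score`, and so on) and the sample notables are all constructed for the illustration. It generalizes the three-step phishing chain in the text to any ordered list of correlation search names joined on any attribute.

```python
"""Toy event sequencer (added example; not Splunk code).

A SequenceTemplate lists correlation-search names in the required order, the
attribute every step must share (e.g. the destination host), and the fields to
extract from each matched notable. EventSequencer tracks one partial sequence
per join-key value and emits a sequence event once every step has fired.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SequenceTemplate:
    name: str
    steps: List[str]            # correlation-search names, in required order
    join_field: str             # attribute all steps must share, e.g. "dest"
    extract_fields: List[str]   # fields copied from each matched notable


@dataclass
class SequenceState:
    step: int = 0                                   # index of the next expected step
    extracted: List[Dict[str, str]] = field(default_factory=list)
    risk_score: int = 0                             # sum of risk modifiers so far


class EventSequencer:
    def __init__(self, template: SequenceTemplate) -> None:
        self.template = template
        self.states: Dict[str, SequenceState] = {}  # keyed by join-field value
        self.sequence_events: List[dict] = []

    def feed(self, notable: dict) -> Optional[dict]:
        """Consume one notable; return a sequence event if it completes the chain."""
        key = notable.get(self.template.join_field)
        if key is None:
            return None                              # cannot be joined to anything
        state = self.states.setdefault(key, SequenceState())
        if notable.get("search_name") != self.template.steps[state.step]:
            return None                              # not the next expected step; ignore
        state.extracted.append(
            {f: notable[f] for f in self.template.extract_fields if f in notable}
        )
        state.risk_score += int(notable.get("risk_score", 0))
        state.step += 1
        if state.step < len(self.template.steps):
            return None                              # chain not yet complete
        event = {
            "sequence": self.template.name,
            self.template.join_field: key,
            "risk_score": state.risk_score,
            "steps": state.extracted,
        }
        self.sequence_events.append(event)
        del self.states[key]                         # start fresh for this host
        return event


# Hypothetical template mirroring the chain described in the transcript.
PHISHING_TEMPLATE = SequenceTemplate(
    name="Suspected Phishing Chain",
    steps=[
        "Email Attachment With Many Spaces",
        "Rare Process Execution",
        "Web Traffic To Dynamic DNS Host",
    ],
    join_field="dest",
    extract_fields=["search_name", "src_user", "process", "url"],
)

# Constructed sample notables; host-b only has an isolated rare process and
# must not produce a sequence event.
SAMPLE_NOTABLES = [
    {"search_name": "Email Attachment With Many Spaces", "dest": "host-a",
     "src_user": "alice@example.invalid", "risk_score": 20},
    {"search_name": "Rare Process Execution", "dest": "host-b",
     "process": "setup.exe", "risk_score": 30},
    {"search_name": "Rare Process Execution", "dest": "host-a",
     "process": "wscript.exe", "risk_score": 30},
    {"search_name": "Web Traffic To Dynamic DNS Host", "dest": "host-a",
     "url": "http://updates.example-ddns.invalid/", "risk_score": 40},
]


def run_sample() -> List[dict]:
    """Feed the sample notables through the sequencer and return emitted events."""
    sequencer = EventSequencer(PHISHING_TEMPLATE)
    return [e for n in SAMPLE_NOTABLES if (e := sequencer.feed(n)) is not None]


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

Only host-a completes the chain, so a single sequence event fires with the three extracted steps and an aggregate risk score of 90; the isolated rare process on host-b stays a lone notable. A real deployment would also need a time window and a reset policy for stale partial sequences, which this toy omits.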

Event sequencing within Splunk Enterprise Security helps security teams stay actionable and agile through the ability to stitch together events to determine high fidelity threats. Teams can scale and focus, optimizing the time it takes to investigate and respond to threats.