Splunk Enterprise (SIEM): Splunk App for Enterprise Security 3.0 (Demo)

Watch this demonstration of the Splunk App for Enterprise Security 3.0 and learn about the big data, next-generation Security Information and Event Manager (SIEM).


Video Transcript

Hello. I'm Joe Goldberg with the product marketing team at Splunk. Welcome to this demo of the Splunk App for Enterprise Security 3.0, which I'll call the app. The app contains security-related, pre-built reports, dashboards, searches, an incident review framework, and many free threat intelligence feeds to provide what's essentially a next-generation big data SIEM plus much more. Let's get started.

Here, you'll see we're on the Security Posture page, which provides a summarized view of the overall security posture of the organization. Notice, this page talks about notable events. Notable events are generated when one of the many correlation searches that ships with the app is violated because the search detected some sort of security incident.

You can easily modify the pre-built correlation searches or create your own. But regardless, when a notable event is generated, it's put into a logical domain, such as Access, Endpoint, Network, or Identity. What we're seeing here at the top is notable events over the last 24 hours and how they've changed. Down below, notable events by urgency, notable events over time, by domain. And then down below, top notable events by count and also by internal IP addresses.

It's worth pointing out that every panel here, and basically every panel in the app, can be clicked on. So you can drill down from a high-level visualization down to the underlying, raw, unmodified data. Also, all these panels can easily be modified. They can be dragged and dropped around the page. Or you can change the type of visualization within a panel very easily.

So this is the Security Posture page. Here, under Security Domains, there's a lot of dashboards and reports covering the different domain areas. And these report back on raw security events, not necessarily Splunk notable events. The Network domain-- here is a lot of information related to firewalls, IDS systems, vulnerability scans, et cetera. The Endpoint domain here is more around malware, OS events, patch levels.

Clicking on the Malware Center page, you'll see here that at the top of the page, there's drop-downs here so that even non-technical users can easily filter the data. Pretty much all the dashboards in the app have these drop-downs. Further down below, we have information related to malware, such as malware activity by action, by signature over time, top infections, and new malware. You might want to look at these first to remediate it before they spread any further.

Also, down here on the Security domain, we have asset and identity centers. The Asset Center takes in information from an asset directory, like a CMDB. The Identity Center takes in information from some sort of a directory, like Active Directory.

And you'll see, when I click on the Identity Center, detail here on all the internal employees by [? priority ?] [? BU ?] category. And further down, for each specific internal employee, we get information on them, such as the different usernames they use, the priority, the business unit they're in, if they're privileged, their start and end dates.

So basically, Splunk can be made aware of employee information, also asset information. And then you can use that to enrich your raw events with additional context. Also, you can write specific correlation rules to protect your most high-priority people and assets.

Now, moving ahead, Splunk also has dashboards here to help you find advanced threats that hide behind legitimate credentials and evade detection from point security products. One such report here is the Threat List Activity dashboard. This basically uses the many free threat intelligence feeds that come with the app.

Splunk takes all the destination IPs within it, applies it against all the blacklisted IPs from these threat lists, and tells you if people inside your organization are connecting out to known bad external IPs. And this, of course, sort of helps you find that needle in the haystack among all the different IPs that your employees are visiting.

And we get information on the threat list activity over time. We see people are visiting Tor servers, also sites with known web attackers. And we see the most active threat lists and IPs down below.

Additionally, another interesting report is the HTTP user agent analysis report. And what this does is it takes in user agent strings from, say, your web proxy. And it literally counts up the length of those user agent strings. And then it applies some statistics to figure out what's sort of abnormally long or rarely seen, because that's of interest to you.

This panel here shows you the plot of user agents by count and length. And you probably want to take a look at the ones here on the right, because they're rarely seen, and they have a long length. And the length is important, because oftentimes, custom malware has a long user agent string, because what's in that string is an embedded command and control instruction.

So moving ahead, I'll show you how you can do a hypothetical incident investigation in Splunk. I'm now going back to the Security Posture dashboard I showed you earlier. And let's just say, for demo purposes, I want to investigate this internal IP, because it's generated a significant number of notable events.

So when I click on it, I basically go up here to the Incident Review page with a lot of drop-downs here at the top. In this case, we're just looking at this IP. And scrolling down, we see a time chart of the notable events. And then we see them all listed down here. We see the time, domain, title, urgency, status, owner for each of the notable events from this IP.

There's also the ability to apply some workflow to these notable events. I can click on them, click Edit Selected Events. I can change the status, the urgency, the owner, add some comments here. And this is important, because by doing things like changing these attributes, I can route incidents to the appropriate next incident responder. And also, these comments here can maintain a log of observations as an incident works through the incident review process.

Also, if I want to drill into something of interest-- like, let's say, this third notable event-- I can just click View Details. And up comes richer information. I clicked on this one, because it's especially interesting to me, because it shows activity from a user whose access has basically been disabled, because they've left the company.

Well, what happened here? If you scroll to the right, you get more information, including the original event. I can expand all the lines. And what we're looking at here is the raw, unmodified event, because Splunk, again, we don't normalize or reduce your data. It's all here for security use cases.

And what we see here is, Windows basically just saw an unknown user name that failed to authenticate from [? Haxor. ?] What Splunk actually did is we took [? Haxor. ?] We did a lookup against the identity center I mentioned earlier. And we saw that [? Haxor ?] had left the company years earlier. So it was a red flag that his user account's being used. And we escalate it from a seemingly harmless Windows event into a Splunk notable event.

If you want to do more of an investigation, because this is of special interest to you, over on the left, we have additional fields. A lot come from the asset and identity centers. And if I just click on a field I want to pivot on, like the IP address, I just click on the black arrow here. And we get additional one-click actions that we can take based off of that source.

So I could ping SANS DShield and say, have you seen anything related to this IP? Or I could simply just ping my IDS sensors and ask, basically, where has this IP address been the source of events? What I'm going to do is actually pivot over here to the Asset Investigator, click on it. And what's going to happen now is we're going to go to the Asset Investigator, which is up here in the UI, alongside a similar Identity Investigator you could use to investigate users or employees.

In this case, we're just taking a look at the IP address. And down below here, we've got some swim lanes that cover both notable events and also raw events from things like authentication systems, antivirus systems, IDS sensors, et cetera. And looking off to the right, we can see all the events related back to these different domains.

We could easily change up the swim lanes, create net new ones if we wanted to. But in any event, we see some activity over here on the right. If I wanted to home in on it, down below at the bottom, I could just use this time picker to narrow in on the time range in question, this spike right here. And then it's going to be reflected immediately above it.

Now what I'm seeing here are all the different events related to this IP address within this time range. And what I can do is, if I see bars here of interest, I can literally click on them. I can even pick multiple bars. And notice, on the right, we're sort of building out an event list. We're building out the story around all the events that have occurred in this time period. So we've got 51 total events that I've selected.

Over here on the right, a lot more information that I can expand. But basically, the point is, over here, with all this information on the right, we're building out a picture of what's happened around this IP address so we can better figure out the who, what, where, and when behind it.

What's really happening here? If it's a truly-- machine's compromised, or else, maybe, has the threat spread too? Has any data been exfiltrated? Et cetera. If we've put together a good story here, we can easily turn it to a raw Splunk search to look at the raw events. We can share this group of events with colleagues. Or we could turn it into a single notable event, which we can then process in the Incident Review framework that I showed you earlier.

So at this point, I'll wrap up the demo. Hopefully you've seen how you can use the Splunk App for Enterprise Security to continuously monitor your organization for both known and unknown security threats and also use the advanced incident workflow and investigation capabilities to drive better and much faster investigations and remediation. Thanks for your time.
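
The HTTP user agent analysis described in the demo (count each user agent, measure its length, flag the ones that are both rare and abnormally long) can be sketched as follows. This is an added example, not part of the transcript and not Splunk's code; the z-score test, the thresholds `z_min` and `rare_max`, and all sample records are assumptions constructed for illustration.

```python
import statistics
from collections import Counter

# Constructed long token standing in for an encoded instruction in a UA string.
ODD_UA = "Mozilla/4.0 (compatible; MSIE 8.0) " + "QUFBQUFBQUFB" * 25

def build_sample():
    """Constructed web-proxy records as (client_ip, user_agent); not real traffic."""
    common = [
        ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0", 400),
        ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", 300),
        ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.36 "
         "Chrome/31.0 Safari/537.36", 200),
        ("curl/7.30.0", 60),
        ("Java/1.7.0_45", 38),
        ("Wget/1.14", 1),   # rare but short: should not be flagged
    ]
    records = []
    for ua, n in common:
        records += [("10.0.0.%d" % (i % 50 + 1), ua) for i in range(n)]
    records.append(("10.0.0.77", ODD_UA))  # rare and long: should be flagged
    return records

def unusual_user_agents(records, z_min=3.0, rare_max=2):
    """Return user agents whose length is >= z_min standard deviations above
    the per-request mean AND that were seen at most rare_max times."""
    counts = Counter(ua for _ip, ua in records)
    lengths = [len(ua) for _ip, ua in records]
    mean = statistics.fmean(lengths)
    stdev = statistics.pstdev(lengths)
    if stdev == 0:          # every request used a same-length UA: nothing stands out
        return []
    flagged = []
    for ua, count in counts.items():
        z = (len(ua) - mean) / stdev
        if z >= z_min and count <= rare_max:
            clients = sorted({ip for ip, u in records if u == ua})
            flagged.append({"user_agent": ua, "length": len(ua), "count": count,
                            "z": round(z, 1), "clients": clients})
    return sorted(flagged, key=lambda r: r["z"], reverse=True)

if __name__ == "__main__":
    for hit in unusual_user_agents(build_sample()):
        print(hit["clients"], hit["count"], hit["length"], hit["z"])
```

Length alone is a weak signal: a rare, long user agent is a lead for triage against the client hosts that sent it, not a verdict.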