Splunk Enterprise Security provides the security practitioner with visibility into security-relevant threats found in today's enterprise infrastructure. Splunk Enterprise Security is built on the Splunk operational intelligence platform and uses the search and correlation capabilities, allowing users to capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve the security threats across the access, endpoint, and network protection domains.
About the ES solution architecture
Before starting the installation, verify that the data from every source is CIM-compliant (normalized to the Common Information Model). Several resources help with this check, including:
- The "SA-cim_vladiator" app
- Add-ons documentation
- Lantern (Data Descriptors)
- Splunk Connect for Syslog (Sources)
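As an added example (not from the original notes or from Splunk's own documentation), the search below is one way to run that CIM-compliance check from the search head before ES is installed. It assumes the standard CIM `Authentication` data model with its root dataset `Authentication` is present, samples up to 10,000 events, and counts per sourcetype how often the core fields `action`, `user`, `src` and `dest` are missing; a sourcetype with large "missing" counts is one whose add-on is not normalizing correctly.

```spl
| datamodel Authentication Authentication search
| head 10000
| rename Authentication.* as *
| fillnull value="MISSING" action user src dest
| stats count as events
        count(eval(action="MISSING")) as missing_action
        count(eval(user="MISSING"))   as missing_user
        count(eval(src="MISSING"))    as missing_src
        count(eval(dest="MISSING"))   as missing_dest
        by sourcetype
| eval pct_fields_present=round(100*(4*events-missing_action-missing_user-missing_src-missing_dest)/(4*events),1)
| sort pct_fields_present
```

The same pattern applies to every model in the CIM Setup list further down this page: swap the model and root dataset (for example `Network_Traffic All_Traffic`) and the field list for that model's required fields. Run it over the time range your sources actually cover, since a sourcetype that returns no rows here is not reaching the data model at all, which is a separate problem from partial field coverage.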
Required Apps/Add-ons
- Splunk Security Essentials
- Splunk Enterprise Security
- Splunk ES Content Update
- SA-Investigator for Enterprise Security
- MITRE ATTACK App for Splunk
- ES Choreographer & Documentation & SEC1441A
Optional
Configure → General → General Settings:
- Distributed Configuration Management (Download Splunk "helper" applications for distributed deployments)
- Domain Analysis
- Large Email Threshold
- Microsoft 365
- Top 1M Site Source
Configure → CIM Setup:
- Alerts
- Application State
- Authentication
- Certificates
- Change Analysis
- Change
- Compute Inventory
- Data Access
- Databases
- DLP
- Endpoint
- Event Signatures
- Interprocess Messaging
- Intrusion Detection
- JVM
- Malware
- Network Resolution
- Network Sessions
- Network Traffic
- Performance
- Ticket Management
- Updates
- Vulnerabilities
- Web
Configure → Data Enrichment → Asset and Identity Management:
- Asset Lookups → New → LDAP Lookup
- Identity Lookups → New → LDAP Lookup
- Correlation Setup → Enable for all sourcetypes
Configure → Data Enrichment → Threat Intelligence Management:
- Sources → Enable | New. Note: the search head needs outbound access to each source's URLs (open them on the firewall) so it can reach all sources and download IoCs to keep them up to date.
- Global Settings → Parse domain from URL
Configure → Content:
- Content Management (Type: Correlation Search) → Enable | Create New Content
- Use Case Library
- DA-ESS-AccessProtection
- DA-ESS-EndpointProtection
- DA-ESS-IdentityManagement
- DA-ESS-NetworkProtection
- DA-ESS-ThreatIntelligence
- SA-AccessProtection
- SA-AuditAndDataProtection
- SA-EndpointProtection
- SA-IdentityManagement
- SA-NetworkProtection
- SA-ThreatIntelligence
Docs
- Administer Splunk Enterprise Security
- Manage internal lookups in Splunk Enterprise Security
- Manage assets and identities in Splunk Enterprise Security
- Manage UI issues impacting threat intelligence after upgrading Splunk Enterprise Security
- Add intelligence to Splunk Enterprise Security
Lantern
- Getting Started With Splunk Enterprise Security
- Using threat intelligence in Splunk Enterprise Security
- Configuring and optimizing Enterprise Security
- Using Enterprise Security for security investigation and monitoring
- Foundational Visibility
- Cyber frameworks
- Proactive Response
- Optimized Experiences