
Product Feature Details

Splunk Enterprise Security Features

Protect your business and modernize your security operations with a best-in-class data platform, advanced analytics, and automated investigation and response.

New Features in Splunk Enterprise Security 8.0

Splunk Enterprise Security 8.0 Comprehensive Demo

Splunk Enterprise Security 8.0 revolutionizes the SOC workflow experience, enabling security analysts to seamlessly detect what matters, investigate holistically, and respond rapidly. Elevate security operations with complete and unified TDIR workflows, simplified terminology, modern aggregation and triage capabilities, and enhanced detections. This comprehensive demonstration covers all features and capabilities of Splunk Enterprise Security 8.0.

Analyst Queue

In this SIEM in Seconds demo, we’ll explore the new and improved Analyst Queue in Splunk Enterprise Security 8.0. This is where security analysts spend the majority of their time triaging and investigating alerts. With our new right-hand side panel, analysts can consume all details of a finding and instantly kick off investigations and automate response.

Detection Versioning

In this SIEM in Seconds demo, see how detection versioning in Splunk Enterprise Security 8.0 can help you better manage detection hygiene in your SIEM. Automatic detection versioning provides native, automatic version control of ESCU and customer-owned detections. Detection engineers can easily and efficiently save new versions of detections, back up detections, roll back to prior versions of detections with a single click, and maintain custom detections.

Detections

In this SIEM in Seconds demo, learn how to leverage detections and detection content in Splunk Enterprise Security 8.0. This new version of Splunk Enterprise Security provides an easier to manage full library of detection content. Detection content is cleaner, better organized and easier to track, so detection engineers can easily identify and update out-of-date content.

Finding-Based Detections

In this SIEM in Seconds demo, learn how finding-based detections can help your security team quickly understand security incidents and respond accordingly. A finding-based detection is based on the specific details or analytics observed, including timestamps, key/value pairs, entity information, impact, risk score, threat object, and more.

Investigations

In this SIEM in Seconds demo, explore how changes to investigative workflows in Splunk Enterprise Security 8.0 allow for faster mean time to respond (MTTR) to incidents.

Response Plans

In this SIEM in Seconds demo, see how Response Plans in Splunk Enterprise Security allow users to easily collaborate and execute incident response workflows for common security use cases. Response Plan templates allow users to see each phase of an incident response plan, assign key stakeholders to specific phases, and apply simple automation playbooks to tasks for rapid remediation.

SIEM and SOAR Unified Workflows

In this SIEM in Seconds demo, see how direct integration with Splunk SOAR playbooks and actions within the case management and investigation features of Splunk Enterprise Security and Mission Control delivers a single unified work surface. Optimize mean time to detect (MTTD) and mean time to respond (MTTR) for an incident. Analysts can detect, investigate and respond to threats from one modern interface.

Features

Threat Topology

Threat Topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity. 

MITRE ATT&CK Framework Matrix

The MITRE ATT&CK Framework feature in Splunk Enterprise Security allows security analysts to quickly build situational awareness around an incident in the context of the MITRE ATT&CK Matrix and pivot directly to associated MITRE documentation.

Security Posture dashboard

Built on a scalable platform, Splunk Enterprise Security (ES) delivers data-driven insights so you can gain full-breadth visibility across your organization.

The Security Posture dashboard provides high level insight into real-time notable events across your security operations center. You can configure the dashboard with the KPIs you need and monitor change over a 24-hour period.

Executive Summary dashboard

Give CISOs and other senior leaders increased visibility into the overall health of their security program, with the ability to filter security metrics over time.

SOC Operations dashboard

Get more information about the efficiency and performance of your SOC team, like MTTD and number of notables, making it more relevant for SOC managers and team leads.

Incident Review dashboard

This is the primary interface where you can see your detections (or Notable Events). Notable Events provide a starting point for an incident you're investigating and you can easily sort them by severity, so you can prioritize security incidents and remediate them quickly.

Risk-Based Alerting (RBA)

Risk-based alerting, or “RBA,” builds upon the great out-of-the-box detections in Splunk ES by greatly reducing false-positive detection rates and increasing productivity in your SOC. RBA attributes risk to users and systems and generates alerts when risk and behavioral thresholds are exceeded.

In Incident Review, you can easily expand to view the timeline of events that contributed to an RBA-generated Notable (or Risk Notable).
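To make the RBA idea concrete, here is an added example (not Splunk's code) that aggregates per-entity risk the way the text describes: detections do not alert on their own but write scored risk events against a user or system, and a risk notable is raised only when the summed score inside a time window crosses a threshold and comes from enough distinct detections. The field names are modelled loosely on the ES risk index; the thresholds, the sliding-window logic and the sample events are constructed assumptions for illustration.

```python
"""Added example (not Splunk's code): a toy risk-based alerting aggregator.

Individual detections do not alert directly; each one writes a risk event
with a score against a risk object (a user or a system). A risk notable is
raised only when the summed score inside a time window crosses a threshold
and the contributing events come from enough distinct detections. Field
names are modelled loosely on the ES risk index; the thresholds and the
sample events below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str        # user name or host name the risk is attributed to
    risk_object_type: str   # "user" or "system"
    risk_score: int         # score assigned by the detection that fired
    source: str             # name of the detection that emitted the event


_T0 = datetime(2024, 5, 1, 0, 0)  # constructed reference time

# Constructed sample risk events (not real telemetry).
SAMPLE_EVENTS = [
    # alice: three different detections within six hours, plus one stale event
    RiskEvent(_T0 - timedelta(days=3), "alice", "user", 50, "Stale Detection"),
    RiskEvent(_T0 + timedelta(hours=1), "alice", "user", 40, "Suspicious PowerShell"),
    RiskEvent(_T0 + timedelta(hours=3), "alice", "user", 30, "Unusual Login Hour"),
    RiskEvent(_T0 + timedelta(hours=6), "alice", "user", 40, "Rare Process Execution"),
    # bob: a single high-scoring event from one detection only
    RiskEvent(_T0 + timedelta(hours=2), "bob", "user", 90, "Brute Force"),
    # web01: plenty of score, but from only two distinct detections
    RiskEvent(_T0, "web01", "system", 25, "Port Scan"),
    RiskEvent(_T0 + timedelta(hours=2), "web01", "system", 25, "Port Scan"),
    RiskEvent(_T0 + timedelta(hours=4), "web01", "system", 25, "Beaconing"),
    RiskEvent(_T0 + timedelta(hours=6), "web01", "system", 25, "Port Scan"),
    RiskEvent(_T0 + timedelta(hours=8), "web01", "system", 25, "Beaconing"),
]


def risk_notables(events, window=timedelta(hours=24),
                  score_threshold=100, min_sources=3):
    """Return one risk notable per risk object whose risk exceeded the
    thresholds in some sliding window, highest total score first.

    For each object the events are sorted by time and scanned with two
    pointers so that every window considered spans at most `window`.
    """
    by_object = defaultdict(list)
    for ev in events:
        by_object[(ev.risk_object, ev.risk_object_type)].append(ev)

    notables = []
    for (obj, obj_type), evs in by_object.items():
        evs.sort(key=lambda e: e.time)
        best = None
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window ending at evs[end].
            while evs[end].time - evs[start].time > window:
                start += 1
            in_window = evs[start:end + 1]
            total = sum(e.risk_score for e in in_window)
            sources = {e.source for e in in_window}
            if total >= score_threshold and len(sources) >= min_sources:
                if best is None or total > best["risk_score"]:
                    best = {
                        "risk_object": obj,
                        "risk_object_type": obj_type,
                        "risk_score": total,
                        "sources": sorted(sources),
                        "first_seen": in_window[0].time,
                        "last_seen": in_window[-1].time,
                    }
        if best is not None:
            notables.append(best)
    return sorted(notables, key=lambda n: -n["risk_score"])


if __name__ == "__main__":
    for n in risk_notables(SAMPLE_EVENTS):
        print(f"RISK NOTABLE {n['risk_object_type']}={n['risk_object']} "
              f"score={n['risk_score']} sources={n['sources']}")
```

With the constructed data only `alice` produces a notable: her stale event is outside the 24-hour window, `bob` has a single detection, and `web01` accumulates 125 points but from only two detections. Lowering `min_sources` to 2 promotes `web01`, which is the knob that trades alert volume against the false-positive reduction the text describes.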

Adaptive Response Actions

Adaptive Response Actions are actions that can be taken either manually or automatically against any notable event generated.

These actions can help gather context or accelerate response and remediation when investigating notable events, and they are a solid foundation for automating certain processes before evolving to a full security orchestration, automation and response solution with Splunk SOAR.

Threat Intelligence and SOAR

Splunk Intelligence Management enables security teams to operationalize their internal and external security intelligence sources across their ecosystem by delivering insights directly into Splunk ES and Splunk SOAR.

Splunk SOAR can seamlessly share information with Splunk ES, helping to accelerate incident investigation and response by enriching alerts and performing actions at machine speed.

Behavior Analytics

Splunk User Behavior Analytics (UBA) integrates with ES to enhance insight, strengthen security and streamline investigations so analysts can focus on high-fidelity alerts. UBA uses machine learning to profile user and entity behaviors, separate real threats from noise, and share those threats with Splunk ES.

Alternatively, the behavioral analytics service is also available for cloud-deployed Splunk ES customers to provide comprehensive security visibility to uncover hidden and unknown threats through streaming analytics.

ES Content Updates and Use Case Library

The Splunk Threat Research Team releases security content in the form of pre-packaged detections and responses to help your team stay on top of the latest threats.

Find this content in the Use Case Library in the form of Analytic Stories, where you can filter by use case or by an industry framework like MITRE ATT&CK.

Asset Investigator and Security Domains

The Asset Investigator dashboard aggregates events over time into swim lanes for easier threat hunting and incident forensics. Each swim lane shades high- and low-activity periods by color, revealing patterns in host and user actions.

Within Security Domains are ready-to-use dashboards with individual focuses — such as tracking login attempts, breached endpoints or network intrusions — that you can pivot and correlate across to reduce remediation time.

Risk Analysis dashboard

The Risk Analysis dashboard tracks and categorizes assets by risk. Assets with, for example, sudden increased activity are prioritized over those that merely contain confidential information, reducing alert noise.

Access Anomalies dashboard

Another example of security intelligence within Splunk ES is the Access Anomalies dashboard. Access Anomalies visualizes anomalies across your users' behavior, displaying concurrent authentication attempts from different IPs and unlikely travel anomalies.
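The two signals the text names, concurrent authentications from different IPs and unlikely travel, are simple to reason about in code. The following is an added example (not Splunk's code and not the dashboard's logic): it parses a constructed authentication log, looks each source IP up in a constructed IP-to-location table standing in for a geo database, and compares each user's consecutive successful logins. The log format, the lookup table, the 10-minute concurrency window and the 900 km/h speed limit are all assumptions made for the example.

```python
"""Added example (not Splunk's code): two access-anomaly checks over
authentication logs, the kind of signal an Access Anomalies view surfaces:
concurrent sessions from different IPs, and logins whose implied travel
speed between locations is physically unlikely.

The log format, the IP-to-location table and the thresholds are all
constructed assumptions for this example.
"""
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed auth events (RFC 5737 documentation addresses, not real hosts).
# Note the carol lines are deliberately out of order and include a failure.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice src=203.0.113.10 action=success
2024-05-01T09:30:00Z user=alice src=198.51.100.7 action=success
2024-05-01T10:00:00Z user=bob src=192.0.2.5 action=success
2024-05-01T10:03:00Z user=bob src=192.0.2.9 action=success
2024-05-01T11:05:00Z user=carol src=198.51.100.7 action=failure
2024-05-01T11:00:00Z user=carol src=203.0.113.10 action=success
2024-05-01T14:00:00Z user=carol src=203.0.113.10 action=success
2024-05-01T12:00:00Z user=dave src=192.0.2.5 action=success
"""

# Constructed IP -> (city, latitude, longitude) lookup standing in for a geo database.
GEO = {
    "203.0.113.10": ("London", 51.5074, -0.1278),
    "198.51.100.7": ("New York", 40.7128, -74.0060),
    "192.0.2.5": ("Paris", 48.8566, 2.3522),
    "192.0.2.9": ("Paris", 48.8566, 2.3522),
}

_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_auth_line(line):
    """Parse one constructed auth line into a dict; return None on a
    line that does not match the expected format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "user": m["user"], "src": m["src"], "action": m["action"]}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_access_anomalies(log_text, geo, max_speed_kmh=900.0,
                          concurrent_window=timedelta(minutes=10)):
    """Compare each user's consecutive successful logins from different
    source IPs. Flag 'concurrent_access' when they fall within
    `concurrent_window`, and 'unlikely_travel' when the implied speed
    between the two locations exceeds `max_speed_kmh`."""
    by_user = {}
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev and ev["action"] == "success":    # failures never become sessions
            by_user.setdefault(ev["user"], []).append(ev)

    anomalies = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])       # logs may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            if prev["src"] == cur["src"]:
                continue
            gap = cur["time"] - prev["time"]
            if gap <= concurrent_window:
                anomalies.append({"user": user, "kind": "concurrent_access",
                                  "src_ips": (prev["src"], cur["src"]),
                                  "gap_minutes": gap.total_seconds() / 60})
            if prev["src"] in geo and cur["src"] in geo:
                c1, lat1, lon1 = geo[prev["src"]]
                c2, lat2, lon2 = geo[cur["src"]]
                dist = haversine_km(lat1, lon1, lat2, lon2)
                hours = gap.total_seconds() / 3600
                # Zero gap with non-zero distance is treated as infinite speed.
                speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
                if speed > max_speed_kmh:
                    anomalies.append({"user": user, "kind": "unlikely_travel",
                                      "src_ips": (prev["src"], cur["src"]),
                                      "route": f"{c1} -> {c2}",
                                      "speed_kmh": round(speed)})
    return anomalies


if __name__ == "__main__":
    for a in find_access_anomalies(SAMPLE_LOG, GEO):
        print(a)
```

On the constructed log, `alice` is flagged for unlikely travel (London to New York in 30 minutes) and `bob` for concurrent access (two Paris addresses three minutes apart, so the travel check stays quiet); `carol`'s failed attempt is ignored and her two logins share an IP, and `dave` has only one session. The two checks are kept independent on purpose: a pair of logins can legitimately trip both, and a VPN or NAT change can trip the concurrency check without any geography involved, which is why a geo lookup miss does not suppress it.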

Investigation Workbench

During an investigation, you can quickly pivot to the Investigation Workbench, which centralizes all threat intelligence, security context and relevant data, including users and devices, for fast and accurate assessments of incidents.

The Investigation Timeline allows for better collaboration and tracking of investigations. Ad-hoc searches are also easy to run from Workbench so you save time and remain focused on your investigation.

What can you do with Splunk SOAR?