Do More with Splunk Security Essentials 3.7.0

We know the time between Thanksgiving and New Year’s is typically slow so we wanted to bring some early holiday cheer to you through the most downloaded (and free) app on Splunkbase, Splunk Security Essentials (SSE). Starting Dec. 7, Splunk Security Essentials 3.7.0 is Generally Available. We have some amazing updates in the SSE 3.7.0 release, so let’s dive right in. 

Splunk Security Essentials + Splunk Enterprise Security

At Splunk, we are always looking at ways for our customers to achieve more with our products. Included in the SSE 3.7.0 release is the ability to easily integrate SSE with Splunk Enterprise Security (ES). Customers can easily view how to push MITRE ATT&CK and Cyber Kill Chain attributions to the ES Incident Review Dashboard and so much more. The simple integration between SSE and our market share leading SIEM enabled in this update will prove to be a huge winner. 

Metrics

With this release we updated the Overview dashboard to include metrics on how you have configured your Security Essentials app in the current environment. Some examples of the metrics we now include:

• # of Datasources
• Number of Datasources for all enabled Content
• Content enabled by Originating App

Originating App is a field we started using heavily in SSE v3.6.0 and describes where the content is coming from and where it has been deployed. This could be inside Splunk or in any 3rd party solution like DTEX, Sophos or Crowdstrike. With this release you can now easily get statistics and metrics on which solution is providing the most content. 

You can click on individual metrics to search through and fine tune all the details. Check out just a sample of what you can do in this update below:

Custom Threat Groups Lists

We love our customers and value their feedback in everything we do. Based on a customer’s request, we included the ability to use the MITRE ATT&CK Framework dashboard to add and track your own lists of Threat Groups in the same way as the bundled lists with SSE. Now you can track how well you are performing and covering these threat groups with content such as detections. We also added the ability to add lists of Techniques as well. Previously we only bundled some useful lists, such as “MITRE Engenuity Adversary Sightings Top 15” and “MITRE ATT&CK Ransomware Top Ten List” but now you can add your own to make reporting on what is important to you even easier. Keep the feedback coming!

Improved Search in Content Mapping

Our goal is to provide you with the most user friendly app possible and with the new ability to search for data sources using free text will enable you to accomplish more in SSE, quickly. You will now be able to enter text in the search bar for the data in saved searches through SSE content names to map data more quickly than ever before.

One last feature we want to highlight is an update to the data inventory for uberAgent ESA. The team over at uberAgent was kind enough to share details on how their new ESA product should be configured in the data inventory. Thanks to this update, SSE customers can now search for uberAgent data sources and sourcetype in Splunk Security Essentials.

There is so much more you can do with Splunk Security Essentials 3.7.0.

Be sure to check out the SSE Splunkbase page for all the feature updates coming out with this release and download version 3.7.0. If you want to read more.

As a reminder, Splunk Security Essentials is free.

Happy Splunking!

----------------------------------------------------
Thanks!
Johan Bjerke