The cybersecurity threat landscape is constantly evolving, with bad actors implementing increasingly sophisticated strategies to evade detection. However, many security teams struggle to adapt their detection strategies at the same pace. Supporting advanced threat detection requires organizations to invest in consistent threat research and detection engineering. Without that, they cannot develop the high-quality detections needed to target the latest threats.
Unfortunately, many security teams lack the necessary resources to support this work and the processes to do it efficiently. As a result, they struggle with insufficient security coverage and low-quality detections — making it impossible to stay ahead of advanced, time-sensitive threats.
Thankfully, the Splunk Threat Research Team is here to help. Keep reading to learn who the Splunk Threat Research Team is, what the team does, and how you can leverage their work to enhance your ability to detect and respond to advanced threats.
The Splunk Threat Research Team is our internal threat research and detection engineering team. This group of industry-recognized experts develops cutting-edge security resources and content, including over 1,700 out-of-the-box security detections that Splunk Enterprise Security customers can use to help expand their security coverage, rapidly detect and respond to new and evolving threats, and proactively defend their organization.
But as we all know, quantity is nothing without quality. To support the efficacy of these detections, the team employs a robust threat research and detection engineering workflow to create and update detections to defend against the latest tactics, techniques, and procedures (TTPs) being used in the wild. This workflow includes:
This workflow helps the Splunk Threat Research Team create high-quality out-of-the-box security detections that customers can implement to help quickly expand their security coverage — without needing to spend extensive time studying threats and building detections from scratch.
To dive deeper into all the detections the Splunk Threat Research Team has to offer, check out research.splunk.com. The site features the full repository of Splunk security content, and it was recently updated to better help security teams:
1. Find the most relevant content for their organizations
The repository has been optimized to make searching for security content easier and faster, and detections can be filtered by associated data source(s), MITRE ATT&CK technique, and more.
Figure 1: List of detections in filterable table
2. Understand how individual detections operate
Detailed listings provide a wealth of information about individual detections, including any specific data sources or applications required to power the detection; how the detection aligns to industry frameworks like MITRE ATT&CK, NIST CSF 2.0 and Cyber Kill Chain®; the detection’s default configuration; and more.
Figure 2: Detailed listing for an individual detection
3. Stay up-to-date on the latest releases
Search results can be sorted by date added, and a new interactive timeline lets visitors click through the latest releases from the Splunk Threat Research Team, including product updates, new research, and more.
Figure 3: Clickable timeline featuring the latest content and releases from the Splunk Threat Research Team
And that’s not all. Head over to research.splunk.com to peruse all the latest features and content — now available in both light and dark mode!
Ready to improve your detection strategy with the help of Splunk’s out-of-the-box detections? Download the Enterprise Security Content Update (ESCU) or Splunk Security Essentials (SSE) apps to start enabling content today.
For additional guidance, check out our in-depth documentation for both ESCU and SSE, and share feedback directly with the Splunk Threat Research Team by joining the #security-research user group channel on Slack.