Get started with Splunk Enterprise Security
Use Splunk Enterprise Security to triage, investigate, and respond to security incidents. You can identify and remediate findings and investigations while collaborating with others on your team.
Use Splunk Enterprise Security to complete the following tasks:
- Triage findings. See Triage findings and finding groups in Splunk Enterprise Security.
- Start investigations. See Start investigations in Splunk Enterprise Security.
- Respond to investigations with response plans. See Respond to investigations with response plans in Splunk Enterprise Security.
- Automate your investigation response. See Automate your investigation response with actions and playbooks in Splunk Enterprise Security.
- Analyze risk with risk-based alerting. See Analyze risk with risk-based alerting in Splunk Enterprise Security.
- Investigate observables with threat intelligence management. See Investigate observables related to an investigation in Splunk Enterprise Security.
To get started, select the Mission Control tab in Splunk Enterprise Security, and then select a finding and start investigating.
Splunk Enterprise Security terminology
The main components of Splunk Enterprise Security each play a role in delivering security triage, investigation, and response. Some of these components are present in other Splunk security software.
Term | Definition |
---|---|
Analyst queue | A list of findings and investigations that analysts can triage. Intermediate findings are not displayed in the analyst queue. |
Detection | A scheduled correlation search that runs analytics on Splunk events, third-party alerts, or findings and generates findings, intermediate findings, or finding groups. |
Detection editor | An editor to configure event-based and finding-based detections. Using the detection editor, you can also configure time range to run the detection searches, configure adaptive response actions, and so on. |
Entity | Asset, identity, user, or device in your network that generates machine data. Entities are the subject of suspicious, anomalous, or malicious activity and help to identify potential security threats. Entities are normalized in lookups against known assets and identities using the Assets and Identities framework in Splunk Enterprise Security. Entities also carry weighted risk scores that are updated automatically in real time. |
Event | A contributing event or raw data associated with an investigation or finding. It can represent the finding itself or a series of activities that resulted in the creation of the finding. |
Event-based detection | A type of detection that reviews raw events ingested into the Splunk platform and creates findings, which might or might not indicate a potential security threat. Event-based detections generate findings or intermediate findings depending on how the user configures the detection. |
Finding | One or more anomalous incidents or alerts generated by event-based detections. A finding contains all the relevant information about what was observed and which entity was impacted. |
Finding-based detection | A type of detection that reviews the findings in the risk index and the notable index for anomalous events and threat activities and uses an aggregation of findings impacting a single entity, or other group type and criteria, to generate finding groups that indicate a security risk. |
Finding group | A group of findings and intermediate findings created by finding-based detections. Finding groups can be manually included in an investigation and triaged by the SOC. Finding groups are stored in KV Store collections. |
Intermediate finding | A record or observation created by event-based detections that indicate an anomaly but might not be a standalone security incident. Intermediate findings in conjunction with other findings might be used as input by advanced finding-based detections to discover potential security incidents with high fidelity and confidence. Intermediate findings might look identical to findings based on the data stored in the index. However, intermediate findings are not displayed in the analyst queue and are not triaged by analysts. The style and format of an intermediate finding is identical to that of a traditional finding and contains fields such as timestamp, key/value pairs, an entity, risk score, threat objects, and other metadata. |
Investigation | A case that has been manually or automatically flagged and is displayed in the analyst queue of the Mission Control page in Splunk Enterprise Security. Investigations are a collaborative process for security personnel such as analysts, SOC managers, automation engineers, security architects and so on to identify, collect, and examine findings or finding groups. |
Investigation type | A category of investigations that share common characteristics, such as source or severity. After creating an investigation type, you can associate the investigation type with a response plan to automate and personalize your response workflow. |
Note | Additional information such as PDFs, slide decks, reference materials, screenshots, extracts of log files, notes, Splunk events, email messages, and so on that can be attached to an investigation or finding. |
Threat list | A list of threat-indicators published by your threat intelligence management (cloud) data sources for use in Splunk Enterprise Security threat-matching searches and investigation enrichment. You can set up multiple threat lists to pinpoint responses or target data to specific tools in your cybersecurity setup. |
Response plan | A template of guidelines for analysts to follow so that they can provide a standardized response for investigations of the same type. You can use response plans provided by Splunk Enterprise Security, such as NIST 800-61 or Vulnerability Disclosure, or you can create your own custom response plan. |
Licensing for Splunk Enterprise Security | Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!