What is Splunk’s SIEM?
This post will examine Splunk Enterprise Security, Splunk’s SIEM product. We’ll explore what SIEMs are and how Security Operation Centers use them. We’ll see how to enable content and how to find additional content. We’ll discuss incident review, investigations, and risk-based alerting (RBA). Lastly, I’ll show how I like to analyze correlation searches.
What is a SIEM?
Security Information and Event Management (SIEM) is the centerpiece of many SOCs. There are a few alternate explanations of the acronym; my favorite is Security Incident and Event Management because it sounds Splunk-centric. But we’ll use Information for the I.
The key to a SIEM is that it has access to all the relevant security data. Which leads to the question: what is security data? Certainly, security logs off servers, firewalls, etc., are security data, as are proxy logs, application logs, webserver logs, email logs, and chat logs. So are the outputs of specialized systems such as anti-malware and intrusion detection, along with vulnerability scanners. The more complete the coverage of systems and possibilities, the more likely that incidents will be found quickly.
SIEM can either extend to encompass or integrate with EDR (endpoint detection and response), XDR (extended detection and response), and a scrabble bag full of vendor-created categories.
What is Enterprise Security?
Splunk Enterprise Security (Splunk ES) is Splunk’s SIEM offering. Splunk ES is built upon Splunk Enterprise, granting SIEM features along with the flexibility and power of Splunk search. To an end user, Splunk ES looks like a webpage with a ton of dashboards to use. To an admin, Splunk ES is a collection of apps working together to create an environment where security analysts can locate incidents.
Splunk ES is a premium product. It is deployed on a separate search head or search head cluster and uses the same indexers as the ad hoc Splunk search heads.
Splunk ES uses particular scheduled searches named correlation searches to find evidence of malicious activity. Once found, the correlation searches create notable events, the term for an incident. Analysts then work through findings in the Incident Review system or via Risk-Based Alerting.
Splunk ES includes an investigation system for managing patterns and larger-scale attacks that span many incidents, or other evidence of coordinated or advanced attacks. Your SOC can achieve success without using the built-in investigations. Some customers use tools like ServiceNow or dedicated security investigation management tools.
How to conceptualize Splunk ES:
I present Splunk ES as a fantastic starting spot for customers. Picture all the different security threats that customers face. Some are under malware attacks, some under web-based attacks. The sizes range from small instances with a dozen assets to protect to huge environments with hundreds of thousands of systems. This variety led Splunk to design Splunk ES to solve the needs of most customers, but by doing so, they knew it must be extensible.
Splunk ES was originally named Splunk Enterprise Security Suite (ESS), and thinking of it that way helps with one of the key ideas: you don’t have to use all of it. Say there is a part that doesn’t work how your SOC likes. Okay, then, don’t use that feature. You can still obtain value from a wood shop without using each tool.
Splunk ES is not going to work perfectly for your SOC without customization. A classic example is the detection for excessive DNS failures. The shipping correlation search (at publication time) has a hard-coded threshold of 100 fails; exceeding that threshold creates an incident. What is the possibility that the default will be what your company needs? Unlikely. Any manually set thresholds should be changed to adaptive thresholds (based on your data) or altered by personnel who understand the threats and posture of your enterprise.
Create new dashboards and reports to make your effective searches repeatable. Better yet, create them as dashboards, then convert them to forms so users can interact without knowing Splunk search. Create Dashboard Studio glass tables for better-looking dashboards and attractive displays that look good on the big screens in the SOC.
You may also adjust the default dashboards. The sage wisdom says to clone the dashboard (click the ellipses in the upper right of a dashboard and clone) and then modify the navigation. Place the original dashboard into a collection (think menu item) for original dashboards and replace it with your dashboard that works how your SOC wants. Don’t like a dashboard’s visualization? Great, change it. Do you want to use IQR with median instead of standard deviation off the mean? Have fun.
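As an added illustration of the last two points (not code from the original post or from Splunk): constructed DNS failure counts per host for one window, compared against the shipped static threshold of 100, a mean plus standard deviation threshold, and a median plus IQR threshold. The host names, counts and the multiplier k=3 are made-up assumptions.

```python
"""Static vs. adaptive thresholds for an "excessive DNS failures" detection.

Constructed example: the baseline hosts are all noisy (above the default 100),
and one host is a genuine outlier. Compare which hosts each threshold flags and
how much the adaptive thresholds move when the outlier is part of the data.
"""
from statistics import mean, median, pstdev

# Constructed sample: DNS failure counts per host for one search window.
DNS_FAILURES = {
    "host-01": 120, "host-02": 135, "host-03": 150, "host-04": 142,
    "host-05": 128, "host-06": 160, "host-07": 175, "host-08": 133,
    "host-09": 147, "host-10": 155, "host-11": 139, "host-12": 162,
    "host-13": 121, "host-14": 148, "host-15": 171, "host-16": 136,
    "host-17": 144, "host-18": 158, "host-19": 129, "host-20": 166,
    "host-21": 900,  # the host that should actually become a notable
}
STATIC_THRESHOLD = 100  # hard-coded default described in the post


def percentile(values, p):
    """Linear-interpolated percentile, p in [0, 1], on the sorted values."""
    s = sorted(values)
    pos = p * (len(s) - 1)
    lo, hi = int(pos), min(int(pos) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def mean_stdev_threshold(values, k=3.0):
    """Classic mean + k*stdev; one extreme host inflates both terms."""
    return mean(values) + k * pstdev(values)


def median_iqr_threshold(values, k=3.0):
    """Median + k*IQR; resistant to a handful of extreme hosts."""
    iqr = percentile(values, 0.75) - percentile(values, 0.25)
    return median(values) + k * iqr


def hosts_over(counts, threshold):
    """Hosts whose count exceeds the threshold, i.e. would become notables."""
    return sorted(h for h, c in counts.items() if c > threshold)


if __name__ == "__main__":
    vals = list(DNS_FAILURES.values())
    baseline = [c for h, c in DNS_FAILURES.items() if h != "host-21"]
    for name, thr in (("static 100", STATIC_THRESHOLD),
                      ("mean + 3*stdev", mean_stdev_threshold(vals)),
                      ("median + 3*IQR", median_iqr_threshold(vals))):
        print(f"{name:15} threshold={thr:6.1f} notables={hosts_over(DNS_FAILURES, thr)}")
    print(f"without host-21: mean-based={mean_stdev_threshold(baseline):.1f}"
          f" median-based={median_iqr_threshold(baseline):.1f}")
```

The static threshold flags every host in this environment, while both adaptive thresholds flag only host-21; note how far the mean-based threshold shifts once the outlier is included compared with the median-based one.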
The incident review system is built in Splunk ES using correlation searches: scheduled searches with specialized alert actions. Splunk ES ships with sixty-one or so (version dependent), and the free Splunk ES Content Update application (https://splunkbase.splunk.com/app/3449) includes several hundred more. Reading through each correlation search in the configuration management interface to determine which ones match your needs is time-consuming. Instead, I recommend using an enhanced version of the REST API call in the Splunk docs. Save the search as a report or a dashboard so it is available whenever needed. Better yet, convert it into a form so you can filter more easily.
The enhanced REST API calls for analyzing correlation searches:
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain, action.notable.param.severity as severity
| eval AAAseverity = case(severity=="critical","5", severity=="high","4", severity=="medium","3", severity=="low","2", severity=="informational","1", 1==1,"0")
| sort - AAAseverity
| eval status = case(disabled=="0","Enabled", 1==1,"Disabled")
| table severity, status, search, csearch_name, description, security_domain, app
Play around with the fields in the table above. You may find other fields useful.
Splunk SIEM FAQs
Can’t I just create my own SIEM?
You can, so long as you have experience, a team of developers, and a large enough budget. Some customers use Splunk Core as their SIEM. If you are at that level, then good luck. Consider using Splunk Security Essentials as a time saver if you cannot afford a SIEM.
Can’t I replicate everything Splunk ES does on my own?
Many have tried. So long as you set your sights low, it is possible to replicate parts. You could make correlation searches and event actions if you have a security wizard and an SPL guru. The features that would be near impossible are the swim lanes, the incident review process, and investigations.
Would you advise me to build our version of Splunk ES?
We explored Splunk Enterprise Security, how it is Splunk’s SIEM, and several of its features. We addressed several of the more common questions around Splunk ES. Best of all, we saw how to analyze the correlation searches more efficiently to match your use cases. Best of luck and good threat hunting.