Splunk App for Enterprise Security (Splunk ES App)
Analytics-Driven Security and Continuous Monitoring for Modern Security Threats
The modern enterprise requires security technologies that can adapt to a dynamic threat landscape, evolving adversary tactics, advanced threats and changing business demands. To meet these new requirements, security teams need to have advanced analytics capabilities to rapidly implement new threat detection techniques.
The Splunk App for Enterprise Security runs on top of Splunk Enterprise to identify and address these emerging security threats through the use of monitoring, alerts and analytics. Suitable for a small security team or an enterprise security operations center, the app is the primary data interface for the security professional faced with a growing list of challenges.
Splunk ES APP is a software product that enables you to search, analyze, and visualize the data gathered from the components of your IT infrastructure or business. Splunk Enterprise takes in data from websites, applications, sensors, devices, and so on. After you define the data source, Splunk Enterprise indexes the data stream and parses it into a series of individual events that you can view and search.
Most users connect to Splunk Enterprise with a web browser and use Splunk Web to administer their deployment, manage and create knowledge objects, run searches, create pivots and reports, and so on. You can also use the command-line interface to administer your Splunk Enterprise deployment.
You can extend the Splunk Enterprise environment to fit the specific needs of your organization by using apps. An app is a collection of configurations, knowledge objects, views, and dashboards that runs on the Splunk platform. A single Splunk Enterprise installation can run multiple apps simultaneously.
Out-of-the-box features include:
- Incident Review and Classification: as part of a comprehensive incident review capability, classification allows bulk event reassignment and changes to status and criticality
- Automated Correlation Searches for cross data-type correlations that give the user an understanding of evolving threat scenarios in real time
- Reports and Security Metrics: leverage dozens of out-of-the-box reports, dashboards and metrics; any search result can be turned into a graphic, dashboard or table to convert raw unstructured data into analytics; export raw data as a PDF or CSV
- Risk-based analysis to help align your security posture with the business by discovering relationships and applying a risk score to any data while transparently exposing the score’s contributing factors
- Threat intelligence framework to integrate, de-duplicate and assign weights to any number of open, proprietary or local threat intelligence feeds to simplify threat intelligence and make it a core component of your security operations workflow
- Unified search editor for a user-friendly, consistent search creation experience including guided searches for key security indicator (KSI) or key performance indicator (KPI) correlation searches and identity and asset visualizations
- User identity and asset correlation helps you answer questions about a specific user’s activity across multiple identities and assets
Security Posture Dashboard
The security posture dashboard provides a SOC-style, fully customizable view of key security metrics across security domains. The Splunk App for Enterprise Security contains a library of prebuilt security metrics widgets that support situational awareness and continuous monitoring of security domain-based risk. All graphics support drill-down into the incident review dashboard.
The Incident Review section provides the analysis workflows required to understand the priority of the incident, incident context, its type and which hosts were involved. One click and you’re exploring the raw data or viewing a journal of incident activities. Pivot on any piece of data known about the host to find out additional information or see related events.
Use risk analysis to identify the sources and magnitude of risk in your environment. Risk scores can assist in the hunt for unusual activities.
Features of Splunk Enterprise
Splunk Enterprise indexes the data that makes up your IT infrastructure. You can source data from websites, applications, servers, databases, operating systems, and more. The maximum indexing volume of your Splunk instance depends on your Splunk Enterprise license.
Search is the primary way users navigate their data in Splunk Enterprise. You can save a search as a report and use it to power dashboard panels. Searches provide insight from your data, such as:
- Retrieving events from an index
- Calculating metrics
- Searching for specific conditions within a rolling time window
- Identifying patterns in your data
- Predicting future trends
Alerts notify you when search results for both historical and real-time searches meet configured conditions. You can configure alerts to trigger actions like sending alert information to designated email addresses, posting alert information to an RSS feed, and running a custom script, such as one that posts an alert event to syslog.
Dashboards contain panels of modules like search boxes, fields, charts, and so on. Dashboard panels are usually connected to saved searches or pivots. They display the results of completed searches and data from real-time searches that run in the background.
Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table, chart, or data visualization without having to write the searches in the Search Processing Language (SPL) to generate them. Pivots can be saved as reports and added to dashboards.
Splunk Enterprise allows you to save searches and pivots as reports, and then add reports to dashboards as dashboard panels. Run reports on an ad hoc basis, schedule them to run on a regular interval, or set a scheduled report to generate alerts when the result meets particular conditions.
Data models encode specialized domain knowledge about one or more sets of indexed data. They enable Pivot Editor users to create reports and dashboards without designing the searches that generate them.