© 2022 SPLUNK INC.
Splunk Security Essentials
Johan Bjerke
Principal Security Strategist | SURGe
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
Agenda
1. What is Splunk Security Essentials (SSE)
2. Finding Content
3. How do you deploy Content?
4. Dashboarding and Reporting
What Is SSE?
Widely Deployed Today
120k: over 12,000 downloads
14k: over 14,000 reporting installs
40: 40 releases
4: Essentials has been around for four years
Proven and Stable
Four Pillars
Four ways in which SSE has delivered value to users:
● Finding Content
● Learning Splunk Security
● Improve Production
● Measure Your Success
Finding Content
Security Content Library
Browse, bookmark, and deploy 900+ security detections and analytic stories
● Repository of Security Content for Splunk Cloud, Enterprise Security, UEBA, and Phantom
● Deploy security content within clicks
● Enrich notable events and run analytics with context from the content library
● Stay up to date on existing and emerging threats
How do you deploy content?
● Showcase page with all details for the content
● List and configure all prerequisites
● Run search
● Schedule content
Dashboarding and Reporting
MITRE ATT&CK Throughout App
Utilization Made Easier
● Enrich Enterprise Security: ATT&CK descriptions in Incident Review and the risk framework
● MITRE Threat Groups: view which detections handle techniques used by which threat groups, with MITRE's evidence
● MITRE-based Content Advice: content recommendations tied to techniques popular amongst many threat groups
● Analyze ES Risk with ATT&CK: drill down to a customized ATT&CK Matrix and correlate risky events across tactics and techniques
● View Your ATT&CK Coverage: ATT&CK Matrix highlighting gaps and showing content you can enable for free with existing data
MITRE ATT&CK Matrix
See what techniques you have or don't have coverage for. Drill down to see those detections.
Annotate with threat groups that target you, or filter for techniques popular with many groups.
Considering a new data source? Highlight the techniques it supports.
Automatic Dashboards
Alternative to Alerts
Driven by what data is in your environment, and follows all of Splunk's dashboard technical best practices
Monitor Data Ingest
Understand lag, and impacted detections
Powered by Splunk's Machine Learning Toolkit
Track CIM Compliance
Ensure Data Formatting
SSE will analyze the most important CIM fields and evaluate whether your data matches.
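The two data-inventory checks on the preceding slides (ingest lag with the detections it impacts, and CIM field compliance) can be reproduced offline on a handful of events. The script below is an added example, not SSE's own logic or its MLTK-based implementation; the events, the required-field list for the CIM Authentication data model, the two detection definitions and the 90% compliance threshold are all constructed or assumed for the example.

```python
"""CIM compliance and ingest-lag checks of the kind SSE's data inventory runs.

Added example, not code from Splunk Security Essentials. Events, the required
CIM field list and the detection definitions are all constructed. _time is the
event timestamp and _indextime the time the indexer wrote the event, both in
epoch seconds, as Splunk exposes them.
"""
from collections import defaultdict

# Constructed events: two Windows logons that are fully CIM-compliant and two
# Linux auth events that miss fields and arrive roughly 30 minutes late.
EVENTS = [
    {"sourcetype": "WinEventLog:Security", "_time": 1000, "_indextime": 1030,
     "action": "failure", "app": "win:local", "src": "10.0.0.5", "dest": "dc01", "user": "bob"},
    {"sourcetype": "WinEventLog:Security", "_time": 1010, "_indextime": 1040,
     "action": "success", "app": "win:local", "src": "10.0.0.7", "dest": "dc01", "user": "alice"},
    {"sourcetype": "linux_secure", "_time": 1000, "_indextime": 2900,
     "action": "failure", "src": "10.0.0.9", "user": "root"},               # no app, no dest
    {"sourcetype": "linux_secure", "_time": 1020, "_indextime": 2950,
     "action": "success", "src": "10.0.0.9", "dest": "web01", "user": ""},  # no app, empty user
]

# Assumed "most important" fields of the CIM Authentication data model.
REQUIRED_FIELDS = {"Authentication": ["action", "app", "src", "dest", "user"]}

# Constructed detections: the fields each keys on and how far back its scheduled search looks.
DETECTIONS = [
    {"name": "Brute force by src", "model": "Authentication",
     "fields": ["action", "src", "user"], "window_s": 900},
    {"name": "Auth to new app", "model": "Authentication",
     "fields": ["app", "user"], "window_s": 3600},
]


def cim_compliance(events, required_fields):
    """Per sourcetype, the fraction of events where each required field is populated."""
    hits = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for ev in events:
        st = ev["sourcetype"]
        totals[st] += 1
        for field in required_fields:
            if ev.get(field) not in (None, ""):  # absent or empty both fail the data model
                hits[st][field] += 1
    return {st: {f: hits[st][f] / totals[st] for f in required_fields} for st in totals}


def ingest_lag(events):
    """Per sourcetype, the worst observed indexing delay in seconds."""
    lag = defaultdict(int)
    for ev in events:
        lag[ev["sourcetype"]] = max(lag[ev["sourcetype"]], ev["_indextime"] - ev["_time"])
    return dict(lag)


def impacted_detections(events, required, detections, min_coverage=0.9):
    """For each detection and sourcetype, list why a scheduled search would miss events.

    A field below min_coverage means the data model search will not see those
    events; ingest lag longer than the lookback window means events are indexed
    after the scheduled search for their time range has already run.
    """
    lag = ingest_lag(events)
    report = {}
    for det in detections:
        compliance = cim_compliance(events, required[det["model"]])
        reasons = defaultdict(list)
        for st, fields in compliance.items():
            for f in det["fields"]:
                if fields[f] < min_coverage:
                    reasons[st].append(f"field {f} populated in {fields[f]:.0%} of events")
            if lag[st] > det["window_s"]:
                reasons[st].append(f"ingest lag {lag[st]}s exceeds {det['window_s']}s lookback")
        report[det["name"]] = dict(reasons)
    return report


if __name__ == "__main__":
    for st, fields in cim_compliance(EVENTS, REQUIRED_FIELDS["Authentication"]).items():
        print(st, {name: f"{v:.0%}" for name, v in fields.items()})
    print("lag:", ingest_lag(EVENTS))
    for det_name, by_st in impacted_detections(EVENTS, REQUIRED_FIELDS, DETECTIONS).items():
        for st, why in by_st.items():
            print(f"{det_name} impacted on {st}: {'; '.join(why)}")
```

The lag check is the one practitioners most often skip: a correlation search that runs every 15 minutes over the last 15 minutes of _time never sees events that are indexed 30 minutes late, so the detection is silently blind for that sourcetype even though the data does eventually arrive.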
How do you report enhancements or bugs?
Feedback
● If you are a customer, file a support ticket to get help: https://www.splunk.com/support
● If you want to report enhancements, use https://ideas.splunk.com/
● Use the public Slack workspace: https://splunk-usergroups.slack.com/archives/C1S5BEF38
What’s New by version
What’s new in 3.3
● New showcase template for content coming from the Security Content API (ESCU)
● Custom bookmark status support
● Official documentation site on docs.splunk.com launched
● Added Zero Trust as a category
● Search multiple MITRE ATT&CK techniques on the Security Content page
● The ES Use Case Library is now populated and maintained by the app
● Now a fully supported app!
Full release notes
What’s new in 3.3: Security Content fully represented in SSE (easy to operationalize; new fields from the API included)
What’s new in 3.3: Custom status for bookmarks; official docs site on Splunk.com
What’s new in 3.3: Zero Trust as a category; search multiple MITRE ATT&CK techniques on the Security Content page
What’s new in 3.3: The ES Use Case Library is now populated and maintained by SSE
What’s new in 3.3: Now fully supported!
What’s new in 3.2
● MITRE ATT&CK Sub-Techniques fully supported for the content and the Analytics Advisor
● ATT&CK Software object added to Analytics Advisor and Security Content
● Support for the Annotations framework in ES 6.3+
● Security Content from the Splunk Research team (i.e. ESCU) is automatically downloaded into SSE using the Splunk Security Content API. SSE will automatically be up to date with the latest content.
● NIST/CIS mapping support for the detections
● Major UI improvements for mapping Content in SSE to local correlation searches
What’s new in 3.2: MITRE ATT&CK Sub-Techniques
ATT&CK Matrix; Security Content
All content has been re-mapped to the new Sub-Technique IDs.
Sub-Techniques provide a more granular link between a detection a
Why is this important?
● Sub-Techniques make the ATT&CK Framework more closely linked to the methods and procedures that attackers will actually perform.
● You can better create detections that map to a specific Sub-Technique.
● Detection coverage (like the ATT&CK Matrix in SSE) should in theory become more honest about the current coverage state.
What’s new in 3.2: Support for MITRE ATT&CK Software
ATT&CK Matrix; Security Content
Available in SSE 3.2.2
Filter the content list directly in Security Content
Allows you to do threat modelling for things like ransomware and hacker tools
What’s new in 3.2: Support for ES Annotations
ES Correlation Search page; attached to ES Risk Objects
Available in ES 6.3+
The annotations are stored in action.correlationsearch.annotations in JSON format in the savedsearches.conf file.
Enrichment data will be added to the Annotations Framework when scheduling a search through SSE.
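As an added example (not code from SSE or Enterprise Security), the script below reads the annotation JSON described above out of a savedsearches.conf, validates the mitre_attack technique IDs, and computes the coverage and gap view the ATT&CK Matrix slide describes, counting only searches that are enabled. The stanza names, searches and annotation framework keys (mitre_attack, nist, cis20, kill_chain_phases) in the sample conf are constructed for the example, and those key names are assumed to match what ES writes.

```python
"""Offline audit of the ATT&CK annotations ES stores on correlation searches.

This is an added example, not code from Splunk Security Essentials or
Enterprise Security. It reads the action.correlationsearch.annotations JSON
that ES 6.3+ keeps per stanza in savedsearches.conf, validates the technique
IDs, and reports coverage the way the SSE ATT&CK Matrix does: only searches
that are actually enabled count. The conf text below is constructed.
"""
import configparser
import json
import re
from collections import defaultdict

ANNOTATION_KEY = "action.correlationsearch.annotations"
# Technique (T1003) or sub-technique (T1003.001) ID; tactic IDs (TA0002) are not techniques.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed savedsearches.conf. Stanza names, searches and annotation
# framework keys (mitre_attack, nist, cis20, kill_chain_phases) are assumed.
SAMPLE_CONF = """\
[ESCU - Detect Mimikatz Using Loaded Images - Rule]
search = index=sysmon EventCode=7 ImageLoaded IN ("*WinSCard.dll", "*cryptdll.dll") | stats count by host
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1003.001", "T1003"], "nist": ["DE.CM"], "cis20": ["CIS 8"]}
disabled = 0

[ESCU - Suspicious PowerShell Encoded Command - Rule]
search = index=powershell EventCode=4104 ScriptBlockText="*-EncodedCommand*" | stats count by host
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1059.001"], "kill_chain_phases": ["Exploitation"]}
disabled = 1

[Custom - Badly Annotated Search]
search = index=main | stats count
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1059.001", "TA0002", "t1078"]}
disabled = 0

[Custom - No Annotations]
search = index=main error | stats count
action.correlationsearch.enabled = 1
disabled = 0
"""


def load_annotations(conf_text):
    """Parse savedsearches.conf text into {stanza: {enabled, annotations, bad_ids}}."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep dotted keys exactly as Splunk writes them
    parser.read_string(conf_text)
    searches = {}
    for stanza in parser.sections():
        section = parser[stanza]
        raw = section.get(ANNOTATION_KEY, "").strip()
        try:
            annotations = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            annotations = {}  # unparseable JSON gives ES nothing to enrich with
        technique_ids = annotations.get("mitre_attack", [])
        searches[stanza] = {
            "enabled": section.get("disabled", "0").strip() == "0",
            "annotations": annotations,
            "bad_ids": [t for t in technique_ids if not TECHNIQUE_RE.match(t)],
        }
    return searches


def technique_coverage(searches, include_disabled=False):
    """Map each technique to the searches annotated with it; sub-techniques roll up to their parent."""
    coverage = defaultdict(set)
    for name, info in searches.items():
        if not (info["enabled"] or include_disabled):
            continue
        for tid in info["annotations"].get("mitre_attack", []):
            if TECHNIQUE_RE.match(tid):
                coverage[tid].add(name)
                coverage[tid.split(".")[0]].add(name)
    return {tid: sorted(names) for tid, names in coverage.items()}


def gap_report(searches, techniques_of_interest):
    """Split a technique list (e.g. one threat group's techniques) into covered and uncovered."""
    coverage = technique_coverage(searches)
    covered = {t: coverage[t] for t in techniques_of_interest if t in coverage}
    gaps = [t for t in techniques_of_interest if t not in coverage]
    return covered, gaps


if __name__ == "__main__":
    searches = load_annotations(SAMPLE_CONF)
    for name, info in searches.items():
        if info["bad_ids"]:
            print(f"[warn] {name}: IDs that are not ATT&CK techniques: {info['bad_ids']}")
        if not info["annotations"]:
            print(f"[warn] {name}: no annotations, will not appear in the ATT&CK Matrix")
    # Constructed technique list standing in for "techniques used by a threat group that targets you".
    covered, gaps = gap_report(searches, ["T1003", "T1059.001", "T1078"])
    print("covered:", covered)
    print("gaps:", gaps)
```

Point load_annotations at the text of a real savedsearches.conf exported from the ES search head to audit a live deployment. The include_disabled switch in technique_coverage is the difference between "content I have mapped" and "content that is actually running": a disabled search still carries its annotations but provides no coverage, which is exactly the kind of false comfort the sub-technique slide warns a coverage matrix should not give.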
What’s new in 3.2: Automatic Content Updates
Update notification; content updated
Using the Splunk Security Content API. No need to update any apps to have the latest detections.
What’s new in 3.2: NIST and CIS Mapping
Better industry framework support. Available on Content and Showcase pages.
Improvements to Content Mapping: Showcase page
Supports 1-to-many mappings: manage mappings directly on the showcase page and link multiple saved searches to one content card.
Improvements to Content Mapping: Create custom content from a saved search
Content mapping made more robust and supporting more scenarios.
Use a saved search as a template for new content in SSE. This will ensure notable event enrichment works in more scenarios.
More robust enrichment lookup behavior.
Improvements to Content Mapping: Why is this important?
Content mappings are the link between the SSE repository and what is actually running in production.
They provide the enrichment fields for Notable and Risk events which are displayed on the ES Incident Review page.
Minor 3.1 Content Improvements
● Added MITRE ATT&CK Platform (Cloud, SaaS etc.) to the Content and the MITRE Matrix dashboard
● Word export improved
● Major UI improvement for mapping Content in SSE to local correlation searches
● Many small UI improvements
Splunk Security Essentials 3.0
The Splunk app that makes security easier
● Understands your data and your enabled content to make recommendations on what to deploy next.
● Helps you learn Splunk, learn security, and learn how most people start using Splunk for security.
● Improves your production deployments with MITRE ATT&CK and other tools.
● Documents and shows off your successes.
Appendix
Connecting Products to Data to Detections
• Data Source Categories (e.g., App-Aware FW)
• Sources / Sourcetypes / Indexes: Event Volume, Avg Event Size, # of Hosts, CIM Compliance, Ingest Latency
• Logical Products (e.g., PAN FW): Description, Coverage Level, (Configurable Metadata)
• Content: MITRE ATT&CK, Kill Chain, Categories
• Active Saved Search on System: <Push Content Metadata to ES>
Layers: Data Inventory Introspection; Data Inventory; Content; Dashboards; Correlation Search Introspection
SSE Overview Deck - Swedish User Group.pdf