This document provides an overview and demo of Splunk Security Essentials. It begins with an introduction to the app and its capabilities for detecting both external and insider threats. It then demonstrates how to install and navigate the app to evaluate security use cases and review analytics methods. A scenario of a malicious insider exfiltrating data is presented, showing how the app's searches can be used to detect anomalous activity related to Salesforce and Box downloads. It concludes by emphasizing how the app teaches detection use cases that can then be customized and integrated with Splunk's security products.
9. Analytics Methods: Types of Use Cases
• First Time Seen (powered by stats)
• Time Series Analysis with Standard Deviation
• General Security Analytics Searches
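The first two analytics methods on this slide are simple enough to show end to end. The following Python is an added example, not code from the deck or from Splunk Security Essentials; it reimplements the logic the app expresses in SPL (`stats earliest(_time) ... BY user, app` for First Time Seen, and a per-user average plus two standard deviations for the time-series outlier) over a constructed set of cloud-download audit events. The field names, users and counts are invented for the illustration.

```python
"""Two analytics methods from the deck, "First Time Seen" and "Time Series
Analysis with Standard Deviation", run over constructed download-audit events.
Added example; not code shipped with Splunk Security Essentials."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

TS_FMT = "%Y-%m-%d %H:%M"

# Constructed sample events: (timestamp, user, app, files_downloaded).
# In Splunk these would be indexed Box / Salesforce audit logs.
EVENTS = [
    ("2024-03-01 09:10", "alice", "box", 3),
    ("2024-03-02 10:05", "alice", "box", 4),
    ("2024-03-03 11:20", "alice", "box", 2),
    ("2024-03-04 09:45", "alice", "box", 3),
    ("2024-03-05 14:30", "alice", "box", 41),        # bulk download spike
    ("2024-03-05 15:00", "alice", "salesforce", 1),  # first ever Salesforce use
    ("2024-03-01 08:00", "bob", "salesforce", 5),
    ("2024-03-02 08:30", "bob", "salesforce", 6),
    ("2024-03-03 08:15", "bob", "salesforce", 5),
    ("2024-03-04 08:40", "bob", "salesforce", 4),
    ("2024-03-05 08:20", "bob", "salesforce", 6),
]


def parse(ts):
    return datetime.strptime(ts, TS_FMT)


def first_time_seen(events, now, window_days=1):
    """Equivalent of `stats earliest(_time) AS first_seen BY user, app`
    followed by a filter on first_seen: return (user, app) pairs whose
    earliest event falls inside the detection window ending at `now`.
    The method only works against a baseline; with a single day of history
    every pair is "first seen", so the search needs weeks of data behind it."""
    now = parse(now)
    earliest = {}
    for ts, user, app, _ in events:
        t = parse(ts)
        key = (user, app)
        if key not in earliest or t < earliest[key]:
            earliest[key] = t
    start = now - timedelta(days=window_days)
    return sorted(key for key, t in earliest.items() if start <= t <= now)


def stdev_outliers(events, sigma=2.0, min_baseline_days=3):
    """Per-user daily download counts; each day is compared against the
    average and standard deviation of that user's *preceding* days only.
    Including the day under test in the baseline would let a large spike
    inflate the stdev and hide itself, so the baseline is strictly historical.
    Days with no activity count as 0 so quiet users keep a tight baseline.
    Returns (user, day, count, baseline_avg, baseline_stdev)."""
    if min_baseline_days < 2:
        raise ValueError("stdev needs at least two baseline points")
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ts, user, _, files in events:
        per_user_day[user][parse(ts).date()] += files
    all_days = sorted({d for days in per_user_day.values() for d in days})
    outliers = []
    for user, days in per_user_day.items():
        series = [days.get(d, 0) for d in all_days]
        for i in range(min_baseline_days, len(series)):
            baseline = series[:i]
            avg, sd = mean(baseline), stdev(baseline)
            if series[i] > avg + sigma * sd:
                outliers.append(
                    (user, all_days[i].isoformat(), series[i], round(avg, 1), round(sd, 1))
                )
    return outliers


if __name__ == "__main__":
    print("first time seen:", first_time_seen(EVENTS, "2024-03-05 23:59"))
    print("stdev outliers:", stdev_outliers(EVENTS))
```

Run as-is, the first search reports `alice` using Salesforce for the first time, and the second flags her 42-file day against a baseline of about 3 files per day; `bob`, whose counts wander between 4 and 6, never crosses two standard deviations. Both checks are what the "Data Source Check" in the app is really asking about: neither produces anything useful until enough history has been indexed to form a baseline.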
12. Implementation Approach for Security Analytics
Stages: Alert Creation → Alert Aggregation → Investigation
Investigative Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based Detection
• Detect unknown
• New vectors
• Heavy data science
Threat Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules
16. Splunk Security Essentials: Identify bad guys
https://splunkbase.splunk.com/app/3435/
• 450+ security analytics methods
• Free on Splunkbase – use on Splunk Enterprise
• Target external and insider threats
• Advanced threat detection, compliance, and more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save from app, send hits to ES / UBA
Solve the use cases you can today for free, then use Splunk UBA for advanced ML detection.
22. Getting Started with Splunk Security Essentials
• Download from apps.splunk.com
• Install on your Search Head, standalone Splunk server, or even a laptop
• Browse use cases that match your needs
• Data Source Check shows other use cases for your existing data
• Evaluate free tools to meet gaps, such as Microsoft Sysmon (links inside the app)
23. Open the Splunk Security Essentials App
First open Splunk Security Essentials, then open Use Cases.
24. Pre-requisite Checks
• For those just starting out, it can be hard to know what data you need
• Every use case comes with pre-req checks to show if you have the data
• If you don’t, follow the links
25. Or Check EVERYTHING
• Data Source Check tells you what’s possible
• Runs all pre-req checks
Click “Start Searches”
26. Create Posture Dashboards
• Run the data source check first
• Allow it to complete the check
• Then click the “Create Posture Dashboards” button
27. Posture Dashboards (cont’d)
If you don’t have live data yet, click “Demo Datasets”; the number of available visualizations will update accordingly.
29. Posture Dashboards (cont’d)
• Essential Account Security
  • Data sources include General Authentication, Windows 10, and Active Directory
• Essential Host Security
  • Data sources include Windows Endpoint, Anti-virus
• Essential Network Security
  • Data sources include Firewall, Next-Gen Firewall, and Web Proxy
30. Take a Minute to Review Use Cases
• Read through a few of the use cases
• Filter for use cases you care about
31. Let’s Start With a Simple Example
Click on “Concentration of Hacker Tools by Filename”
34. An Advanced Splunk Search
• Phishing is a big risk
• Many approaches to mitigating with Splunk
Click on ‘Emails with Lookalike Domains’
From Journey, select Stage 4
From Data Sources, filter to Email Logs