Getting Started with Security

Splunk Enterprise Security (ES) solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of organizations’ security postures with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises or hybrid deployment models. Splunk ES enables you to: - Conquer alert fatigue with high-fidelity Risk-Based Alerting. - Bring visibility across your hybrid environment with multicloud security monitoring. - Conduct flexible investigations for effective threat hunting across security, IT and DevOps data sources. Splunk ES is a premium security solution requiring a paid license.

Get started with Splunk for Security with Splunk Security Essentials (SSE). Explore security use cases and discover security content to start address threats and challenges. Security Content Library Find security content for Splunk Cloud and Splunk's SIEM and SOAR offerings and deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Cybersecurity Frameworks Identify gaps in your defenses and take control of your security posture with automatic mapping of data and security detections to MITRE ATT&CK® and Cyber Kill Chain® framework. Data and Content Introspection Gain visibility of the data coming into your environment to add context and telemetry to security events. Enrich your security detections with metadata and tags from the Security Content Library. Security Data Journey Get prescriptive security and data recommendations and establish a data strategy to develop a security maturity roadmap. We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. This means that if you have SSE version 3.7.1 or lower, the last supported ESCU version is ESCU 4.22.0. In order to get the latest ESCU version, you will need to upgrade SSE to version 3.8.0. Learn more: Download the Product Brief : https://www.splunk.com/pdfs/product-briefs/splunk-security-essentials.pdf Try out Splunk Security Essentials: https://www.splunk.com/en_us/form/splunk-security-essentials-online-demo.html Check out the Documentation site: https://docs.splunk.com/Documentation/SSE

SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a specific entity without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included. NOTE: If you modify any of the five investigators (views), any modifications will be written to the local directory. Upgrades will NOT overwrite the local directory so if you are upgrading, the local views will need to be deleted. To ensure you do not lost any customizations, please backup your local directory views prior to upgrading and then apply your modifications after upgrade.

This is a Splunk application containing several hunting dashboards and over 120 reports that will facilitate initial hunting indicators to investigate. You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found in the details Required actions after deployment: Make sure the threathunting index is present on your indexers Edit the macro's to suit your environment Install the required addons Install the lookup csv's or create them yourself, empty csv's are here > https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz More documentation is available at > https://github.com/olafhartong/threathunting/wiki This app is maintained on GitHub > https://github.com/olafhartong/threathunting

This app is used to supplement your data with information from VirusTotal. The custom command ` | virustotal ` (bundled with this app) uses the `https://www.virustotal.com/vtapi/v2/file/report` endpoint to communicate with the VirusTotal API. This TA can be installed on the search head. No additional manual steps are required in distributed environments, as the app only interacts with search-time functionality ( lookups and scheduled searches ). This Add-on has been tested (and installed) on Splunk Cloud. We're using GitLab to both share our source code and track issues (bugs or feature requests), please use it freely: https://gitlab.com/ecs_public_projects/splunk/TA-VirusTotal

TruSTAR integration for TruSTAR + Enterprise Security Customers. Note: The TruSTAR product is no longer sold by Splunk. Support for the TruSTAR product and this app is per policy stated here: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html [see section titled, "Splunk Intelligence Management (TruSTAR Legacy System)"] Installation Docs: https://docs.splunk.com/Documentation/SIM/current/Apps/Splunk#Integrate_Splunk_Intelligence_Management_with_Splunk_Enterprise_Security_deployments_to_improve_detection_and_triage (video) Using this app to improve detection & triage: https://lantern.splunk.com/Splunk_Product_Learning_Guides/Splunk_Int_Mgmt/UnifiedApp_UseCase?mt-learningpath=intelmgmtunifiedappconfig# This app is compatible with both Splunk ES Cloud and "on-prem" / "self-managed" deployments. This app is not certified for installation / use on FEDRAMP ES Cloud deployments. The TruSTAR platform is not FEDRAMP certified. ** Notes to SplunkCloud SRE: - This app must be installed on Enterprise Security searchheads (NOT IDM), and includes a modinput, which must be allowed to run on the searchhead. This app will not work on an IDM, indexer, or a search head which does not have Enterprise Security. - This app's modinput contains checks to ensure that it will only run on the cluster Captain when installed on an ES SHC. - The modinput fetches cyber threat observables from TruSTAR's REST API and posts them to the searchheads' kvstores using the kvstore "batch_save" endpoint, not an index as most modinputs do. This is why it must run on the searchheads, not an IDM. There is no config option that would allow the user to tell the modinput to post the observables to that endpoint on a different host, it's hard-coded to post to "localhost". - This app is compatible with ES SHC, but its ES SHC compatibility is implemented in a way which requires replicating "inputs.conf" from all Splunk apps on the stack to all nodes in the SHC by setting "conf_replication_include.inputs = true" in "server.conf". This is standard for all Splunk apps created using Splunk's Addon Builder. If this behavior is problematic for other Splunk apps on the user's SHC, user will need to decide which app they prefer to use: TruSTAR Unified or the app with which that conflicts. See SINT-3685 for more details / information. - The app contains modactions that need to be available on all ES SHC nodes, so the app needs to be installed on all SHC nodes. References for exceptions to "no modinputs on SHs policy": - Case #1685202 "Vet and Install TruSTAR App for Splunk ES." (Circa April 7, 2020) (TruSTAR App for Splunk ES was this app's predecessor) - Case # 2646540

This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data

This app supports email ingestion and various investigative actions over IMAP

This app integrates with JIRA to perform several ticket management actions

This app connects to Office 365 using the MS Graph API to support investigate and generic actions related to the email messages and calendar events

This app provides the ability to send email using SMTP

This app integrates with Splunk to update data on the device, in addition to investigate and ingestion actions

This app supports executing investigative actions to analyze files and URLs on Joe Sandbox

This app supports various identity management actions on Okta

This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response