© 2022 SPLUNK INC.
Splunk Security Essentials
Johan Bjerke
Principal Security Strategist | SURGe
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
Agenda
1. What is Splunk Security Essentials (SSE)
2. Finding Content
3. How do you deploy Content?
4. Dashboarding and Reporting
What Is SSE?
Widely Deployed Today
● 120k: over 120,000 downloads
● 14k: over 14,000 reporting installs
● 40 releases
● Essentials has been around for four years
Proven and Stable
Four Pillars
Four ways in which SSE has delivered value to users:
● Finding Content
● Learning Splunk Security
● Improve Production
● Measure Your Success
Finding Content
Security Content Library
Browse, bookmark, and deploy 900+ security detections and analytic stories
● Repository of Security Content for Splunk Cloud, Enterprise Security, UEBA, and Phantom
● Deploy security content within clicks
● Enrich notable events and run analytics with context from the content library
● Stay up to date on existing and emerging threats
How do you deploy content?
● Showcase page with all details for the content
● List and configure all prerequisites
● Run the search
● Schedule the content
Dashboarding and Reporting
MITRE ATT&CK Throughout App
Utilization Made Easier
● Enrich Enterprise Security: ATT&CK descriptions in Incident Review and the risk framework
● MITRE Threat Groups: view which detections handle techniques used by which threat groups, with MITRE's evidence
● MITRE-based Content Advice: content recommendations tied to techniques popular amongst many threat groups
● Analyze ES Risk with ATT&CK: drill down to a customized ATT&CK Matrix and correlate risky events across tactics and techniques
● View Your ATT&CK Coverage: ATT&CK Matrix highlighting gaps and showing content you can enable for free with existing data
MITRE ATT&CK Matrix
● See what techniques you have or don't have coverage for. Drill down to see those detections.
● Annotate with threat groups that target you, or filter for techniques popular with many groups.
● Considering a new data source? Highlight the techniques it supports.
Automatic Dashboards
Alternative to alerts: driven by what data is in your environment, and follows all of Splunk's dashboard technical best practices.
Monitor Data Ingest
Understand lag and impacted detections. Powered by Splunk's Machine Learning Toolkit.
Track CIM Compliance
Ensure data formatting: SSE will analyze the most important CIM fields and evaluate whether your data matches.
How do you report enhancements or bugs?
Feedback
● If you are a customer, file a support ticket to get help: https://www.splunk.com/support
● If you want to report enhancements, use https://ideas.splunk.com/
● Use the public Slack workspace: https://splunk-usergroups.slack.com/archives/C1S5BEF38
What's New by version
What’s new in 3.3
● New showcase template for content coming from Security Content API (ESCU)
● Custom bookmark status support
● Official documentation site on docs.splunk.com launched
● Added Zero Trust as a category
● Search multiple MITRE ATT&CK techniques on the Security Content page
● The ES Use Case Library is now populated and maintained by the app.
● Now a fully supported app!
Full release notes
What's new in 3.3: Security Content fully represented in SSE
● Easy to operationalize
● New fields from the API included
What's new in 3.3
● Custom status for Bookmarks
● Official Docs site on Splunk.com
What's new in 3.3
● Zero Trust as a category
● Search multiple MITRE ATT&CK techniques on the Security Content page
What’s new in 3.3
The ES Use Case Library is now populated and maintained by SSE
What’s new in 3.3
Now fully supported!
What's new in 3.2
● MITRE ATT&CK Sub-Techniques fully supported for the content and the Analytics Advisor
● ATT&CK Software object added to Analytics Advisor and Security Content
● Support for the Annotations framework in ES 6.3+
● Security Content from the Splunk Research team (i.e. ESCU) is automatically downloaded into SSE using the Splunk Security Content API, so SSE is automatically up to date with the latest content
● NIST/CIS mapping support for the detections
● Major UI improvements for mapping Content in SSE to local correlation searches
What's new in 3.2: MITRE ATT&CK Sub-Techniques
ATT&CK Matrix / Security Content
All content has been re-mapped to the new Sub-Technique IDs.
Sub-Techniques provide a more granular link between a detection a
MITRE ATT&CK Sub-Techniques: why is this important?
● Sub-Techniques tie the ATT&CK framework more closely to the methods and procedures attackers actually perform.
● You can create detections that map to a specific Sub-Technique.
● Detection coverage (like the ATT&CK Matrix in SSE) should in theory become more honest about the current coverage state.
Support for MITRE ATT&CK Software
ATT&CK Matrix / Security Content
● Available in SSE 3.2.2
● Filter the content list directly in Security Content
● Allows you to do threat modelling for things like ransomware and hacker tools
Support for ES Annotations
ES Correlation Search Page / Attached to ES Risk Objects
● Available in ES 6.3+
● The annotations are stored in action.correlationsearch.annotations in JSON format in the savedsearches.conf file.
● Enrichment data will be added to the Annotations Framework when scheduling a search through SSE.
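The coverage view on the ATT&CK Matrix slide and the annotations described here meet in savedsearches.conf. The script below is an added example, not SSE or ES code: it reads the JSON stored under action.correlationsearch.annotations from a constructed savedsearches.conf excerpt, validates the ATT&CK technique IDs, rolls sub-techniques up to their parent technique, and counts only searches that are enabled, so the resulting coverage reflects what is actually running rather than what is merely mapped. The annotation keys mitre_attack, kill_chain_phases, nist and cis20 are assumed to follow the ES Annotations framework naming; the search names, SPL and annotation values are constructed.

```python
"""Build an ATT&CK coverage view from ES correlation-search annotations.

Added example (not SSE's or ES's own code). Assumes only what the deck
states: ES keeps annotations as JSON in action.correlationsearch.annotations
inside savedsearches.conf. Everything in SAMPLE_CONF is constructed.
"""
import configparser
import json
import re
from collections import defaultdict

# Constructed savedsearches.conf excerpt. Key names inside the JSON
# (mitre_attack, kill_chain_phases, nist, cis20) are assumed to match
# the ES Annotations framework; search names and SPL are made up.
SAMPLE_CONF = """
[ESCU - Windows Encoded PowerShell Command - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process="*-enc*"
cron_schedule = 0 * * * *
enableSched = 1
disabled = 0
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1059.001", "T1027"], "kill_chain_phases": ["Exploitation"], "nist": ["DE.CM"], "cis20": ["CIS 8"]}

[Custom - Suspicious Scheduled Task - Rule]
search = index=wineventlog EventCode=4698
cron_schedule = */15 * * * *
enableSched = 1
disabled = 1
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1053.005"], "kill_chain_phases": ["Installation"]}

[Custom - Broken Annotation - Rule]
search = index=firewall action=blocked
enableSched = 1
disabled = 0
action.correlationsearch.annotations = {"mitre_attack": ["1059"]}
"""

ANNOTATION_KEY = "action.correlationsearch.annotations"
# ATT&CK technique IDs look like T1059 or, for a sub-technique, T1059.001.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def load_annotations(conf_text):
    """Return {search_name: {"enabled": bool, "annotations": dict, "errors": [str]}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(conf_text)
    result = {}
    for name in parser.sections():
        section = parser[name]
        entry = {"enabled": section.get("disabled", "0") != "1",
                 "annotations": {}, "errors": []}
        raw = section.get(ANNOTATION_KEY)
        if raw is None:
            entry["errors"].append("no annotations")
        else:
            try:
                ann = json.loads(raw)
                if not isinstance(ann, dict):
                    raise ValueError("annotations must be a JSON object")
                entry["annotations"] = ann
            except ValueError as exc:  # JSONDecodeError is a ValueError
                entry["errors"].append(f"annotations not valid JSON: {exc}")
        for tid in entry["annotations"].get("mitre_attack", []):
            if not TECHNIQUE_RE.match(tid):
                entry["errors"].append(f"bad ATT&CK id {tid!r}")
        result[name] = entry
    return result


def parent_technique(tid):
    """T1059.001 -> T1059; a plain technique maps to itself."""
    return tid.split(".")[0]


def attack_coverage(entries, include_disabled=False):
    """Map technique ID -> sorted names of searches that claim it.

    Disabled or mis-annotated searches are skipped unless include_disabled
    is set: a mapping to content that is not running is not real coverage.
    Sub-technique IDs are kept and also counted toward their parent.
    """
    coverage = defaultdict(set)
    for name, entry in entries.items():
        if entry["errors"] or (not entry["enabled"] and not include_disabled):
            continue
        for tid in entry["annotations"].get("mitre_attack", []):
            coverage[tid].add(name)
            coverage[parent_technique(tid)].add(name)
    return {tid: sorted(names) for tid, names in sorted(coverage.items())}


def coverage_gaps(entries, wanted):
    """Techniques from a wanted list (e.g. a threat-group profile) with no enabled detection."""
    covered = attack_coverage(entries)
    return sorted(t for t in wanted if t not in covered)


if __name__ == "__main__":
    found = load_annotations(SAMPLE_CONF)
    for name, e in found.items():
        print(name, "enabled" if e["enabled"] else "DISABLED", e["errors"])
    print(attack_coverage(found))
    print(coverage_gaps(found, ["T1059", "T1053.005", "T1566"]))
```

The disabled scheduled-task search still shows up under include_disabled=True, which is the distinction the Matrix makes between content you could enable and content that is actually covering a technique; the third stanza shows why validating the JSON matters, since a malformed technique ID silently contributes nothing.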
Automatic Content Updates
Update Notification / Content Updated
Using the Splunk Security Content API. No need to update any apps to have the latest detections.
NIST and CIS Mapping
Better industry framework support, available on the Content and Showcase pages.
Improvements to Content Mapping: supports 1-many mappings
Showcase page
● Manage mappings directly on the showcase page.
● Link multiple saved searches to one content card.
Improvements to Content Mapping: create custom content from a saved search
Content Mapping made more robust and supporting more scenarios
● Use a saved search as a template for new content in SSE.
● This will ensure notable event enrichment works in more scenarios.
● More robust enrichment lookup behavior
Improvements to Content Mapping: why is this important?
Showcase page / Incident Review
● Provides enrichment fields for Notable and Risk Events which are displayed on the ES Incident Review page.
● Content Mappings are the link between the SSE repository and what is actually running in production.
Minor 3.1 Content Improvements
● Added MITRE ATT&CK Platform (Cloud, SaaS etc.) to the Content and the MITRE Matrix dashboard
● Word export improved
● Major UI improvement for mapping Content in SSE to local correlation searches
● Many small UI improvements
Splunk Security Essentials 3.0
The Splunk app that makes security easier:
● Understands your data and your enabled content to make recommendations on what to deploy next.
● Helps you learn Splunk, learn security, and learn how most people start using Splunk for security.
● Improves your production deployments with MITRE ATT&CK and other tools.
● Documents and shows off your successes.
Appendix
Connecting Products to Data to Detections
Pipeline: Data Inventory Introspection → Data Inventory → Content → Dashboards → Correlation Search Introspection
● Data Source Categories (e.g., App-Aware FW)
● Sources / Sourcetypes / Indexes, with introspection metrics: Event Volume, Avg Event Size, # of Hosts, CIM Compliance, Ingest Latency
● Logical Products (e.g., PAN FW): Description, Coverage Level, (Configurable Metadata)
● Content: MITRE ATT&CK, Kill Chain, Categories
● Active Saved Search on System: <Push Content Metadata to ES>
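The following is an added example (not SSE's code) tying the Monitor Data Ingest and Track CIM Compliance slides to the introspection metrics listed in this appendix. Per sourcetype it computes event volume, average event size, host count, ingest lag as _indextime minus _time, and the share of events carrying the CIM fields a data model needs; it then flags detections whose sourcetype lags more than their lookback window or falls below a compliance threshold. It uses plain statistics rather than the Machine Learning Toolkit the slide mentions, and the events, required-field lists and detections are all constructed.

```python
"""Data-inventory introspection and impacted-detection check.

Added example, not SSE's own code and not using the Machine Learning
Toolkit. Events, CIM field lists and detections are constructed samples
shaped like what a search returning _time, _indextime, host, sourcetype,
_raw and extracted fields would hand back.
"""
from collections import defaultdict
from statistics import median

# Constructed events; the second Windows event deliberately lacks src and the
# firewall events arrive two hours after they happened.
EVENTS = [
    {"_time": 1000, "_indextime": 1030, "host": "dc01", "sourcetype": "WinEventLog:Security",
     "_raw": "x" * 400, "user": "alice", "action": "success", "src": "10.0.0.5"},
    {"_time": 1060, "_indextime": 1090, "host": "dc02", "sourcetype": "WinEventLog:Security",
     "_raw": "x" * 420, "user": "bob", "action": "failure"},
    {"_time": 1000, "_indextime": 8200, "host": "fw1", "sourcetype": "pan:traffic",
     "_raw": "x" * 250, "src": "10.0.0.5", "dest": "8.8.8.8", "action": "allowed"},
    {"_time": 1500, "_indextime": 8700, "host": "fw1", "sourcetype": "pan:traffic",
     "_raw": "x" * 260, "src": "10.0.0.6", "dest": "1.1.1.1", "action": "blocked"},
]

# Fields a detection expects populated, per CIM data model (constructed subset).
CIM_REQUIRED = {
    "Authentication": ["user", "action", "src"],
    "Network_Traffic": ["src", "dest", "action"],
}

# Constructed detections: the sourcetype each reads, the data model it needs
# and how far back each scheduled run looks, in seconds.
DETECTIONS = [
    {"name": "Brute force by source", "sourcetype": "WinEventLog:Security",
     "datamodel": "Authentication", "lookback_s": 3600},
    {"name": "Outbound to known bad IP", "sourcetype": "pan:traffic",
     "datamodel": "Network_Traffic", "lookback_s": 3600},
]


def data_inventory(events, cim_required):
    """Per-sourcetype metrics: volume, avg size, hosts, ingest lag, CIM compliance."""
    by_st = defaultdict(list)
    for ev in events:
        by_st[ev["sourcetype"]].append(ev)
    inventory = {}
    for st, evs in by_st.items():
        lags = [ev["_indextime"] - ev["_time"] for ev in evs]
        compliance = {}
        for model, fields in cim_required.items():
            # An event is compliant for a model only if every required field is present.
            ok = sum(all(ev.get(f) not in (None, "") for f in fields) for ev in evs)
            compliance[model] = ok / len(evs)
        inventory[st] = {
            "event_count": len(evs),
            "avg_event_size": sum(len(ev["_raw"]) for ev in evs) / len(evs),
            "host_count": len({ev["host"] for ev in evs}),
            "lag_median_s": median(lags),
            "lag_max_s": max(lags),
            "cim_compliance": compliance,
        }
    return inventory


def impacted_detections(detections, inventory, min_compliance=0.9):
    """Detections whose data arrives too late for their window or fails CIM checks.

    Rule of thumb: if worst-case ingest lag exceeds the lookback window, a
    scheduled run can finish before the events it should have matched are
    searchable, so the detection silently misses them.
    """
    problems = {}
    for det in detections:
        inv = inventory.get(det["sourcetype"])
        reasons = []
        if inv is None:
            reasons.append("no data for sourcetype")
        else:
            if inv["lag_max_s"] > det["lookback_s"]:
                reasons.append(f"max lag {inv['lag_max_s']}s exceeds lookback {det['lookback_s']}s")
            comp = inv["cim_compliance"][det["datamodel"]]
            if comp < min_compliance:
                reasons.append(f"{det['datamodel']} compliance {comp:.0%} below {min_compliance:.0%}")
        if reasons:
            problems[det["name"]] = reasons
    return problems


if __name__ == "__main__":
    inv = data_inventory(EVENTS, CIM_REQUIRED)
    for st, metrics in inv.items():
        print(st, metrics)
    print(impacted_detections(DETECTIONS, inv))
```

The two failure modes land on different detections: the authentication search has fresh data but half its events lack the src field its logic keys on, while the firewall search has well-formed events that are indexed two hours late, longer than its one-hour lookback. Both would run without error and produce nothing, which is why lag and CIM compliance are tracked alongside coverage.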
SSE Overview Deck - Swedish User Group.pdf

  • 1. © 2022 SPLUNK INC. Splunk Security Essentials Johan Bjerke Principal Security Strategist | SURGe
  • 2. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved. Forward- Looking Statements © 2022 SPLUNK INC.
  • 3. © 2022 SPLUNK INC. Agenda 1. What is Splunk Security Essentials (SSE) 2. Finding Content 3. How do you deploy Content? 4. Dashboarding and Reporting
  • 4. © 2022 SPLUNK INC. What Is SSE?
  • 5. © 2022 SPLUNK INC. Widely Deployed Today 120k Over 12,000 downloads 14k Over 14,000 reporting installs 40 40 releases 4 Essentials has been around for four years Proven and Stable
  • 6. © 2022 SPLUNK INC. Four Pillars Finding Content Learning Splunk Security Improve Production Measure Your Success Four ways in which SSE has delivered value to users
  • 7. © 2022 SPLUNK INC. Finding Content
  • 8. © 2019 SPLUNK INC. Security Content Library Browse, bookmark, and deploy 900+ security detections and analytic stories ● Repository of Security Content for Splunk Cloud, Enterprise Security, UEBA, and Phantom ● Deploy security content within clicks ● Enrich notable events and run analytics with context from content library ● Stay up to date on existing and emerging threats
  • 9. © 2022 SPLUNK INC. How do you deploy content?
  • 10. © 2019 SPLUNK INC. How do you deploy content? ● Showcase page with all details for content ● List and configure all prerequisites ● Run search ● Schedule content
  • 11. © 2022 SPLUNK INC. Dashboarding and Reporting
  • 12. © 2022 SPLUNK INC. MITRE ATT&CK Throughout App ATT&CK Descriptions in Incident Review and risk framework Enrich Enterprise Security View which detections handle techniques used by which Threat Groups, w/ MITRE's evidence MITRE Threat Groups Content Recommendations tied to techniques popular amongst many threat groups MITRE-based Content Advice Drilldown to a customized ATT&CK Matrix, correlate risky events across Tactics, Techniques Analyze ES Risk w/ ATT&CK ATT&CK Matrix highlighting gaps and showing content you can enable for free with existing data View Your ATT&CK Coverage Utilization Made Easier
  • 13. © 2022 SPLUNK INC. MITRE ATT&CK Matrix See what techniques you have or don't have coverage for. Drill-down to see those detections. Annotate with threat groups that target you, or filter for techniques popular with many groups. Considering a new data source? Highlight the techniques it supports.
  • 14. © 2022 SPLUNK INC. Automatic Dashboards Alternative to Alerts Driven by what data is in your environment, and follows all of Splunk's dashboard technical best practices
  • 15. © 2022 SPLUNK INC. Monitor Data Ingest Understand Lag, and Impacted Detections Powered by Splunk's Machine Learning Toolkit
  • 16. © 2022 SPLUNK INC. Track CIM Compliance Ensure Data Formatting SSE will analyze the most important CIM fields and evaluate whether your data matches.
  • 17. © 2022 SPLUNK INC. How do you report enhancements or bugs?
  • 18. © 2022 SPLUNK INC. Feedback ● If you are a customer - file a support ticket to get help. https://www.splunk.com/support ● If you want to report enhancements, use https://ideas.splunk.com/ ● Use the public Slack workspace, https://splunk-usergroups.slack.com/archives/C1S5BEF38
  • 19. © 2022 SPLUNK INC. What’s New by version
  • 20. © 2022 SPLUNK INC. What’s new in 3.3 ● New showcase template for content coming from Security Content API (ESCU) ● Custom bookmark status support ● Official documentation site on docs.splunk.com launched ● Added Zero Trust as a category ● Search multiple MITRE ATT&CK techniques on the Security Content page ● The ES Use Case Library is now populated and maintained by the app. ● Now a fully supported app! Full release notes
  • 21. © 2022 SPLUNK INC. What’s new in 3.3 Easy to operationalize New fields from API included Security Content fully represented in SSE
  • 22. © 2022 SPLUNK INC. Custom status for Bookmarks What’s new in 3.3 Official Docs site on Splunk.com
• 23. What's new in 3.3 ● Zero Trust as a category ● Search multiple MITRE ATT&CK techniques on the Security Content page
• 24. What's new in 3.3 ● The ES Use Case Library is now populated and maintained by SSE
• 25. What's new in 3.3 ● Now fully supported!
• 26. What's new in 3.2 ● MITRE ATT&CK sub-techniques fully supported for the content and the Analytics Advisor ● ATT&CK Software object added to the Analytics Advisor and Security Content ● Support for the Annotations framework in ES 6.3+ ● Security Content from the Splunk Research team (i.e. ESCU) is automatically downloaded into SSE using the Splunk Security Content API, so SSE is automatically up to date with the latest content ● NIST/CIS mapping support for the detections ● Major UI improvements for mapping content in SSE to local correlation searches
• 27. MITRE ATT&CK Sub-Techniques: What's new in 3.2 ● ATT&CK Matrix and Security Content: all content has been re-mapped to the new sub-technique IDs ● Sub-techniques provide a more granular link between a detection a
• 28. MITRE ATT&CK Sub-Techniques: Why is this important? ● Sub-techniques make the ATT&CK framework more closely linked to the methods and procedures that attackers will actually perform ● You can better create detections that map to a specific sub-technique ● Detection coverage (like the ATT&CK Matrix in SSE) should in theory become more honest about the current coverage state
• 29. Support for MITRE ATT&CK Software (ATT&CK Matrix, Security Content) ● Available in SSE 3.2.2 ● Filter the content list directly in Security Content ● Allows you to do threat modelling for things like ransomware and hacker tools
• 30. Support for ES Annotations (ES Correlation Search page; attached to ES risk objects) ● Available in ES 6.3+ ● The annotations are stored in action.correlationsearch.annotations in JSON format in the savedsearches.conf file ● Enrichment data will be added to the Annotations framework when scheduling a search through SSE
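The annotation storage described on slide 30 and the coverage view on slide 13, as an added Python example that is not part of the SSE deck or the SSE app: it parses a constructed savedsearches.conf, decodes the JSON blob stored in action.correlationsearch.annotations, and summarizes which ATT&CK techniques are covered by enabled correlation searches versus only by disabled ones, which is the gap a coverage matrix makes visible. The JSON key names mitre_attack, nist, cis20 and kill_chain_phases follow the convention used by ESCU content and are an assumption here; the stanza names and the conf text are constructed for the example.

```python
"""Added example (not part of the SSE deck or the SSE app): read the
ES-style annotations SSE writes into savedsearches.conf and turn them
into an ATT&CK technique coverage summary.

Assumptions (labelled): the JSON key names "mitre_attack", "nist",
"cis20" and "kill_chain_phases" follow the ESCU convention; the
savedsearches.conf text below is constructed, not from a real deployment.
"""
import configparser
import json
from collections import defaultdict

# Constructed sample savedsearches.conf content (not from a real system).
SAMPLE_SAVEDSEARCHES_CONF = """
[Example - Suspicious PowerShell - Rule]
disabled = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = Suspicious PowerShell
action.correlationsearch.annotations = {"mitre_attack": ["T1059.001"], "nist": ["DE.CM"], "cis20": ["CIS 8"], "kill_chain_phases": ["Exploitation"]}

[Example - Brute Force Logins - Rule]
disabled = 1
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1110", "T1110.001"], "nist": ["DE.CM", "PR.AC"]}

[Example - Plain Report]
disabled = 0
search = index=main | stats count
"""

ANNOTATION_KEY = "action.correlationsearch.annotations"


def parse_annotations(conf_text):
    """Return {stanza: (enabled, annotations_dict)} for every stanza that
    carries an annotations blob. Malformed JSON is reported per stanza
    rather than silently dropped, so a broken annotation is visible."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names exactly as written in .conf
    parser.read_string(conf_text)
    result = {}
    for stanza in parser.sections():
        raw = parser.get(stanza, ANNOTATION_KEY, fallback=None)
        if raw is None:
            continue  # ordinary saved search, no annotations to evaluate
        try:
            annotations = json.loads(raw)
        except json.JSONDecodeError as exc:
            result[stanza] = (False, {"error": str(exc)})
            continue
        disabled = parser.get(stanza, "disabled", fallback="0").strip().lower()
        result[stanza] = (disabled not in ("1", "true"), annotations)
    return result


def technique_coverage(parsed):
    """Map each ATT&CK technique / sub-technique ID to the searches that
    reference it, split into enabled and disabled lists."""
    coverage = defaultdict(lambda: {"enabled": [], "disabled": []})
    for stanza, (enabled, annotations) in parsed.items():
        for technique in annotations.get("mitre_attack", []):
            coverage[technique]["enabled" if enabled else "disabled"].append(stanza)
    return dict(coverage)


def searches_missing(parsed, key):
    """Searches whose annotations lack a framework key (e.g. "nist");
    notables raised by them would carry no enrichment for that framework."""
    return sorted(s for s, (_, a) in parsed.items() if "error" not in a and key not in a)


def coverage_summary(conf_text):
    """Techniques covered by at least one enabled search, and techniques
    for which content exists but every search is disabled."""
    cov = technique_coverage(parse_annotations(conf_text))
    covered = sorted(t for t, v in cov.items() if v["enabled"])
    only_disabled = sorted(t for t, v in cov.items() if not v["enabled"] and v["disabled"])
    return {"covered": covered, "available_but_disabled": only_disabled}


if __name__ == "__main__":
    print(coverage_summary(SAMPLE_SAVEDSEARCHES_CONF))
    print("missing cis20:", searches_missing(parse_annotations(SAMPLE_SAVEDSEARCHES_CONF), "cis20"))
```

On a real search head the same logic would run over the merged view of savedsearches.conf rather than one file, since app-level and local stanzas layer on top of each other.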
• 31. Automatic Content Updates ● 1: Update notification ● 2: Content updated ● Using the Splunk Security Content API, there is no need to update any apps to have the latest detections
• 32. NIST and CIS Mapping: Better Industry Framework Support ● Available on Content and Showcase pages
• 33. Improvements to Content Mapping: Showcase page supports 1-to-many mappings ● Manage mappings directly on the showcase page ● Link multiple saved searches to one content card
• 34. Improvements to Content Mapping: Content mapping made more robust and supporting more scenarios ● Create custom content from a saved search: use a saved search as a template for new content in SSE ● More robust enrichment lookup behavior: this will ensure notable event enrichment works in more scenarios
• 35. Improvements to Content Mapping: Why is this important? ● Content mappings are the link between the SSE repository and what is actually running in production ● They provide the enrichment fields for notable and risk events that are displayed on the ES Incident Review page (showcase page and Incident Review)
• 36. Minor 3.1 Content Improvements ● Added MITRE ATT&CK Platform (Cloud, SaaS etc.) to the content and the MITRE Matrix dashboard ● Word export improved ● Major UI improvement for mapping content in SSE to local correlation searches ● Many small UI improvements
• 37. Splunk Security Essentials 3.0: The Splunk app that makes security easier ● Understands your data and your enabled content to make recommendations on what to deploy next ● Helps you learn Splunk, learn security, and learn how most people start using Splunk for security ● Improves your production deployments with MITRE ATT&CK and other tools ● Documents and shows off your successes
• 38. Appendix
• 39. Connecting Products to Data to Detections (architecture diagram) ● Data Source Categories (e.g., App-Aware FW) ● Sources / Sourcetypes / Indexes: event volume, average event size, number of hosts, CIM compliance, ingest latency ● Logical Products (e.g., PAN FW): description, coverage level, (configurable metadata) ● Content: MITRE ATT&CK, Kill Chain, Categories ● Active Saved Search on System (push content metadata to ES) ● Diagram labels: Data Inventory Introspection, Data Inventory, Content Dashboards, Correlation Search Introspection