Splunk Security Essentials
Overview
Details
Find more detail on the SSE Website: https://www.splunksecurityessentials.com/
And the docs site: https://docs.splunksecurityessentials.com/
FIND THE BEST CONTENT
The #1 goal of Splunk Security Essentials is to help you find the best content. SSE ships with 120+ correlation searches spanning from basic SIEM to detecting advanced adversaries. Everything is mapped to the Kill Chain and MITRE ATT&CK. But we didn’t stop there! SSE includes all of the content from Enterprise Security, ES Content Update, and User Behavior Analytics, all mapped to the same frameworks and other filters as everything in the app. The Analytics Advisor shows gaps where you could immediately turn on detections for the data you already have. We even include a customized MITRE ATT&CK Matrix that overlays active detections and what is available to deploy with the data already onboard!
LEARN SPLUNK FOR SECURITY
Whether you’re new to Splunk or new to security, Splunk Security Essentials helps you get up to speed faster by providing you useful information at the right time. The detections in the app include line-by-line SPL documentation that show why they use the search commands they do, and each detection includes lots of context such as the security impact, how to implement it, how to respond when it fires, and known false positives.
IMPROVE YOUR PRODUCTION DEPLOYMENT
We built a variety of tools into SSE to help your deployment be successful. The app enables you to understand your active security detections whether they're out-of-the-box, or custom content specific to your organization. The Data Introspection feature tracks what data is present in your environment and helps connect those products to the detections they enable. We'll even look at check your CIM compliance, data latency, and we’ll improve your ES installation with MITRE ATT&CK detail and a dashboard using the ES Risk Framework to find high risk users or systems.
MEASURE YOUR ENVIRONMENT
For those of us more used to technical work, demonstrating the business value of security can be tricky. Splunk Security Essentials can help all users by enabling simple audit-friendly reports on enabled correlation searches (even including your custom content) and tying bytes of data ingest to the detections they power. Some customers have used the MITRE ATT&CK Matrix to justify bringing on new data sources, and SSE has dashboards that specifically let you show how you could fill gaps by bringing on new data sources.
Splunk Security Essentials now has a full Docs site:
- Main Website: https://www.splunksecurityessentials.com/
- Main Docs Site: https://docs.splunksecurityessentials.com/
- Installation Docs: https://docs.splunksecurityessentials.com/install/
- User Guides: https://docs.splunksecurityessentials.com/user/
- Release Notes: https://docs.splunksecurityessentials.com/release-notes/changelog/
Release Notes
Version 3.0.6
Fix for mitremap command content_available flag
Fix for loading partner content from external sources
Version 3.0.5
* Fixed a bug relating to introspection button not appearing
* Fixed DS mapping bug
* Fixed bug loading partner content from external sources
* Few other small fixes and tweaks
Version 3.0.3
Version 3.0.3 Release Notes:
* Hopefully knocked out the last big data introspection bug, which impacted environments with lots of cardinality in the source field. Please see the troubleshooting link below if your system is in an unhappy state.
* Also knocked out lots of other bugs!
If your data inventory wouldn't complete successfully with version 3.0.2 or earlier, upgrade to 3.0.3 and then reset your configuration by walking through the steps detailed here: https://docs.splunksecurityessentials.com/technical-details/troubleshooting/#data-inventory-introspection
Version 3.0.2
3.0.2 Release Notes:
* Critical Bug Fix for Older Splunk Releases (Linux/OSX 7.0 and earlier, Win maybe all 7.3 and earlier)
* Fix for minor error that threw a warning on all releases
* Improved debugging capability
Version 3.0.1
3.0.1 Release Notes
* Python3 Compatibility in anticipation of future Splunk releases
* Numerous bug fixes
* A Partner Framework
Version 3.0.0
Release Notes:
SSE 3.0 is a huge release! Check https://docs.splunksecurityessentials.com/whatsnew for all the details, and check out https://www.splunksecurityessentials.com/ for the new website!
Here are some of the highlights:
* New Home Page and major UX overhaul, with tours showing you how to configure everything in the app
* Extensive documentation and detail of UBA and ESCU content
* Content recommendation dashboards for MITRE ATT&CK and RBA
* Azure and GCP content
* Promoting Beta functionality, including the Analytics Advisor dashboards, and Data Inventory
* MLTK-powered Data Availability Dashboard
* CIM Compliance Check Dashboard
* Enough bug fixes to qualify us as entomologists
* Docs site and Web Site! https://www.splunksecurityessentials.com
This release had a ton of contributors. Thank you to all of them! https://docs.splunksecurityessentials.com/release-notes/contributors/
Version 2.5.2
Release Notes:
* 2.5.1 introduced a bug that slowed page load significantly. 2.5.2 undoes that, and also halves earlier page load times!
* Misc other small bug fixes
Version 2.5.1
2.5.1 Release Notes:
- Two important bug fixes related to data introspection (issue with migration from 2.4, and a race condition if you clicked Start Introspection very quickly)
- Ten new sourcetypes auto-detected!
- Modal from the showcase pages for MITRE tactics / techniques / groups. Click on the MITRE buttons to get details and drill-downs.
- Fix for ESCU drilldown if ES was version 5.0 or 5.1
- Fix for auto-update navigation. (Previously would have missed “custom content” and maybe not worked for some edge cases)
Version 2.5.0
Release Notes for 2.5.0:
- Updated Data Inventory Dashboard
- Correlation Search Introspection
- Data Availability Dashboard (MLTK!)
- Inclusion of Phantom Content
- Updates to the Analytics Advisor Content
- MITRE ATT&CK Integration into ES
- Automatic Update of MITRE ATT&CK
- Setup Menu
Version 2.4.2
2.4.2 Release Notes:
* Added MITRE Threat Groups as a custom filter on the main contents page! This is based on MITRE ATT&CK Techniques -> Groups, defined in MITRE Enterprise ATT&CK
* Several bug fixes:
* One user reported that no content would load across the entire app due to kvstore query issues
* Three users reported that some javascript would not load due to inexplicably requesting files over http instead of https
* Also fixed the cosmetic on-restart warnings created by the sankey app
* Add a check for local default.xml and manually add beta content if present
* Other small fixes
* Added support for users who host Splunk on a custom root endpoint e.g. https://ssloffload/splunk/ (you whacky kids)
Version 2.4.1
SSE 2.4 Release Notes:
* Major New Feature (Beta): Data Inventory
* Major New Feature (Beta): Analytics Advisor Dashboards
* Major Enhancements: Bookmarking
* MITRE ATT&CK Technique-level Mapping
* Improved the Security Contents local Search Engine
* Re-implementation of | sseanalytics search command
* Security Data Journey now goes up and to the right!
* Numerous bugs fixed
* 2.4.1: Accidental Google Translated Japanese files removed!
See full release notes: https://davidveuve.com/apps/splunk-security-essentials/release-notes/ or the "What's New in 2.4" in the app!
Major thank you to everyone who contributed to this release!
Version 2.4.0
SSE 2.4 Release Notes:
* Major New Feature (Beta): Data Inventory
* Major New Feature (Beta): Analytics Advisor Dashboards
* Major Enhancements: Bookmarking
* MITRE ATT&CK Technique-level Mapping
* Improved the Security Contents local Search Engine
* Re-implementation of | sseanalytics search command
* Security Data Journey now goes up and to the right!
* Numerous bugs fixed
See full release notes: https://davidveuve.com/apps/splunk-security-essentials/release-notes/ or the "What's New in 2.4" in the app!
Major thank you to everyone who contributed to this release!
Version 2.3.1
2.3.1 Release Notes
* Numerous Windows TA 5 bug fixes (missed a specific format before, thank you to those on answers who pointed out the problem!)
* Few Bug Fixes for the new 2.3 Dashboarding feature
* The main page no longer says "What's New in 2.2" with outdated info, it now says "What's New in 2.3" with updated info!
Version 2.3.0
Version 2.3 Release:
* Dashboard Panels! Not only will you find a collection of dashboard panels on several commonly used examples, but from the Data Source Check you can click the new "Create Posture Dashboards" button and it will guide you through creating a series of dashboards that provide visibility into your environment based on the data sources you already have. Great for those who want to periodically look at dashboards instead of getting alerts!
* More complete mapping of Mitre and Kill Chain
* Several bug fixes
Version 2.2.0
Version 2.2 Release Notes:
* 25 New Detections, many focused around Insider Threat, but including two for ES Risk, and that new Microsoft Scheduler Zero-Day reported on twitter!
* Improved Print-to-PDF Export from the Bookmarked Content page!
* Improved integrations with ES and ESCU, and content from UBA, for users who also have those products.
* Many bugs resolved and functionality improved!
Version 2.1.1
Version 2.1.1 Release Notes:
- Splunk 7.1 Compatibility!
- New search bar (type in the name of something you're looking for, such as "lockout" to find everything related to Account Lockouts) courtesy of elasticlunr.js add-in.
- Bookmark "Print" view now dramatically cleaner and better
- Several UI tweaks
- Several bugs squashed
Version 2.1.0
Version 2.1.0 Release Notes:
- New Bookmark Feature! Track content that you would like to implement, and even your implemenation status. Security Essentials is no replacement for a full project tracking system, but we'll help you remember what you care about, and help you get started with building it out!
- Four New Examples:
- Public S3 Buckets (CloudTrail)
- Connection to a new Domain
- Old Passwords in Use
- Unusual AWS Regions
- New Use Case Analytics dashboard (called simply: Overview)
- Expanded GDPR Content (description, screenshots, visualizations, oh my!)
- Many bug fixes and formatting improvements
Version 2.0.0
Major overhaul for Splunk Security Essentials 2.0.
* All content mapped to meaningful use cases. No more looking at log sources, now focus based on Security Monitoring or Insider Threat!
* 10+ Data Onboarding Guides to walk you through getting data in, including the configuration of third party systems
* 40+ new examples, with live and usable searches covering AWS, GDPR, basic Security Monitoring, and Ransomware!
* Integrated mapping of entire Splunk Security ecosystem, including analytics in ES, ESCU, UBA, and Professional Services.
* All examples oriented to a Security Journey, to help you focus on what to do first, second, and after that.
* Complete overhaul of the UI to be more usable and intuitive.
Note: There are a *ton* of code changes in this release, and sometimes splunkweb gets funny with that. If you do notice any behavior that doesn't seem right, try telling Splunk to use the latest copy by going to /en-US/_bump.
Version 1.4.6
Version 1.4.6 Release Notes:
* Fixed a couple of major 7.0 bugs (sorry)
* One outstanding issue with saving High Cardinality use cases
Version 1.4.5
Splunk 7.0 Note: There are a couple of big bugs with the app in Splunk 7.0. 1.4.5 doesn't work in 7.0, but 1.4.6 will! It's awaiting review at the moment, and we will have it out shortly.
Version 1.4.5 Release Notes:
* Several small bug fixes, including the pre-requisite checks for the demo data on distributed environments (thank you to tkreiner on answers for the bug report!)
* A checkbox now requires that you acknowledge "I Understand" instead of "I Do Not Understand" before continuing, in one of the most unusual bug reports of my career.
Version 1.4.4
Version 1.4.4 Release Notes:
* Several small bug fixes, including the pre-requisite checks for the demo data on distributed environments (thank you to tkreiner on answers for the bug report!)
* A checkbox now requires that you acknowledge "I Understand" instead of "I Do Not Understand" before continuing, in one of the most unusual bug reports of my career.
Version 1.4.3
1.4.3 Release Notes:
* Now doesn't trigger virus scanners! (Turns out a lot of vbscript can confuse some scanners)
* Adjusted the user for SFDC data to Chris, instead of Chuck
* Few small bug fixes
Version 1.4.2
1.4.2 Release Notes
* Fixed a bug with the Schedule Alert functionality in the Search Based Use Cases where the expected box didn't appear.
Version 1.4.1
1.4.1 Release Notes:
* Added anonymized_box_logs.csv -- this is an orphaned dataset you can use to generate a custom Detect Spikes use case. Go explore, or come to SplunkLive DC this Thursday (03/23) to walk through it with me live.
* Fixed a few live searches, and many pre-req searches that were missing index=* -- thank you {I didn't ask permission to use your name} for reporting that bug on the recent downloader survey!
* Fixed the broken pre-reqs for the Emails with Lookalike Domains use case.
Version 1.4.0
1.4.0 Release Notes
- New Data Source Check dashboard showcased! See what use cases you can run with the data you have today -- explore if there are use cases you can't run that you would like to!
- Added Docs + Support to the Nav Menu
- Wide array of small fixes and adjustments.
Version 1.3.2
1.3.2 Release Notes:
- Added a debug capability to the new Data Source Check dashboard -- just add ?debug=true to the URL (e.g., /app/Splunk_Security_Essentials/data_source_check?debug=true) to get a text box that you can send me to help debug. (SSE Diags are on the roadmap)
- Added docs and support links to the nav -- support just pointing to Splunk Answers
- Small bug fixes to six pre-req searches (Thank you Andreas!)
1.3.1 New Features:
- Six new use cases for Salesforce.com Event Log Format data!
- New Data Check dashboard (currently in beta) that will look through all of your data and then run all of the data source pre-req checks. It's not currently on the dashboard, but if you're interested check out the details page to see more. https://splunkbase.splunk.com/app/3435/#/details
1.3.0 New Features:
- Added Filters that breakdown use cases not just by security domain, but also by data source, alert volume, and the app version when that use case was added.
Version 1.3.1
1.3.1 Release Notes:
- Six new use cases for Salesforce.com Event Log Format data!
- New Application Accessing Salesforce.com API for User
- New High Risk Event Types for Salesforce.com User
- New Tables Queried by Salesforce.com Peer Group
- New Tables Queried by Salesforce.com User
- Spike in Downloaded Documents Per User from Salesforce.com
- Spike in Exported Records Per User from Salesforce.com
- New Data Check dashboard (currently in beta) that will look through all of your data and then run all of the data source pre-req checks. It's not currently on the dashboard, but if you're interested check out the details page to see more. https://splunkbase.splunk.com/app/3435/#/details
- Misc Bug Fixes
Version 1.3.0
Happy #RSAC Everyone!
Version 1.3.0 Release Notes:
- Added Filters that breakdown use cases not just by security domain, but also by data source, alert volume, and the app version when that use case was added.
- Fixed a few small display bugs
- Fixed a bug where the app had an embarrassingly error leading to pre-req checks marked as present when they weren't
Version 1.2.0
1.2.0 Release:
* Four new email use cases centered around phishing victims
* One new use case that detects if a particular sourcetype (e.g., security software) goes offline while the rest of the system is online.
* Major enhancement to the new lookup caching, in the form of the "Create Blank Lookup" button
* Several small bug fixes
Version 1.1.1
1.1.1 Release Notes:
* Changed the Success/Error/Processing for the data checks to icons, so that people won't accidentally miss them!
* Fixed bug with the demo lookup cache, along with a few other small UI bugs.
Version 1.1.0
1.1.0 Release Notes:
* Major New Feature: For First Seen Detections, you can cache historical results in a lookup, allowing searches to run dramatically faster in exchange for disk space. (30x performance improvement would be common)
* Several bugs fixed (thank you to andreasz for finding, and also proposing fixes to a few errors!)
Version 1.0.3
1.0.3 Release Notes:
* Removed two features that weren't actually implemented. Thank you andreasz for the discovery!
Version 1.0.2
1.0.2 Release Notes:
* New Logo
* Enhancement: you can now click Show SPL even if you don't have the data models (or data) present, to make it easy to copy-paste searches into production.
Version 1.0.1
1.0.1 Release Notes:
* Fixed a bug that affected distributed deployments (no impact to the deployment, but prevented the app from working)
* New Logo
Version 1.0
Initial Release