security

Splunk Enterprise Security (ES) solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of organizations’ security postures with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises or hybrid deployment models. Splunk ES enables you to: 

- Conquer alert fatigue with high-fidelity Risk-Based Alerting.
- Bring visibility across your hybrid environment with multicloud security monitoring.
- Conduct flexible investigations for effective threat hunting across security, IT and DevOps data sources.

Splunk ES is a premium security solution requiring a paid license.

Splunk Enterprise Security

Get started with Splunk for Security with Splunk Security Essentials (SSE). Explore security use cases and discover security content to start address threats and challenges. 

Security Content Library
Find security content for Splunk Cloud and Splunk's SIEM and SOAR offerings and deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. 

Cybersecurity Frameworks
Identify gaps in your defenses and take control of your security posture with automatic mapping of data and security detections to MITRE ATT&CK® and Cyber Kill Chain® framework.

Data and Content Introspection
Gain visibility of the data coming into your environment to add context and telemetry to security events. Enrich your security detections with metadata and tags from the Security Content Library.

Security Data Journey
Get prescriptive security and data recommendations and establish a data strategy to develop a security maturity roadmap. 

Learn more:
Download the Product Brief : https://www.splunk.com/pdfs/product-briefs/splunk-security-essentials.pdf
Try out Splunk Security Essentials: https://www.splunk.com/en_us/form/splunk-security-essentials-online-demo.html
Check out the Documentation site: https://docs.splunk.com/Documentation/SSE

Splunk Security Essentials

SA-Investigator is an extension that integrates with Splunk Enterprise Security.  It provides a set of views based on the asset, identity or file/process values.  Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a specific entity without having to open multiple dashboards and enter in criteria to start a search.  Workflow actions that allow pivoting from Incident Review are also included.

NOTE: If you modify any of the five investigators (views), any modifications will be written to the local directory. Upgrades will NOT overwrite the local directory so if you are upgrading, the local views will need to be deleted. To ensure you do not lost any customizations, please backup your local directory views prior to upgrading and then apply your modifications after upgrade.

SA-Investigator for Enterprise Security

This is a Splunk application containing several hunting dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.

You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found in the details

Required actions after deployment:
Make sure the threathunting index is present on your indexers
Edit the macro's to suit your environment
Install the required addons
Install the lookup csv's or create them yourself, empty csv's are here >  https://github.com/olafhartong/ThreatHunting/raw/master/files/ThreatHunting.tar.gz

More documentation is available at >  https://github.com/olafhartong/threathunting/wiki

This app is maintained on GitHub > https://github.com/olafhartong/threathunting

ThreatHunting

detect

This app is used to supplement your data with information from VirusTotal.
The custom command ` | virustotal ` (bundled with this app) uses the `https://www.virustotal.com/vtapi/v2/file/report`
endpoint to communicate with the VirusTotal API.

This TA can be installed on the search head. No additional manual steps are required in distributed environments,
as the app only interacts with search-time functionality ( lookups and scheduled searches ).

This Add-on has been tested (and installed) on Splunk Cloud.

We're using GitLab to both share our source code and track issues (bugs or feature requests), please use it freely: https://gitlab.com/ecs_public_projects/splunk/TA-VirusTotal

VirusTotal Malware Lookup for Splunk

TruSTAR integration for TruSTAR + Enterprise Security Customers.   

Note:  The TruSTAR product is no longer sold by Splunk.  

Installation Docs:  

https://docs.splunk.com/Documentation/SIM/current/Apps/Splunk#Integrate_Splunk_Intelligence_Management_with_Splunk_Enterprise_Security_deployments_to_improve_detection_and_triage

(video) Using this app to improve detection & triage:  https://lantern.splunk.com/Splunk_Product_Learning_Guides/Splunk_Int_Mgmt/UnifiedApp_UseCase?mt-learningpath=intelmgmtunifiedappconfig#


** Notes to SplunkCloud SRE:
- This app must be installed on Enterprise Security searchheads  (NOT IDM), and includes a modinput, which must be allowed to run on the searchhead.  This app will not work on an IDM, indexer, or a search head which does not have Enterprise Security.  
- This app's modinput contains checks to ensure that it will only run on the cluster Captain when installed on an ES SHC.  
- The modinput fetches cyber threat observables from TruSTAR's REST API and posts them to the searchheads' kvstores using the kvstore "batch_save" endpoint, not an index as most modinputs do.  This is why it must run on the searchheads, not an IDM.  There is no config option that would allow the user to tell the modinput to post the observables to that endpoint on a different host, it's hard-coded to post to "localhost".
- This app is compatible with ES SHC, but its ES SHC compatibility is implemented in a way which requires replicating "inputs.conf" from all Splunk apps on the stack to all nodes in the SHC  by setting "conf_replication_include.inputs = true" in "server.conf".   This is standard for all Splunk apps created using Splunk's Addon Builder.  If this behavior is problematic for other Splunk apps on the user's SHC, user will need to decide which app they prefer to use:  TruSTAR Unified or the app with which that conflicts.  See SINT-3685 for more details / information. 
- The app contains modactions that need to be available on all ES SHC nodes, so the app needs to be installed on all SHC nodes. 


References for exceptions to "no modinputs on SHs policy":  
- Case #1685202 "Vet and Install TruSTAR App for Splunk ES."   (Circa April 7, 2020) (TruSTAR App for Splunk ES was this app's predecessor)
- Case # 2646540

TruSTAR Unified

enrich

This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data

CrowdStrike OAuth API

This app supports email ingestion and various investigative actions over IMAP

IMAP

This app integrates with JIRA to perform several ticket management actions

Jira

This app connects to Office 365 using the MS Graph API to support investigate and generic actions related to the email messages and calendar events

MS Graph for Office 365

This app provides the ability to send email using SMTP

SMTP

This app integrates with Splunk to update data on the device, in addition to investigate and ingestion actions

Splunk

This app supports executing investigative actions to analyze files and URLs on Joe Sandbox

Joe Sandbox v2

This app supports various identity management actions on Okta

Okta

This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response