Splunk Security


Splunk Security is a set of well-integrated products: Splunk Enterprise Security (Splunk ES), which is the Splunk SIEM; Splunk SOAR; User Behavior Analytics (UBA); and a variety of Observability tools. Splunk SOAR in particular brings a lot of power, especially when you push the boundaries of automation toward fully automated detect-and-respond scenarios with multiple phases and tasks. Finally, consider Splunk the platform in the middle of your infrastructure that removes much of the complexity.

Splunk Security is a security detection and monitoring platform that leverages machine data and other data sources, including non-security data, to produce security insights that improve your security posture. One significant benefit of Splunk Security is that it can ingest data from every source and combine it in one platform that covers all of your security requirements.


Preliminary Information: Useful Links to Relevant Content

For pre-information, you may find the following helpful:

  1. Security Automation
  2. Observability vs. Monitoring
  3. Network Visibility
  4. Ansible Architecture
  5. Ansible Tower


Splunk Security

Splunk products:

  • Splunk Enterprise Security (Splunk ES): the Splunk SIEM
  • Splunk SOAR: low-code playbooks
  • Observability tools
  • Splunk Enterprise: search and ingest


  • A key point: Video on Splunk Security

In this product demonstration video, we address Splunk Security, looking in particular at the Splunk SIEM and Splunk SOAR. Both products are well blended and abstract much of the complexity you face with security. We first look at today’s challenging landscape that security teams encounter, and then at how you can use Splunk products to overcome these challenges.



A Key Point: Knowledge Check 

  • A key point: Back to basics with Splunk Monitoring

Splunk is software for monitoring, searching, analyzing, and visualizing real-time machine-generated data. This tool can monitor and read several log files and store data as events in indexers. In addition, it uses dashboards to visualize data in various forms. Splunk is commonly thought of as “a Google for log files” because, like Google, you can use Splunk to define the state of a network and the activities taking place within it. It is a centralized log management tool but works well with structured and unstructured data.


Security Challenges

Security Teams are under pressure.

Security teams face diverse challenges, from repetitive tasks to cumbersome processes. They struggle with constant alerts and the time-consuming nature of manual investigations, not to mention the array of tools distributed throughout the organization. Hundreds of security alerts a day are more than analysts can fully investigate and resolve. As a result, security operations work is rife with monotonous, routine, and repetitive tasks, and it lacks integration and process.


Lack of integration and process

Some security teams built their log analytics and incident response capabilities from the ground up. However, such a custom-made logging tool requires manually assembling correlated logs across too many custom-built and siloed point products. Teams are expected to juggle disconnected security tools consisting of static, independent controls with little or no integration.

In the current environment, many security teams must establish workflows and standard operating procedures for different security events; only with these in place can analysts act quickly and decisively when responding to an attack. However, the real problem is the manual process, especially manual scripting.


Issues of scripting 

When using traditional scripting for automation, challenges arise in carrying out this capability across many security vendors. Each vendor may change the API for its product, so the automation scripts must change too, leading to management and maintenance challenges. Most teams will only partially be able to integrate and create an automated workflow, and the difficult-to-maintain processes leave analysts short of context.


Diagram: Splunk Security


Security Threats

Phishing, Ransomware, and Supply Chain

We have a rapidly changing threat landscape that includes everything from phishing to the proliferation of malware, supply chain attacks, and ransomware. Ransomware has been pervasive since it first appeared and has grown considerably since early strains such as WannaCry. So we have a ransomware wave with many ransomware families that encrypt in different ways.

Remember that ransomware applies malware to many endpoints simultaneously, so if your network design uses extensive macro segmentation with no intra-segment filtering, ransomware can compromise all hosts that hold valuable assets. It will endeavor to destroy backups, perform data exfiltration, and then corrupt the data. Once the ransomware binaries have executed and encryption starts, it is game over.

How might the adversary hop from one machine to another without exploiting vulnerabilities? Some long-established tactics are well known: remotely creating WMI processes, scheduling tasks, and creating services. However, they often go unseen, so you should focus on detection. For ransomware, we have about a 5-day window, and you will not catch them with a manual process within such a short time.
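The three tactics just named can each be watched for in Windows telemetry. The following is an added example, not part of the original article or of any Splunk product, that runs simple detection rules over a few constructed Windows and Sysmon event records (hosts, users, and paths are invented): a service installed from a temp directory (System log event 7045), a process spawned by the WMI provider host (Sysmon event 1 with a WmiPrvSE.exe parent), and a new scheduled task (Security log event 4698). Grouping the hits by account shows one account touching several hosts, which is the pattern worth escalating.

```python
"""Detection rules for the remote-execution tactics named in the text.
Added example; the events below are constructed key=value records, not real logs."""
import re
from collections import defaultdict

# Constructed sample events shaped like flattened Windows / Sysmon records.
SAMPLE_EVENTS = [
    'time=2024-05-01T10:00:01 host=WS01 channel=System EventCode=7045 '
    'ServiceName="svc_abc" ImagePath="C:\\Windows\\Temp\\abc.exe" AccountName="CORP\\jdoe"',
    'time=2024-05-01T10:00:05 host=WS01 channel=Microsoft-Windows-Sysmon/Operational EventCode=1 '
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" User="CORP\\jdoe"',
    'time=2024-05-01T10:00:09 host=WS02 channel=Security EventCode=4698 '
    'TaskName="\\Updater" SubjectUserName="jdoe"',
    'time=2024-05-01T10:01:00 host=WS03 channel=Microsoft-Windows-Sysmon/Operational EventCode=1 '
    'Image="C:\\Program Files\\App\\app.exe" ParentImage="C:\\Windows\\explorer.exe" User="CORP\\asmith"',
    'time=2024-05-01T10:02:00 host=WS04 channel=System EventCode=7045 '
    'ServiceName="Dell Update" ImagePath="C:\\Program Files\\Dell\\du.exe" AccountName="NT AUTHORITY\\SYSTEM"',
]

# key=value with optional double-quoted values
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one record into a field dictionary."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_wmi_spawn(e):
    # Process creation whose parent is the WMI provider host: the shape of
    # remote WMI process creation.
    return e.get("EventCode") == "1" and e.get("ParentImage", "").lower().endswith("wmiprvse.exe")


def is_new_scheduled_task(e):
    # Security log 4698: a scheduled task was created.
    return e.get("EventCode") == "4698"


def is_new_service(e):
    # System log 7045: a service was installed. Only services whose binary lives
    # in a temp or user-writable path are flagged; vendor paths under Program
    # Files are treated as the benign baseline (an assumption of this example).
    path = e.get("ImagePath", "").lower()
    return e.get("EventCode") == "7045" and ("\\temp\\" in path or "\\users\\" in path)


RULES = [
    ("remote_wmi_process", is_wmi_spawn),
    ("scheduled_task_created", is_new_scheduled_task),
    ("suspicious_service_install", is_new_service),
]


def detect(lines):
    """Return (rule_name, host, user) for every event that matches a rule."""
    hits = []
    for line in lines:
        e = parse_event(line)
        user = e.get("User") or e.get("AccountName") or e.get("SubjectUserName", "")
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.get("host", ""), user))
    return hits


def hosts_by_actor(hits):
    """Group touched hosts per account (domain prefix stripped). One account
    reaching several hosts through these tactics is the lateral-movement pattern."""
    out = defaultdict(set)
    for _, host, user in hits:
        out[user.split("\\")[-1].lower()].add(host)
    return {u: sorted(h) for u, h in out.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(hosts_by_actor(found))
```

In a real deployment each predicate would be a correlation search over the indexed events; the point of the grouping step is that the individual events look routine, and the signal is one account producing them on more than one host within a short window.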


Diagram: Splunk Enterprise Security. The threats.


  • A key point: Easy to evade; Malware is polymorphic 

Despite innovations like next-generation anti-malware solutions, threat intelligence feeds, and government collaboration initiatives and mandates such as zero trust, many of these attack techniques evade even the most innovative security tools today. For example, malware is polymorphic and programmed to avoid common signatures and rules, and we know that the perimeter-based defense mechanisms have not worked for a while now.


  • A key point: Hard to respond quickly and understand thoroughly

Detecting and responding to security events quickly takes a lot of work. A security analyst can spend hours on a single alert; multiply that by the hundreds of security alerts they deal with daily. For example, it is common for an analyst to spend 90 minutes on average investigating and containing a single phishing alert.

On top of that, a SOC could receive hundreds of phishing emails in a given day. Security analysts are overwhelmed with phishing alerts to investigate and respond to, and processing each one manually takes too long to stop the potential threat from causing damage. Phishing emails are therefore a great starting point for Splunk SOAR to respond automatically with low-code playbooks.

Diagram: Splunk ES.


Businesses also frequently add contractors and others with privileged access to networks, so it becomes tough to know whether everyone complies with the security policies and best practices or whether there are hidden risks in these activities. As a result, they face new challenges around secure configuration, software vulnerabilities, compliance, and maintaining an audit trail of access and activity.


Splunk Security & Splunk ES: The Way Forward

Data Integration and Automated Response

So you need to design security around data and build an approach to detect and respond to those risks. This requires a platform that can not only collect the data but also gain valuable insights from it. Of course, many platforms can collect data, but turning that data into valuable security insights is an entirely different challenge. Therefore, data integration and automated response will play a more significant role in security. This is where Splunk Enterprise Security (Splunk ES), the Splunk SIEM, and Splunk SOAR can assist.

We can’t stop every attack, and you will get breached even after adopting the most robust zero-trust principles. All we can do is find ways to mitigate the risks, and to do so promptly. Splunk has a variety of security products that can help you do this.

One of the most critical ways to evolve and stay ahead is to look at data and derive helpful security insights that can help you detect and respond to known, unknown, and advanced threats and fully use automation and orchestration to improve your security posture.




Splunk Enterprise Security and Splunk SOAR

Automation is changing how teams traditionally use a Splunk SIEM. Splunk SOAR and Splunk Enterprise Security ( Splunk ES ) complement each other very well and allow us to improve security capabilities. So now we have a platform approach to security to fulfill diverse security use cases.


Introduction to Splunk SOAR

Splunk SOAR: Orchestration and automation  

The prime components of Splunk SOAR are automation and orchestration. With orchestration and automation, you will better support product-level workflows that allow security teams to automate complex processes across disparate products.

Introducing automation and orchestrating workflows and responses across your security stack enables each previously siloed security product to participate more actively and seamlessly in your defense strategy. So we still have the individual tools, but Splunk SOAR sits in the middle, orchestrating the events for each device with playbooks.

A Splunk SOAR tool can easily thread together the intelligence from multiple devices within the SOC, enriching alert data and surfacing it in a single interface. In addition, there is a playbook visualizer, so you can easily chain security tasks together.


Diagram: Splunk SOAR


  • A key point: Integrating existing security infrastructure

By automating the data collection and enrichment process from various sources, the analyst can see valuable details related to the alert as soon as it surfaces. This boosts your defenses by integrating existing security infrastructure, creating a mesh of more difficult-to-penetrate protection.

Splunk SOAR supports 350+ third-party tools and 2,400+ actions so that you can connect and coordinate workflows across teams and tools. This increases the speed of your investigation and response and unlocks value from previous investments. We will have a look at these playbooks in just a moment.


Introduction to Splunk Enterprise Security ( Splunk ES & Splunk SIEM )

Splunk Enterprise Security, the Splunk SIEM technology, is typically deployed to perform the following security activities:



  1. Discover external and internal threats. This will help you detect compromised credentials and privileged attacks.
  2. Monitor users’ activities and specific types of users, such as those with privileged access and access to critical data assets. For example, this will help you see whether users are using the sysadmin tool PsExec or other tools to move laterally through the network.
  3. Monitor server and database resource access and offer some data exfiltration monitoring capabilities. This can help you detect the moments before ransomware starts to encrypt your files.
  4. Support compliance requirements and provide compliance reporting.
  5. Provide analytics and workflow to support incident response, orchestrate and automate actions and workflows by integrating with other tools such as the SOAR.


Splunk ES & Splunk SIEM: The Value of Machine Data for Security

Splunk ES can complete these activities by gathering and turning unstructured data into valuable meaning. For example, to understand the evidence of an attack and the movement of an attack in an organization, we need to turn to machine data. Armed with that data, security teams can remediate known threats better and proactively respond to new threats in real time to minimize any potential damage to the organization.


  • Machine data and monitoring

Data can come in many forms, such as standard logs. By ingesting your application logs into the Splunk SIEM, you can determine, for example, the latency of your application or the raw error rate of your web server. This can be carried out with a simple SPL query. Then there is the security use case, which is our main concern: machine data can tell you where a specific attack is coming from or how many login attempts result from invalid user names.

Machine data is everywhere and flows from all the devices we interact with, making up around 90% of today’s data. And harnessing this data can give you powerful security insights. However, machine data can be in many formats, such as structured and unstructured. As a result, it can be challenging to predict and process.


Splunk SIEM. How Splunk can leverage Machine Data

This is where the Splunk SIEM comes into play: it can take any data and create an intelligent, searchable index, adding structure to previously unstructured data. This allows you to extract all sorts of insights, which can be helpful for security and user behavior monitoring. In the case of Splunk Enterprise Security (Splunk ES), it helps you get to know your data very quickly. Splunk is a big data platform for machine data: it collects raw unstructured data and converts it into searchable events.


  • Splunk ES and Splunk SIEM Stage: Aggregates and Analyzes event data 

SIEM technology aggregates and analyzes the event data produced by security devices, network infrastructure, systems, and applications. The primary data source has been time-series log data, but SIEM technology is evolving to process and leverage other forms of data.


  • Any source of data

At the heart of Splunk is the Index, and data gets ingested into the Index from virtually any source. As data enters Splunk Enterprise Security, Splunk examines it to understand how to process it and, when it finds a match, labels the data with a source type. The Index contains your machine data from various servers, network devices, and web applications.

The resulting events are stored in the Splunk Index. Once the events are in the Index, they can be searched, so you can find events that contain particular values across multiple data sources and run analysis and statistics on them using the Splunk search language.
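To make the ingest-to-search path concrete, here is an added example (not Splunk code; a small stand-in written for this article) that does in Python what the paragraphs above describe: raw lines from two sources are matched against source type patterns, fields are extracted into events, and the events are searched and summarised for the two use cases mentioned earlier, web-server error rate and latency, and failed logins. The log lines are constructed, and the trailing latency field on the web-server lines is an assumed custom field, not part of the standard combined format.

```python
"""Minimal index: source typing, field extraction, search and statistics.
Added example with constructed log lines; not Splunk's implementation."""
import re
from collections import Counter

# Constructed raw machine data: web-server access lines and sshd auth lines in one feed.
RAW_FEED = [
    '10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 0.120',
    '10.0.0.6 - - [01/May/2024:10:00:02 +0000] "POST /api/order HTTP/1.1" 500 87 1.900',
    'May  1 10:00:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 5122 ssh2',
    '10.0.0.7 - - [01/May/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9001 0.030',
    'May  1 10:00:05 web01 sshd[1201]: Failed password for invalid user oracle from 203.0.113.9 port 5130 ssh2',
    'May  1 10:00:06 web01 sshd[1203]: Accepted password for deploy from 10.0.0.20 port 44000 ssh2',
    '10.0.0.5 - - [01/May/2024:10:00:07 +0000] "GET /login HTTP/1.1" 503 0 0.010',
]

# Source type definitions: a recogniser regex whose named groups become event fields.
# The final "latency" number on the web lines is an assumed custom field.
SOURCETYPES = {
    "access_combined": re.compile(
        r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
        r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<latency>[\d.]+)$'),
    "linux_secure": re.compile(
        r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
        r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)'),
}


def ingest(lines):
    """Turn raw lines into events: {'_raw', 'sourcetype', extracted fields...}."""
    index = []
    for line in lines:
        for sourcetype, rx in SOURCETYPES.items():
            m = rx.match(line)
            if m:
                event = {"_raw": line, "sourcetype": sourcetype}
                event.update(m.groupdict())
                index.append(event)
                break
        else:
            # No recogniser matched: keep the raw event, searchable by text only.
            index.append({"_raw": line, "sourcetype": "unknown"})
    return index


def search(index, **where):
    """Exact field filter, like 'sourcetype=access_combined status=500' in SPL."""
    return [e for e in index if all(e.get(k) == v for k, v in where.items())]


def web_error_rate(index):
    """Share of web requests answered with a 5xx status."""
    web = search(index, sourcetype="access_combined")
    errors = [e for e in web if e["status"].startswith("5")]
    return len(errors) / len(web) if web else 0.0


def avg_latency(index):
    web = search(index, sourcetype="access_combined")
    return sum(float(e["latency"]) for e in web) / len(web) if web else 0.0


def failed_logins_by_src(index):
    """Count failed SSH logins per source address (the security use case)."""
    return Counter(e["src"] for e in search(index, sourcetype="linux_secure", result="Failed"))


if __name__ == "__main__":
    idx = ingest(RAW_FEED)
    print("error rate:", web_error_rate(idx))
    print("avg latency:", avg_latency(idx))
    print("failed logins:", failed_logins_by_src(idx))
```

The two summaries correspond to what an SPL search with a stats command would produce; the design point is that the security question (failed logins per source) and the operational question (error rate) run against the same index, which is the page's argument for putting non-security data into the SIEM.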

Diagram: SOAR Splunk


Splunk ES and Splunk SIEM Stage: Searching and Analysis

Once data is ingested into the Index, it is available for searching and analysis. You can then save search results as reports, which can power dashboard panels. The value comes not just from tools that sift through the volume of alerts and distractions: analysts must find the cause, impact, and best resolution across all infrastructure elements, including applications, networks, devices, and human users.


Splunk ES and Splunk SIEM Stage: Notable Events and Incident Review

Splunk Enterprise Security allows you to streamline the incident management process. Consolidating incident management will enable effective lifecycle management of security incidents. This, in turn, enables rapid decision-making. Here we automatically align all security contexts together for fast incident qualification. 


Splunk ES and Splunk SIEM Stage: Event Correlation Rule Management

With Splunk Security, we have a framework for rule management where we can manage all correlation rules across the system.


Detailed Information on Splunk SOAR 

Low-code playbooks

Splunk SOAR uses automated playbooks to orchestrate and execute actions across different point products, automating repetitive tasks, investigation, and response. To carry out the automation, we have several playbooks that are considered low-code. Implementing low-code “playbooks” allows for the codification of processes where automation can be applied to improve consistency and save time.


  • A key point: Actions based on the Playbooks

Then we can have a list of actions based on the playbook results. This could include further investigation tasks or notifying users. Finally, when you want to push the borders of automation, there could be several steps to isolate or quarantine hosts depending on the results of the previous playbooks; these would be integrated with multi-factor authentication to ensure the action is appropriately authorized.


  • A key point: Phases and Task

So we have noted low-code playbooks and how they can be used to automate tasks and merge with security tools and other Splunk products. All of this is done with workbooks and phases. We can have a single workbook with several tasks to complete, and on executing these tasks, we can quickly start a separate phase or even a different workbook.


Diagram: Splunk SOAR


Splunk SOAR Integration with Other Products

So, you want to perform a containment action. This is where the SOAR platform can, for example, use Carbon Black, with manual, semi-automatic, or fully automatic execution. Or you can use Zscaler for containment. So there are several additional products that SOAR can integrate with.

In this scenario, there will be one phase, and several playbooks in that single phase. Some playbooks can be triggered automatically, and some are invoked manually. Some of those invoked manually will also prompt for additional information.

These tasks will be semi-automatic because they can automatically import data for you and enrich events from several platforms. This phase, which consists of a Risk Investigate workbook, is used as your initial triage.


Splunk SOAR Playbook Examples

Splunk SOAR Example: Phishing Investigation and Response

A typical phishing email investigation begins with analyzing the initial data and searching for artifacts. Some artifacts to investigate include attachments within the email, phishing links disguised as legitimate URLs, email headers, the sender’s email address, and even the entire email content.


  • Phishing Investigate and Respond Playbook 

In this use case, we will highlight the Phishing Investigate and Respond Playbook that automatically investigates and contains incoming phishing emails. The Playbook has a total of 15 actions available. Once Splunk SOAR receives a phishing email alert from a third-party source (e.g., fetching email directly from the mail server), it will automatically kick off the Playbook and begin analyzing the following artifacts: file reputation, URL reputation, and Domain Reputation.

Suppose during the investigation phase, the file, URL, IP address, or domain seems suspicious. In that case, the Playbook will use the predetermined parameters to decide to contain the threat by deleting the email from the user’s inbox.
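As an added illustration of the investigate-then-contain flow described above (this is example code written for this article, not the Splunk SOAR playbook itself), the block below parses a constructed phishing email, extracts the artifacts named in the text (sender domain, URLs, attachment hash), looks each up in constructed reputation tables that stand in for threat-intelligence services, and applies a predetermined rule: any malicious verdict deletes the mail, a merely suspicious one escalates to an analyst.

```python
"""Phishing investigate-and-respond flow. Added example; the email, the
attachment bytes and the reputation tables are all constructed."""
import base64
import hashlib
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed attachment content (plain text standing in for a binary).
ATTACHMENT_BYTES = b"MZ fake binary payload for illustration"

# Constructed RFC 822 message with one link in the body and one attachment.
SAMPLE_EMAIL = (
    'From: "IT Support" <support@corp-helpdesk.example>\n'
    "To: jdoe@corp.example\n"
    "Subject: Password expires today\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your password expires today. Reset it at http://corp-login.example/reset?u=jdoe\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="invoice.exe"\n'
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(ATTACHMENT_BYTES).decode() + "\n"
    "--b1--\n"
)

# Constructed reputation tables standing in for file, URL and domain reputation services.
URL_REPUTATION = {"http://corp-login.example/reset?u=jdoe": "malicious"}
DOMAIN_REPUTATION = {"corp-login.example": "malicious", "corp-helpdesk.example": "suspicious"}
FILE_REPUTATION = {hashlib.sha256(ATTACHMENT_BYTES).hexdigest(): "malicious"}

URL_RE = re.compile(r'https?://[^\s<>"]+')


def extract_artifacts(raw):
    """Pull sender domain, URLs, URL domains and attachment hashes out of the mail."""
    msg = message_from_string(raw)
    sender = msg["From"] or ""
    addr = re.search(r"<([^>]+)>", sender)
    sender_addr = addr.group(1) if addr else sender
    artifacts = {"sender": sender_addr, "urls": [], "domains": set(), "hashes": {}}
    artifacts["domains"].add(sender_addr.split("@")[-1])
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            artifacts["hashes"][part.get_filename()] = hashlib.sha256(payload).hexdigest()
        else:
            for url in URL_RE.findall(payload.decode("utf-8", "replace")):
                artifacts["urls"].append(url)
                artifacts["domains"].add(urlparse(url).hostname)
    return artifacts


def enrich(artifacts):
    """Attach a reputation verdict to every artifact (unknown when not listed)."""
    return {
        "url": [(u, URL_REPUTATION.get(u, "unknown")) for u in artifacts["urls"]],
        "domain": [(d, DOMAIN_REPUTATION.get(d, "unknown")) for d in sorted(artifacts["domains"])],
        "file": [(n, FILE_REPUTATION.get(h, "unknown")) for n, h in artifacts["hashes"].items()],
    }


def decide(verdicts, contain_on=("malicious",)):
    """Predetermined parameters: a verdict in contain_on triggers deleting the
    mail from the inbox; 'suspicious' only escalates to an analyst."""
    flat = [v for kind in verdicts.values() for _, v in kind]
    if any(v in contain_on for v in flat):
        return "delete_email"
    if "suspicious" in flat:
        return "escalate_to_analyst"
    return "close_as_benign"


def run_playbook(raw):
    artifacts = extract_artifacts(raw)
    verdicts = enrich(artifacts)
    return {"artifacts": artifacts, "verdicts": verdicts, "action": decide(verdicts)}


if __name__ == "__main__":
    result = run_playbook(SAMPLE_EMAIL)
    print(result["verdicts"])
    print("action:", result["action"])
```

The containment threshold is deliberately a parameter of decide(): in a real playbook that is the knob an analyst tunes, for instance adding "suspicious" to contain_on for a high-risk user population.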


  • Phishing Investigate and Respond Playbook

  • CrowdStrike Malware Triage Playbook

  • C2 Investigate and Contain Playbook

  • Recorded Future Indicator Enrichment Playbook

  • Recorded Future Correlation Response Playbook


Splunk SOAR Example: Endpoint Malware Triage

Although endpoint detection and response (EDR) or endpoint protection platform (EPP) tools can help monitor any suspicious activity within endpoints in your organization’s systems, these tools can generate many alerts — some of which could be false positives, while others are legitimate threats. Fortunately, a SOAR tool can orchestrate decisions and actions to investigate, triage quickly, and respond to this high volume of alerts, filtering out the false positives, determining the risk level, and reacting accordingly.


  • CrowdStrike Malware Triage Playbook

It enriches the alert detected by CrowdStrike and provides additional context for determining the severity. Once all the information is collected, the analyst is prompted to review it. Based on the analyst’s choice, the file in question can be added to the custom indicators list in CrowdStrike with a detection policy of “detect” or “none.” The endpoint can optionally be quarantined from the network by the analyst.


Splunk SOAR Example: Command and Control with Investigation and Containment

  • C2 Investigate and Contain Playbook

As soon as an alert for a command and control attack surfaces, Splunk SOAR will start the C2 Investigate and Contain Playbook. This Playbook is designed to perform the investigative and potential containment steps to handle a command-and-control attack scenario properly. It will extract file and connection information from a compromised virtual machine, enrich it, and then take containment actions depending on the significance of the information. Significant information includes files with threat scores greater than 50 and IP addresses with reputation status “MALICIOUS,” among other attributes.
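The thresholds in the paragraph above (file threat score greater than 50, IP reputation MALICIOUS) and the manual, semi-automatic, and automatic execution modes mentioned in the Splunk SOAR integration section can be shown together. The following is an added example written for this article, not Splunk SOAR's playbook code; the file and connection records "extracted from the compromised VM" are constructed, and the approve callback stands in for the analyst prompt that gates containment in semi-automatic mode.

```python
"""C2 investigate-and-contain flow with an investigate phase and a gated
contain phase. Added example with constructed findings; not Splunk SOAR code."""
from dataclasses import dataclass, field

# Constructed findings from a compromised host (hashes are placeholders).
EXTRACTED_FILES = [
    {"path": "C:\\Users\\Public\\svchost32.exe", "sha256": "aa" * 32, "threat_score": 87},
    {"path": "C:\\Program Files\\Vendor\\agent.exe", "sha256": "bb" * 32, "threat_score": 12},
    {"path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dl.bin", "sha256": "cc" * 32, "threat_score": 50},
]
EXTRACTED_CONNECTIONS = [
    {"dst_ip": "198.51.100.23", "dst_port": 443, "reputation": "MALICIOUS"},
    {"dst_ip": "192.0.2.10", "dst_port": 80, "reputation": "SUSPICIOUS"},
    {"dst_ip": "203.0.113.45", "dst_port": 53, "reputation": "UNKNOWN"},
]

FILE_SCORE_THRESHOLD = 50  # "threat scores greater than 50" in the text


@dataclass
class PlaybookRun:
    phase_log: list = field(default_factory=list)   # phases entered, in order
    proposed: list = field(default_factory=list)    # containment actions the investigation justifies
    executed: list = field(default_factory=list)    # actions actually carried out


def investigate(files, connections, run):
    """Phase 1 (always automatic): keep only the significant findings."""
    run.phase_log.append("investigate")
    for f in files:
        if f["threat_score"] > FILE_SCORE_THRESHOLD:
            run.proposed.append(("quarantine_file", f["sha256"]))
    for c in connections:
        if c["reputation"] == "MALICIOUS":
            run.proposed.append(("block_ip", c["dst_ip"]))
    return run


def contain(run, mode="semi-automatic", approve=None):
    """Phase 2: 'automatic' executes every proposal; 'semi-automatic' executes
    only those the approve(action) callback accepts (the analyst prompt);
    'manual' records the proposals for a human and executes nothing."""
    run.phase_log.append("contain")
    for action in run.proposed:
        if mode == "automatic":
            run.executed.append(action)
        elif mode == "semi-automatic" and approve is not None and approve(action):
            run.executed.append(action)
    return run


def c2_playbook(files, connections, mode="semi-automatic", approve=None):
    """Run both phases; the contain phase is skipped when nothing is significant."""
    run = PlaybookRun()
    investigate(files, connections, run)
    if run.proposed:
        contain(run, mode, approve)
    return run


if __name__ == "__main__":
    # Semi-automatic: an analyst who approves network blocks but wants to look
    # at file quarantines first.
    run = c2_playbook(EXTRACTED_FILES, EXTRACTED_CONNECTIONS,
                      approve=lambda action: action[0] == "block_ip")
    print("proposed:", run.proposed)
    print("executed:", run.executed)
```

Note that a score of exactly 50 and a SUSPICIOUS reputation are not acted on; the text's thresholds are strict, and the example keeps them that way so that the proposed list only contains what the playbook could defend executing unattended.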


Splunk SOAR Example: Alert Enrichment

Indicators of Compromise

When investigating security alerts, you must first look at the indicators of compromise (IOCs), such as IP address, URL, user name, domain, hash, and other relevant criteria. This helps determine the severity of the alert. Many analysts manually dive into the data to search for additional context or hop between different threat intelligence platforms to gather more information.


  • Recorded Future Indicator Enrichment Playbook 

The Recorded Future Indicator Enrichment Playbook enriches ingested events that contain file hashes, IP addresses, domain names, or URLs. Contextualizing these details with relevant threat intelligence and IOCs helps accelerate the investigation. Recorded Future is a security intelligence platform that provides additional context for analysts to respond to threats faster.


  • Recorded Future Correlation Response Playbook 

The Recorded Future Correlation Response Playbook gathers more context about the relevant network indicators in response to a Splunk correlation search. Once there’s enough context, the Playbook automatically blocks access upon an analyst’s approval. By comparing traffic monitoring data with Recorded Future bulk threat feeds, Splunk identifies high-risk network connections and forwards them to Splunk SOAR. 

Splunk SOAR queries Recorded Future for details about why the network indicators are on the threat list and presents a decision to the analyst about whether the IP addresses and domain names should be blocked.

This example uses Layer 4 Traffic Monitoring by Cisco WSA as the network monitoring data source. Cisco Firepower NGFW and Cisco Umbrella can enforce blocking actions at the perimeter using DNS sinkholes. Once the analyst has secured network access via the Recorded Future Correlation Response Playbook, Splunk SOAR can trigger a second playbook to investigate, hunt, and block a URL.


  • Zscaler Hunt and Block URL Playbook

When a suspicious URL is detected, the Zscaler Hunt and Block URL Playbook can identify internal devices that have accessed that URL and triage the organizational importance of those devices. 

Then, depending on the maliciousness of the URL and whether or not the affected device belongs to an executive in the organization, the URL will be blocked, and an appropriate ServiceNow ticket will be created. This Playbook is supported via VirusTotal, Zscaler, Microsoft Exchange, ServiceNow, Splunk, and Carbon Black. Use these pre-built playbooks to help your team save time by tracking down malicious indicators, so they can spend more time addressing critical tasks.
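As an added example (written for this article, not the vendor playbook), the block below models the hunt-and-block sequence above: find the devices that requested a URL in constructed proxy access records, rank them by whether an executive owns the device according to a constructed asset inventory, block the URL when its verdict is malicious, and build a ticket payload. The verdict table stands in for a URL reputation lookup, and the ticket dictionary is an assumed shape, not the ServiceNow API.

```python
"""Hunt devices that accessed a URL, triage by asset importance, block and ticket.
Added example; all records, inventory entries and verdicts are constructed."""

# Constructed proxy access records (what a hunt for a URL would return).
PROXY_RECORDS = [
    {"device": "LT-0412", "user": "ceo", "url": "http://bad-site.example/landing", "ts": "2024-05-01T09:10:00"},
    {"device": "LT-0777", "user": "jdoe", "url": "http://bad-site.example/landing", "ts": "2024-05-01T09:12:00"},
    {"device": "LT-0901", "user": "asmith", "url": "https://intranet.example/", "ts": "2024-05-01T09:13:00"},
    {"device": "LT-0777", "user": "jdoe", "url": "http://bad-site.example/landing/2", "ts": "2024-05-01T09:15:00"},
]

# Constructed asset inventory: device -> owner and role.
ASSET_INVENTORY = {
    "LT-0412": {"owner": "ceo", "role": "executive"},
    "LT-0777": {"owner": "jdoe", "role": "staff"},
    "LT-0901": {"owner": "asmith", "role": "staff"},
}

# Constructed URL verdicts standing in for a reputation service.
URL_VERDICTS = {
    "http://bad-site.example/landing": "malicious",
    "http://bad-site.example/landing/2": "malicious",
}


def hunt_devices(url, records):
    """Devices that requested the URL itself or any sub-path under it."""
    prefix = url.rstrip("/") + "/"
    return sorted({r["device"] for r in records if r["url"] == url or r["url"].startswith(prefix)})


def role_of(device, inventory):
    return inventory.get(device, {}).get("role", "unknown")


def triage(devices, inventory):
    """Order affected devices so executive-owned ones come first."""
    return sorted(devices, key=lambda d: (role_of(d, inventory) != "executive", d))


def hunt_and_block(url, records, inventory, verdicts):
    """Return the verdict, affected devices, actions taken and the ticket payload."""
    verdict = verdicts.get(url, "unknown")
    devices = hunt_devices(url, records)
    actions, ticket = [], None
    if verdict == "malicious":
        actions.append(("block_url", url))
        executive_hit = any(role_of(d, inventory) == "executive" for d in devices)
        # Assumed ticket shape; priority is escalated when an executive device is involved.
        ticket = {
            "short_description": f"Malicious URL {url} accessed by {len(devices)} device(s)",
            "priority": "critical" if executive_hit else "high",
            "affected_devices": triage(devices, inventory),
        }
    return {"verdict": verdict, "devices": devices, "actions": actions, "ticket": ticket}


if __name__ == "__main__":
    print(hunt_and_block("http://bad-site.example/landing", PROXY_RECORDS, ASSET_INVENTORY, URL_VERDICTS))
```

The hunt matches sub-paths as well as the exact URL because a phishing landing page rarely sits at a single path; the asset lookup is the step that turns a list of hostnames into a prioritised queue for the analyst.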



Matt Conran: The Visual Age