https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413959#M9876 <P>Keep in mind that Splunk Enterprise Security and Splunk Security Essentials are two different things.</P> <UL> <LI><A href="https://splunkbase.splunk.com/app/263/">Splunk Enterprise Security</A> - Splunk Enterprise Security is the nerve center of the security ecosystem, giving teams the insight to quickly detect and respond to internal and external attacks, simplify threat management minimizing risk. </LI> <LI><A href="https://splunkbase.splunk.com/app/3435/">Splunk Security Essentials</A> - Showcase of many security examples possible with Splunk</LI> </UL> Mon, 29 Jul 2019 16:25:34 GMT sloshburch 2019-07-29T16:25:34Z https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413957#M9874 <P>Just curious if there is any documentation to help understand the best practices to use Splunk Enterprise as a SIEM for Security Professionals / SOC analysts.</P> <P>Or if anyone has any input, that would be appreciated as well. </P> <P>I have been evaluating Splunk Security Essentials, which I've been using to create dashboards.</P> Thu, 25 Jul 2019 17:14:17 GMT https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413957#M9874 aking76 2019-07-25T17:14:17Z https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413958#M9875 <P>You might find some relevant information about best practices and use cases in the recordings of previous Splunk user conference sessions: <A href="https://conf.splunk.com/watch/conf-online.html?search=siem#/">https://conf.splunk.com/watch/conf-online.html?search=siem#/</A> .</P> Thu, 25 Jul 2019 17:20:38 GMT https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413958#M9875 ChrisG 2019-07-25T17:20:38Z https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413959#M9876 <P>Keep in mind that Splunk Enterprise Security and Splunk Security Essentials are two different things.</P> <UL> <LI><A href="https://splunkbase.splunk.com/app/263/">Splunk Enterprise Security</A> - Splunk Enterprise Security is the nerve center of the security ecosystem, giving teams the insight to quickly detect and respond to internal and external attacks, simplify threat management minimizing risk. </LI> <LI><A href="https://splunkbase.splunk.com/app/3435/">Splunk Security Essentials</A> - Showcase of many security examples possible with Splunk</LI> </UL> Mon, 29 Jul 2019 16:25:34 GMT https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413959#M9876 sloshburch 2019-07-29T16:25:34Z https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413960#M9877 <P>Lots of splunk searches, explanations, and mappings to MITRE ATT&amp;CK here: <A href="https://splunkbase.splunk.com/app/3449/">https://splunkbase.splunk.com/app/3449/</A></P> <P>the app is updated regularly by splunk's security research team.</P> Mon, 29 Jul 2019 19:33:01 GMT https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413960#M9877 mmerza_splunk 2019-07-29T19:33:01Z https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413961#M9878 <OL> <LI>Enrich your data with asset &amp; user information where possible (Enterprise Security has this built in)</LI> <LI>Build alerts with a specific use case in mind - mmerza mentioned MITRE ATT&amp;CK and rightfully so, but it doesn't contain all uses cases you may want to look for</LI> <LI>Use the CIM &amp; datamodel acceleration</LI> <LI>Link alerts to playbooks/response plans</LI> <LI>It's only as good as the data you feed it but don't just put data in without an idea of how it will be used</LI> </OL> <P>I guess the overall theme is whatever you do, do it with a plan.</P> Mon, 29 Jul 2019 21:16:15 GMT https://community.splunk.com/t5/Security/Splunk-as-a-SIEM-Best-Practices-for-Security-Professionals/m-p/413961#M9878 wenthold 2019-07-29T21:16:15Z