Looking to adopt splunk as SIEM tool for my company

cloudinfra — Sun, 05 May 2024 21:30:13 GMT

Hello community members,

I am looking to use splunk as a SIEM tool for my company. Let me brief about our IT infra.

1) We use Azure , AWS & some onpremise servers. Most of our resources like VMs and services are on Azure.

2) Want a security kind of dashboard where SOC team can view and report on threats of network, web, servers etc.

3) I am not sure on the products that offers by splunk which is most relevant to me.

4) I am definitely want to go with cloud based solution instead of setting up splunk on virtual machine.

I am not sure if splunk has cloud based colsole or not.

5) Please help me with some best industry practices to deploy splunk. Also, share the way steps, guide, video to deploy the same.

6) Is there any way I can setup a zoom(online) meeting call with splunk to understand product. On support page of splunk page I did not find any option to request for product understanding.

looking to get community support.

Re: Looking to adopt splunk as SIEM tool for my company

deepakc — Mon, 06 May 2024 09:57:16 GMT

This is very high level, I would suggest you really need a workshop with Splunk/Sales/Architect/pre-sales for this, but here's some Splunk food for thought

I am looking to use splunk as a SIEM tool for my company. Let me brief about our IT infra.

Splunk ES (SIEM) is most likely what you’re looking for, note, this a premium application, so additional licence. ES is mainly for SOC's use, it has many of the functions they need, and provides visibility for your security events, intelligence, and stats and then some!

The other alternative is Splunk's free InfoSec App(this not a SIEM in the sense, but it can also provide some good visibility into security aspects)

These links will help you find out more information.

Splunk ES

https://www.splunk.com/en_us/products/enterprise-security.html

Splunk ES SIEM App

https://splunkbase.splunk.com/app/263

Splunk Info Sec App

https://splunkbase.splunk.com/app/4240

Splunk Use Case Library

https://splunkbase.splunk.com/app/3435

1) We use Azure , AWS & some on premise servers. Most of our resources like VMs and services are on Azure.

Splunk supports many common data sources, so the ones you have listed will be fine, the data will need to be onboarded correctly for ES SIEM to search the data. Use Splunk base to find the various data source add-ons that Splunk supports

https://splunkbase.splunk.com/

2) Want a security kind of dashboard where SOC team can view and report on threats of network, web, servers etc.

This will show you various dashboards ES provides https://docs.splunk.com/Documentation/ES/7.3.1/User/Domaindashboards

3) I am not sure on the products that offers by splunk which is most relevant to me.

What products are most relevant to you? well this depends on your use cases, and how your SOC operates, I would suggest you contact Splunk and run perhaps a workshop to discovery your business requirements. There are many apps, Splunk ES, Mission Control, UBA, Soar. For you it sounds like ES, due to complexity ,integrations business requirements, a workshop would be better for you to thrash out all the details and have a strategy.

4) I am definitely want to go with cloud based solution instead of setting up splunk on virtual machine.

Splunk cloud removes admin overheads for the management of Splunk local instances, you just manage the data forwarding tier and feed that into Splunk cloud, so depends on for business strategy On premise -Vs Cloud.

I am not sure if splunk has cloud based colsole or not.

For Splunk cloud, login is known as a search head, this provides you with various apps like ES and various other Splunk features.

5) Please help me with some best industry practices to deploy splunk. Also, share the way steps, guide, video to deploy the same.

Start here

Splunk basic concepts

https://www.splunk.com/en_us/blog/learn/splunk-tutorials.html

When deploying Splunk, it's important to follow best practices to ensure a successful implementation. Some key steps include:

Define your use cases and objectives for using Splunk.

Plan your data collection strategy, including identifying sources of data to ingest into Splunk.

Design your Splunk environment, considering factors such as data volume, retention requirements, and performance needs.

Install and configure Splunk components according to your design, ensuring proper integration with your IT infrastructure.

Test your deployment to verify functionality and performance.

Train your users and administrators on how to use Splunk effectively for monitoring, analysis, and reporting.

Continuously monitor and optimize your Splunk deployment to meet evolving business needs and security requirements.

For detailed guidance on deploying Splunk, you can refer to Splunk documentation, online resources, and training courses available from Splunk. Additionally, Splunk's professional services team can provide expert assistance with deployment planning, implementation, and optimization.

topic Re: Looking to adopt splunk as SIEM tool for my company in Feedback

Looking to adopt splunk as SIEM tool for my company

Re: Looking to adopt splunk as SIEM tool for my company