Splunk Dev

General SIEM questions. (GUI, Response & Action, etc.)

Lmccully10
New Member

I was wondering if anyone could offer a newcomer to the tech industry some answers about Splunk?! I'm trying to compare SIEMs on the market to Splunk but can't find enough data relating to some of Splunk's features. So if anyone could offer any assistance on any question, it would be much appreciated.

  1. Explain Splunk's log correlation in layman's terms
  2. What is the Underlying DB?
  3. Is there Network Forensics? Network Behavioral Analysis?
  4. Splunk's response & actions? Is it automated?
  5. The way the SIEM transmits events - e.g. events from the source are sent in clear text?
  6. How does Splunk handle EPS Bursts?
  7. What is their filtering operation?
  8. Log Aggregation solution?
  9. Out-of-the-box use cases?
  10. Is there any case management?
  11. Type of GUI?
  12. Pattern Discovery?
  13. Is there Identity monitoring?

It's a hefty list so if anyone could answer anything, their time would be appreciated.

1 Solution

masonmorales
Influencer

I would strongly recommend you get in touch with a Splunk sales rep to answer your questions in detail, but I can give you a quick version here:

Explain Splunk's log correlation in layman's terms
- Splunk uses fields (key/value pairs) that you can use when searching. If you give your fields the same name (e.g. src_ip in both your firewall logs and proxy logs), you can search across both data sets using the common field name and do whatever kind of correlation you like.

What is the Underlying DB?
- There is no DB. Splunk is "schema on the fly" (defined at search time). Raw data is compressed into GZIP format and stored as flat files with a metadata file describing each GZIP file. Splunk uses the metadata file (and a few other things) to determine which GZIP files should be uncompressed when you search for data.

Is there Network Forensics? Network Behavioral Analysis?
- You can fulfill both of these use cases with Splunk. They have options for some paid apps (e.g. Enterprise Security, User Behavior Analytics) that you can purchase to get functionality out of the box, or you can choose to build it yourself.

Splunk's response & actions? Is it automated?
- Yes, you can make both automated. There are a variety of apps and integrations available for Splunk (check out splunkbase.com), or you can develop your own.

The way the SIEM transmits events - e.g. events from the source are sent in clear text?
- Splunk is the SIEM. All events stay local to the Splunk instance, but again, you can choose to integrate it with whatever you want, and send data in whatever format you want. It's a very flexible platform.

How does Splunk handle EPS Bursts?
- CPU will increase a bit on the indexers. Assuming you have the IOPS for it on your disk subsystem, this is usually not a problem.

What is their filtering operation?
- You can filter on anything. You can even choose to not index events if they contain specific text in the log lines.

Log Aggregation solution?
- Yes.

Out-of-the-box use cases?
- There are many. If you contact Splunk sales, they can send you a PDF listing a ton of them.

Is there any case management?
- No, but you can build it, or integrate it with your own.

Type of GUI?
- Web

Pattern Discovery?
- Yes, out of the box. Super easy to use.

Is there Identity monitoring?
- You can build it or use Splunk Enterprise Security for this. There are probably some apps on splunkbase.com for it as well that you could use.

Hope this helps!

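The correlation described in the accepted answer, shown as an actual search. This is an added example and not the poster's own search. It assumes two indexes, `firewall` (sourcetype `fw:traffic`, with `src_ip`, `dest`, `action`) and `proxy` (sourcetype `web:proxy`, where the client address arrives as `c_ip` and the HTTP status as `status`); those names are illustrative, not Splunk defaults. The `coalesce` line does the "give your fields the same name" step at search time so that a single `stats ... BY src_ip` can line up events from both sources:

```spl
(index=firewall sourcetype="fw:traffic" action=blocked)
  OR (index=proxy sourcetype="web:proxy" status=403)
| eval src_ip=coalesce(src_ip, c_ip)
| stats count(eval(sourcetype=="fw:traffic")) AS fw_blocks
        count(eval(sourcetype=="web:proxy"))  AS proxy_denies
        dc(dest) AS distinct_dests
        min(_time) AS first_seen
        max(_time) AS last_seen
  BY src_ip
| where fw_blocks > 0 AND proxy_denies > 0
| convert ctime(first_seen) ctime(last_seen)
| sort - fw_blocks
```

The result is one row per source address that was both blocked at the firewall and denied by the proxy in the search window, with counts from each source side by side. If the `eval src_ip=coalesce(...)` step is needed in every search, the same normalization belongs in `props.conf` as a `FIELDALIAS` (for example `FIELDALIAS-client_to_src = c_ip AS src_ip` under the `[web:proxy]` stanza) so every analyst and saved search sees the common name without repeating the `eval`.
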
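The "choose to not index events if they contain specific text" option from the filtering answer, as an added configuration example that is not part of the original post. It assumes the same illustrative `web:proxy` sourcetype as above and a health-check request path (`/healthz`) that you want to drop before it is written to disk. Both stanzas go on the instance that parses the data (an indexer or heavy forwarder), not on a universal forwarder, which does not run parsing-time transforms:

```ini
# props.conf
[web:proxy]
# Run the transform below at parsing time for this sourcetype.
TRANSFORMS-drop_noise = drop_healthcheck
# Search-time alias so proxy events expose the same field name as firewall logs.
FIELDALIAS-client_to_src = c_ip AS src_ip

# transforms.conf
[drop_healthcheck]
# Match the raw event text; anchor with whitespace so "/healthz-report" is kept.
REGEX = \sGET\s/healthz\s
# Route matching events to the null queue: they are never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to `nullQueue` are discarded before indexing, so they cannot be recovered by any later search and do not count toward the daily license volume. For that reason the `REGEX` should be as specific as you can make it, and it is worth checking what the filter would drop first with a normal search over the same pattern before enabling the transform.
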

Lmccully10
New Member

Thanks Mason I truly appreciate the answers!
