Security: Enterprise Security (ES) - 10/25/23

Published on 08-09-2023 11:40 AM by Splunk Employee | Updated on 11-11-2023 08:08 AM

Register here. This thread is for the Community Office Hours session on Splunk Enterprise Security (ES) on Wed, October 25, 2023 at 1pm PT / 4pm ET. 

This is your opportunity to ask questions related to your specific Enterprise Security (ES) challenge or use case, including:

  • What’s new in Enterprise Security 7.2
  • Enterprise Security Content Update (ESCU) app and the latest security content
  • Implementing use cases like RBA, incident management, threat hunting, etc.
  • Implementing threat detections (including 6 new ML-powered detections)
  • Enhancing notable events (e.g., using threat intelligence feeds)
  • Adding adaptive response actions
  • Recommended Splunkbase apps and add-ons for ES use cases
  • Anything else you’d like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.

Look forward to connecting!

adepp
Splunk Employee

Hi Everyone!

Please be sure to submit your questions at registration or post a comment here for any topics you'd like to see discussed in the Community Office Hours session. You can also head to the #office-hours user Slack channel to ask questions and join the discussion (request access here).

adepp
Splunk Employee

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):

Q1: How long would you expect an initial RBA deployment to take for customers with say between 200 - 400 detection rules?

  • This would be dependent on the detection rules. More information on the deployment process is here on Splunk Lantern 
  • Here are some guidelines: initial basic deployment of RBA (10-15 risk rules) is typically done in 4 weeks; scaling to 200-400 higher fidelity detection rules takes 1-3 years to grow the deployment properly.
  • Check out a good .conf talk on taking a program approach to your Splunk RBA deployment - https://conf.splunk.com/files/2022/recordings/SEC1358B_1080.mp4

Q2: Deployment and pricing over a distributed cluster environment (implementation)

  • We recommend reaching out to your account manager who can help with pricing based on your environment after an assessment

Q3: How do you manage the number of false positives when an ESCU detection is very noisy?

  • We recommend that you leverage the `<detection-name>_filter` macros that are shipped and configured for each detection. With this method you can still get an updated version of the detection and the false positive exclusions are preserved.
  • We also recommend that before enabling a specific detection, you run it in an ad-hoc fashion over the last 24 hours and assess the number of results that are returned. This way, you have a rough estimate of what amount of work a specific detection will require in terms of tuning.
  • Github content: https://github.com/splunk/security_content

Other Questions (check the #office-hours Slack channel for responses):

  • How can I sign up for a Splunk ES trial?
  • How to enrich notable events in ES before they are sent on to Mission Control?
  • Best ways to use the Threat Intelligence Framework for detections?
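As an added illustration of the `_filter` macro approach from Q3 (not part of the original post or of ESCU's own content), here is a constructed detection with its shipped and tuned filter macro, plus the ad-hoc 24-hour sizing search; the detection name "example_suspicious_process" and the excluded hosts and users are made-up sample values.

```ini
# Added illustration, not ESCU content. Detection name, users and hosts are constructed.

# --- savedsearches.conf: the detection as shipped by ESCU. The final pipe is the
# --- per-detection filter macro that ESCU appends to every search.
[ESCU - Example Suspicious Process - Rule]
search = | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime \
    from datamodel=Endpoint.Processes where Processes.process_name="whoami.exe" \
    by Processes.dest Processes.user Processes.process \
  | `drop_dm_object_name(Processes)` \
  | `example_suspicious_process_filter`

# --- default/macros.conf: the filter as shipped. "search *" matches everything,
# --- so by default nothing is excluded.
[example_suspicious_process_filter]
definition = search *
description = Update this macro to limit the output results to filter out false positives.

# --- local/macros.conf: the tuned filter. local/ overrides default/ and is not
# --- rewritten by an ESCU upgrade, so the updated detection logic still arrives
# --- while this exclusion is preserved. Exclude a known-good inventory account on
# --- two management hosts (constructed values).
[example_suspicious_process_filter]
definition = search NOT (user="svc_inventory" AND dest IN ("mgmt01","mgmt02"))

# --- Ad-hoc check before enabling the rule: the same body over the last 24 hours,
# --- with the filter macro applied, counted per host and user so you can see which
# --- sources drive the volume and size the tuning effort. Paste into Search:
#   | tstats summariesonly=true count from datamodel=Endpoint.Processes
#       where Processes.process_name="whoami.exe" earliest=-24h latest=now
#       by Processes.dest Processes.user
#     | `drop_dm_object_name(Processes)`
#     | `example_suspicious_process_filter`
#     | stats sum(count) as hits by dest user | sort - hits
```

Re-running the ad-hoc search after each change to the local macro shows directly how many hits the exclusion removes, without editing the shipped search itself.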