Security: Enterprise Security (ES) - Wed 11/13/23

Published on ‎10-22-2024 11:18 AM by Splunk Employee | Updated on ‎11-14-2024 11:37 AM

Register here. This thread is for the Community Office Hours session on Security: Enterprise Security (ES) on Wed, Nov 13, 2024 at 1pm PT / 4pm ET.

This is your opportunity to ask questions related to your specific Splunk Enterprise Security needs, including:

  • What are some tips and tricks for getting started and becoming an expert in ES?
  • What to expect in Enterprise Security 8.0, including the Mission Control interface and SOAR integration?
  • What is the new Enterprise Security 8.0 workflow?
  • What are the best practices for implementing threat detection, and what is the latest security content from the threat research team?
  • How to implement use cases like RBA, incident management, and threat hunting?
  • Which Splunkbase apps and add-ons are recommended for ES use cases?
  • Anything else you’d like to learn!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here). 

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!

loriexi
Splunk Employee

Q1: Is ES 8.0 available to everybody now? I only see ES 7.3 on the download page?

A: 

  • Enterprise Security is generally available for cloud deployments now and upgrades are in progress.
  • ES on-prem (CMP) deployment will be GA in about 1-2 weeks from now (late November) and at that time available via Splunkbase.

Q2: What does risk-based alerting/detection look like in ES 8.0?

A:

  • Risk-based alerting (RBA) as it existed in ES 7.x is fully supported in ES 8.0 (i.e. fully backwards compatible)
  • With 8.0 we have the following key enhancements
    • Risk Events are now referred to as Intermediate Findings
    • Entity and risk score modifiers are required fields going forward for both Findings (Notable Events) and Intermediate Findings (Risk Events) whenever an Event-based Detection is created or updated
    • The two Risk Incident Rules (7 Day ATT&CK Tactic Threshold Exceeded and 24 Hour Risk Threshold Exceeded) continue to exist and be supported
    • Finding-based Detections are a new (Preview) innovation that enable simpler ways to track risk and group similar findings

Q3: Is there a way to search ES investigations artifacts? Could you talk more about the ES and SOAR integration, and case management capabilities in ES 8.0? 

A:

  • Explained via live demo screen share.
  • With ES 8.0, the Incident Review is being replaced with Mission Control’s Analyst Queue. Within this area, one can open an investigation and browse through all attached artifacts.
  • For more details on case management and SOAR integration, see the high-level summary at the start of the deck, or feel free to look at the Additional Resources slide for more details.
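The Q2 answer above names the two Risk Incident Rules that carry over into ES 8.0 (7 Day ATT&CK Tactic Threshold Exceeded and 24 Hour Risk Threshold Exceeded) and the fields that every Intermediate Finding must now carry (entity, entity type, risk score modifier). The following Python is an added illustration, not Splunk's code or anything from the post: it simulates how per-entity risk aggregation turns a stream of Intermediate Findings into a Finding only when one of those two rules trips. The thresholds (100 points in 24 hours, 3 distinct tactics in 7 days), the field names and the sample events are assumptions made for the example; in a real deployment the thresholds are configured in the rules themselves.

```python
"""
Added example (not from the Splunk Community post and not Splunk's own code):
a small simulation of ES-style risk-based alerting. Intermediate Findings
(risk events) are summed per entity, and a Finding is raised only when one of
the two Risk Incident Rules named in the Q2 answer fires.
Thresholds, field names and sample events below are assumptions.
"""
from datetime import datetime, timedelta

# Assumed thresholds: the real rules expose these as configurable values.
RISK_SCORE_THRESHOLD_24H = 100
TACTIC_COUNT_THRESHOLD_7D = 3

# Constructed Intermediate Findings for two entities. Each carries the fields
# the Q2 answer says are now required: the entity (risk object), its type and
# a risk score modifier. The ATT&CK tactic drives the 7-day rule.
INTERMEDIATE_FINDINGS = [
    {"time": "2024-11-12T08:00:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 40, "tactic": "Initial Access", "source": "Suspicious login"},
    {"time": "2024-11-12T09:30:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 35, "tactic": "Execution", "source": "Office macro"},
    {"time": "2024-11-12T10:15:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 30, "tactic": "Persistence", "source": "New scheduled task"},
    {"time": "2024-11-05T10:00:00", "risk_object": "host-17", "risk_object_type": "system",
     "risk_score": 60, "tactic": "Discovery", "source": "Network scan"},
    {"time": "2024-11-12T11:00:00", "risk_object": "host-17", "risk_object_type": "system",
     "risk_score": 25, "tactic": "Discovery", "source": "Network scan"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def events_in_window(findings, entity, now, window):
    """Intermediate Findings for one entity inside (now - window, now]."""
    cutoff = now - window
    return [f for f in findings
            if f["risk_object"] == entity and cutoff < parse(f["time"]) <= now]


def risk_threshold_24h(findings, entity, now):
    """24 Hour Risk Threshold Exceeded: sum of risk modifiers over the last 24h."""
    total = sum(f["risk_score"]
                for f in events_in_window(findings, entity, now, timedelta(hours=24)))
    return total, total >= RISK_SCORE_THRESHOLD_24H


def tactic_threshold_7d(findings, entity, now):
    """7 Day ATT&CK Tactic Threshold Exceeded: distinct tactics over the last 7 days."""
    tactics = {f["tactic"]
               for f in events_in_window(findings, entity, now, timedelta(days=7))}
    return tactics, len(tactics) >= TACTIC_COUNT_THRESHOLD_7D


def evaluate(findings, now):
    """Return one Finding per entity that tripped a rule, with the contributing
    Intermediate Findings attached so an analyst can pivot into them."""
    results = {}
    for entity in sorted({f["risk_object"] for f in findings}):
        total, score_hit = risk_threshold_24h(findings, entity, now)
        tactics, tactic_hit = tactic_threshold_7d(findings, entity, now)
        if score_hit or tactic_hit:
            results[entity] = {
                "rules": [name for name, hit in (
                    ("24 Hour Risk Threshold Exceeded", score_hit),
                    ("7 Day ATT&CK Tactic Threshold Exceeded", tactic_hit)) if hit],
                "risk_score_24h": total,
                "tactics_7d": sorted(tactics),
                "contributing": events_in_window(findings, entity, now, timedelta(days=7)),
            }
    return results


def demo():
    """Evaluate the constructed sample at a fixed 'now' (an assumption)."""
    return evaluate(INTERMEDIATE_FINDINGS, parse("2024-11-12T12:00:00"))


if __name__ == "__main__":
    for entity, finding in demo().items():
        print(entity, finding["rules"], "score_24h =", finding["risk_score_24h"],
              "tactics_7d =", finding["tactics_7d"])
```

Run as written, only `alice` is promoted to a Finding: three low-to-medium events in one morning add up to 105 points across three tactics, so both rules fire. `host-17` is not promoted even though one of its events carries a higher single score (60), because that event falls outside the 24-hour window and both of its events map to the same tactic. That is the point of RBA as the answer describes it: the entity and score modifier on every Intermediate Finding let the Risk Incident Rules do the aggregation, instead of each detection paging an analyst on its own.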