Large Security Operations Centers (SOCs) with multiple teams need help to make fast decisions when overwhelmed with security events.
A few short weeks ago in our Splunk Enterprise Security 7.2 release, we introduced optional enhancements to the Incident Review Dashboard that provide a more customizable experience when investigating notable events. Analysts can customize and configure the Incident Review Dashboard with table filters and columns to help isolate and rapidly investigate the events that matter to them. Additionally, analysts can create saved views of their customized Incident Review Dashboard and share them with other Enterprise Security analysts. Saved Views allow analysts with different use cases to share their tailored views of notable events with other incident investigators so they can collaborate on notable events seamlessly. Splunk Enterprise Security Administrators also get a new level of control over the analyst experience in Incident Review, including configuring default views for all users.
This refined analyst experience is now on by default in Splunk Enterprise Security 7.3!
In order to ease customers into these new workflows, we’ve also launched an interactive, in-product onboarding experience that will guide users through these new features.
Splunk Ideas continues to be front and center in Splunk Enterprise Security
Customer feedback continues to drive innovation and enhancements in Splunk Enterprise Security. In this release, we added Drill-Down Dashboards to Incident Review, allowing content engineers to drill-down into a Splunk dashboard directly from the incident workflow. Users can now create multiple drill-down dashboard links and then use them to investigate a specific notable event. This enables analysts to seamlessly access critical details during an investigation, while reducing manual workloads.
Content engineers can now customize the text of the drill-down link and also configure the fields that will be passed as tokens to the dashboard. The use cases for custom dashboards are endless with this new flexibility, and we can’t wait to see how the world’s most advanced SOCs leverage it.
Additionally, customers tell us that there are rare instances outside their control where data is not forwarded to Splunk in real-time, but that they still want Enterprise Security to check those data feeds for threats and anomalies. In this release, we’ve added Index Time Correlation Searches that allow administrators to run specific correlation rules on index time instead of event time for the data sources that routinely arrive after real-time. With this enhancement, Splunk continues to ensure complete visibility no matter where, or when, the data originates.
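The difference between correlating on event time and on index time is easiest to see with late-arriving data. The following is an added example (not Splunk's code, and not how Enterprise Security implements the feature internally) that simulates a scheduled "failed logins per host" correlation search run both ways over constructed sample events. One host forwards its logs 90 minutes late; the event-time schedule never sees it, the index-time schedule does. Host names, the 15-minute window and the threshold of five failures are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    host: str
    event_time: datetime   # like _time: when the event happened on the source
    index_time: datetime   # like _indextime: when the indexer actually received it
    failed_login: bool


BASE = datetime(2023, 11, 1, 12, 0, 0)

# Constructed sample data: "srv-ontime" forwards within seconds,
# "srv-late" forwards the same kind of events with a 90-minute delay.
SAMPLE_EVENTS: List[Event] = [
    Event("srv-ontime", BASE + timedelta(minutes=m),
          BASE + timedelta(minutes=m, seconds=5), True)
    for m in range(10)
] + [
    Event("srv-late", BASE + timedelta(minutes=m),
          BASE + timedelta(minutes=m + 90), True)
    for m in range(10)
]


def event_time_window(events: List[Event], run_at: datetime, lookback: timedelta) -> List[Event]:
    """Mimic a scheduled search that filters on _time (earliest/latest).
    An event can only be matched if it was already indexed when the search ran."""
    start = run_at - lookback
    return [e for e in events
            if start <= e.event_time < run_at and e.index_time <= run_at]


def index_time_window(events: List[Event], run_at: datetime, lookback: timedelta) -> List[Event]:
    """Mimic a scheduled search that filters on _indextime instead, so the window
    is "everything that arrived since the last run" regardless of its _time."""
    start = run_at - lookback
    return [e for e in events if start <= e.index_time < run_at]


def count_failed_logins_by_host(events: List[Event]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        if e.failed_login:
            counts[e.host] = counts.get(e.host, 0) + 1
    return counts


def brute_force_candidates(events: List[Event], threshold: int = 5) -> List[str]:
    """Hosts with at least `threshold` failed logins in the given slice of events."""
    return sorted(h for h, c in count_failed_logins_by_host(events).items() if c >= threshold)


def compare_schedules(events: List[Event],
                      lookback: timedelta = timedelta(minutes=15),
                      step: timedelta = timedelta(minutes=15),
                      runs: int = 8) -> Dict[str, List[str]]:
    """Run the same correlation logic on a 15-minute cron with both window styles
    and report which hosts each style ever flagged."""
    flagged = {"event_time": set(), "index_time": set()}
    for i in range(1, runs + 1):
        run_at = BASE + step * i
        flagged["event_time"].update(
            brute_force_candidates(event_time_window(events, run_at, lookback)))
        flagged["index_time"].update(
            brute_force_candidates(index_time_window(events, run_at, lookback)))
    return {k: sorted(v) for k, v in flagged.items()}


if __name__ == "__main__":
    # The late host only ever shows up under index-time scheduling.
    print(compare_schedules(SAMPLE_EVENTS))
```

In SPL the index-time equivalent of the second function is the `_index_earliest` / `_index_latest` search modifiers (for example `_index_earliest=-15m@m _index_latest=now`), which select on `_indextime` rather than `_time`; how Enterprise Security wires those into a correlation search's schedule is documented in the release notes, not reproduced here.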
Risk-Based Alerting is now even more powerful
Risk-Based Alerting is an innovative approach to help organizations prioritize security threats, aligned to the MITRE ATT&CK framework and an entity risk score. The SOC can reduce false positive investigations by up to 80% and speed the time needed to investigate and remediate true positive incidents by 50%. In Splunk Enterprise Security 7.3, the Risk Event Timeline is updated to include Drill-down Searches, Drill-down Dashboards, and Contributing Events so that analysts can quickly gather contextual information about risk events as they respond to Risk Notables.
With Splunk Enterprise Security 7.3 you’ll get to experience the following enhancements:
Additionally, risk events generated by cloud-based streaming analytics, included with Splunk Enterprise Security for customers operating in Splunk Cloud, will also benefit from the Contributing Events refinement for Risk Event Timeline.
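To show what "an entity risk score aligned to MITRE ATT&CK" means mechanically, here is an added example (not Splunk's code and not Enterprise Security's actual risk-notable search) that aggregates constructed risk events per entity over a lookback window and raises a risk notable only when both the summed score and the number of distinct ATT&CK techniques cross a threshold. Field names (`risk_object`, `risk_score`, `technique`, `search_name`), the 24-hour window, the score threshold of 100 and the minimum of three techniques are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NOW = datetime(2023, 11, 1, 18, 0, 0)

# Constructed risk events. Each is one "risk rule" hit attributing a score and an
# ATT&CK technique to an entity; none of these names or values come from a real system.
RISK_EVENTS: List[dict] = [
    # jdoe: four different techniques from four different searches within 24h
    {"_time": NOW - timedelta(hours=20), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "technique": "T1110", "search_name": "Excessive Failed Logins"},
    {"_time": NOW - timedelta(hours=18), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "technique": "T1078", "search_name": "Login From Unusual Source"},
    {"_time": NOW - timedelta(hours=6), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 40, "technique": "T1059", "search_name": "Suspicious PowerShell Execution"},
    {"_time": NOW - timedelta(hours=1), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "technique": "T1021", "search_name": "Lateral Movement via SMB"},
    # jdoe: an older high-score hit outside the window, should not count
    {"_time": NOW - timedelta(days=3), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 90, "technique": "T1486", "search_name": "Ransomware Note Written"},
    # asmith: a single hit, too little to act on
    {"_time": NOW - timedelta(hours=2), "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 50, "technique": "T1059", "search_name": "Suspicious PowerShell Execution"},
] + [
    # svc-backup: a noisy service account tripping the same rule six times.
    # High total score but only one technique, so it stays below the notable bar.
    {"_time": NOW - timedelta(hours=h), "risk_object": "svc-backup", "risk_object_type": "user",
     "risk_score": 20, "technique": "T1110", "search_name": "Excessive Failed Logins"}
    for h in range(1, 7)
]

EntityKey = Tuple[str, str]


def aggregate_risk(events: List[dict], now: datetime,
                   window: timedelta = timedelta(hours=24)) -> Dict[EntityKey, dict]:
    """Sum risk per (type, entity) and collect distinct techniques and contributing
    searches for events inside the lookback window."""
    start = now - window
    agg: Dict[EntityKey, dict] = defaultdict(
        lambda: {"risk_score": 0, "techniques": set(), "sources": set()})
    for e in events:
        if start <= e["_time"] <= now:
            key = (e["risk_object_type"], e["risk_object"])
            agg[key]["risk_score"] += e["risk_score"]
            agg[key]["techniques"].add(e["technique"])
            agg[key]["sources"].add(e["search_name"])
    return agg


def risk_notables(events: List[dict], now: datetime, score_threshold: int = 100,
                  min_techniques: int = 3,
                  window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Emit one risk notable per entity whose aggregated score AND technique
    diversity both meet the thresholds. Requiring diversity is what keeps a single
    noisy rule from paging an analyst on its own."""
    notables = []
    for (otype, obj), a in aggregate_risk(events, now, window).items():
        if a["risk_score"] >= score_threshold and len(a["techniques"]) >= min_techniques:
            notables.append({
                "risk_object": obj,
                "risk_object_type": otype,
                "risk_score": a["risk_score"],
                "technique_count": len(a["techniques"]),
                # the "contributing events" an analyst would pivot into from the timeline
                "contributing_searches": sorted(a["sources"]),
            })
    return sorted(notables, key=lambda n: n["risk_object"])


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS, NOW):
        print(n)
```

Lowering `min_techniques` to 1 makes the noisy service account fire as well, which is exactly the kind of false-positive investigation the technique-diversity condition is meant to avoid; widening `window` to a week pulls the stale ransomware hit back into jdoe's score, which is why the lookback is a tuning knob rather than a constant.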
Upgrade today to Enterprise Security 7.3!
Splunk Enterprise Security 7.3 updates are available now in both cloud and on-prem environments.
We’re listening! If you have ideas and requests, please submit them to Splunk Ideas.
To learn more about Splunk Enterprise Security 7.3, check out the release notes.
Happy Splunking!