
Splunk Enterprise Security | See more, act faster, and simplify investigations with customizable workflows

OliviaHenderson
Splunk Employee

In our latest release, Splunk Enterprise Security 7.2, we are excited to introduce capabilities that deliver an improved workflow experience for simplified investigations, enhanced visibility with a reduced manual workload, and customizable investigation workflows for faster decision-making. The majority of these updates and new features were requested directly by Splunk Enterprise Security (ES) users and submitted through the Splunk Ideas portal! Keep the great ideas and suggestions coming - we’re listening!

With these new capabilities, ES helps you see more, act faster, and simplify your investigations. 

Improved workflow experience for simplified investigations 

  • Multiple Drill-down Searches on Correlation Rules: Users can now create multiple drill-down searches on a correlation rule to quickly narrow an investigation stemming from a notable event.
  • Enhanced Risk Analysis Dashboard: With the enhanced Risk Analysis dashboard, security analysts have a deeper, more holistic layer of visibility across all detection events. The SOC can assess organizational risk from users and entities faster, and analysts can drill down on specific users and entities for additional context on their risk contributions.
  • Dispositions in Incident Review: With ES 7.2, ES administrators can require a disposition when closing notables. This provides a feedback loop into detection engineering, allowing efficient review of security detections.
  • Hyperlinks in Correlation Search “Next Steps”: This new capability enables ES administrators to include links to resources such as wiki pages, runbooks, Splunk dashboards, or even third-party websites as part of an analyst’s response workflow. Analysts can view these links in an event’s “Next Steps”, which enhances and accelerates the investigation process.

Enhanced visibility and reduced manual workload

With the new Auto Refresh in Incident Review, ES automatically displays the most up-to-date events for the SOC. Administrators can now customize and control the frequency of the auto refresh.

Security analysts can already prioritize notable events within Splunk Enterprise Security, but they often want to visualize them by date and time. That’s why we brought back the Timeline function in Incident Review. This interactive timeline of notables helps the SOC quickly gain insight into anomalous activity, such as an unusually high number of notables around a certain time, and therefore prioritize time-sensitive critical incidents.

Customize investigation workflows for faster decision-making

ES 7.2 introduces optional enhancements to the Incident Review dashboard that provide a more customizable experience when investigating notable events. Analysts can now configure the Incident Review dashboard with table filters and columns so that they can focus on the events that matter to them. Additionally, they can save views of their customized Incident Review dashboard and share them with other Enterprise Security analysts.

Upgrade today to Splunk Enterprise Security 7.2

Ready to get hands on with Enterprise Security 7.2? Register for our Tech Talk!

If you have ideas and requests, please submit them to Splunk Ideas!
