Hello,
I am wondering what the general thoughts of the Splunk community are in terms of which apps you would most recommend for use within a Security Operations Centre (SOC)?
We do have the Splunk App for Enterprise Security which I would think is a pretty good starting point, however, I'm certain there would be a bunch of others some of you would find invaluable!?!
I look forward to hearing your thoughts.
Many thanks,
P
A lot will depend on how your SOC does its workflow. If the notable event workflow in Splunk is how security events/incidents are managed then you really don't need to do much to expand beyond it from an analyst's perspective for the meat of their work.
Most other "apps" that are key outside ES itself (and its bundle of TAs and SAs) are any other relevant TAs to ensure that the data you are putting into Splunk conforms to the Common Information Model (CIM), since the CIM and the accelerated data models are the backbone of how ES will see the data in Splunk.
One app I found handy, though not a security app itself, was the Lookup File Editor: https://splunkbase.splunk.com/app/1724/ for locally defined lists analysts wanted to edit that weren't the core ES asset/identities/etc... lists
I would also highly recommend the newly released Knowledge Object Explorer: https://splunkbase.splunk.com/app/2871/ to better understand the sometimes complex knowledge objects that live in an ES installation
But beyond some utility apps like that, it's usually best to keep an ES Search Head as pared down as you can so that there's not a bunch of apps exporting tons of knowledge objects to the whole system -- those can really start to slow down search performance.
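To make the CIM point above concrete, here is an added example (not from this thread or from any Splunk TA) of the three small config pieces a TA needs so that ES's accelerated Network_Traffic data model picks up a sourcetype. The sourcetype `acme:fw` and its vendor field names (`srcip`, `dstip`, `dstport`, `proto`, `disposition`) are constructed for illustration.

```ini
# props.conf -- alias the vendor fields onto the CIM Network_Traffic field names.
# "acme:fw" and the vendor field names are assumed, not a real product's.
[acme:fw]
FIELDALIAS-acme_src  = srcip AS src
FIELDALIAS-acme_dest = dstip AS dest
FIELDALIAS-acme_port = dstport AS dest_port
# CIM wants lowercase transport values and action in {allowed, blocked}
EVAL-transport = lower(proto)
EVAL-action = case(disposition=="permit", "allowed", disposition=="deny", "blocked")

# eventtypes.conf -- an eventtype is the hook that tags attach to
[acme_fw_traffic]
search = sourcetype=acme:fw

# tags.conf -- Network_Traffic selects events carrying tag=network AND tag=communicate;
# without both tags the events never enter the accelerated data model ES reads from.
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled
```

After the TA is deployed, `| tstats count from datamodel=Network_Traffic by sourcetype` should list `acme:fw`; if it does not, the missing tag or alias is the usual cause.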
Excellent advice! I will be sure to look into these apps further.
I don't have a specific app to recommend. I suggest you install the apps written for the devices and products you use in your company. You'll then probably want to consider writing your own dashboards to combine the most relevant data from each app.
Good advice re: custom dashboards consolidating info across apps. thanks!
The Enterprise Security App would be the primary choice and offering from Splunk for SOC environments. The other app choices would be dependent on what components are in your environment that you would like to monitor. Some folks deploy Security Onion appliances in their environment for IDS purposes. There is a Splunk app for that which provides good visualizations of the data. If you have Cisco ASA firewalls and Ironport mail security devices, the Cisco Security Suite is decent. There is a Bit9 app out there. There is also a Tripwire app. What other security tools and components do you have in your environment that you need to monitor?
Some excellent suggestions there, much appreciated!
As a matter of interest, I have been going through the following book which discusses the use of Security Onion in some detail:
The Practice of Network Security Monitoring: Understanding Incident Detection and Response (https://booko.com.au/9781593275099/The-Practice-of-Network-Security-Monitoring-Understanding-Inciden...)
So far, this seems a pretty good resource.