Splunk Enterprise Security

What Splunk apps would be most useful for a Security Operations Centre (SOC)

pjb2160
Path Finder

Hello,

I am wondering what the general thoughts of the Splunk community are in terms of which apps would you most recommend for use within a Security Operations Centre (SOC)?

We do have the Splunk App for Enterprise Security which I would think is a pretty good starting point, however, I'm certain there would be a bunch of others some of you would find invaluable!?!

I look forward to hearing your thoughts.

many thanks,
P

0 Karma
1 Solution

StewGoin1
Explorer

A lot will depend on how your SOC does it's workflow. If the notable event workflow in Splunk is how security events/incidents are managed then you really don't need to do much to expand beyond it from an analyst's perspective for the meat of their work.

Most other "apps" that are key outside ES itself (and it's bundle of TAs and SAs) are any other relevant TAs to ensure that the data you are putting into splunk conforms to the Common Information Model (CIM) since the CIM and the accelerated data models are the backbone of how ES will see the data in Splunk.

One app I found handy, though not a security app itself, was the Lookup File Editor: https://splunkbase.splunk.com/app/1724/ for locally defined lists analysts wanted to edit that weren't the core ES asset/identities/etc... lists

I would also highly recommend the newly released Knowledge Object Explorer: https://splunkbase.splunk.com/app/2871/ to better understand the sometimes complex knowledge objects that live in an ES installation

But beyond some utility apps like that, it's usually best to keep an ES Search Head as pared down as you can so that there's not a bunch of apps exporting tons of knowledge objects to the whole system -- those can really start to slow down search performance.

View solution in original post

StewGoin1
Explorer

A lot will depend on how your SOC does it's workflow. If the notable event workflow in Splunk is how security events/incidents are managed then you really don't need to do much to expand beyond it from an analyst's perspective for the meat of their work.

Most other "apps" that are key outside ES itself (and it's bundle of TAs and SAs) are any other relevant TAs to ensure that the data you are putting into splunk conforms to the Common Information Model (CIM) since the CIM and the accelerated data models are the backbone of how ES will see the data in Splunk.

One app I found handy, though not a security app itself, was the Lookup File Editor: https://splunkbase.splunk.com/app/1724/ for locally defined lists analysts wanted to edit that weren't the core ES asset/identities/etc... lists

I would also highly recommend the newly released Knowledge Object Explorer: https://splunkbase.splunk.com/app/2871/ to better understand the sometimes complex knowledge objects that live in an ES installation

But beyond some utility apps like that, it's usually best to keep an ES Search Head as pared down as you can so that there's not a bunch of apps exporting tons of knowledge objects to the whole system -- those can really start to slow down search performance.

pjb2160
Path Finder

Excellent advice! I will be sure to look into these apps further.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't have a specific app to recommend. I suggest you install the apps written for the devices and products you use in your company. You'll then probably want to consider writing your own dashboards to combine the most relevant data from each app.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pjb2160
Path Finder

Good advice re: custom dashboards consolidating info across apps. thanks!

0 Karma

tskinnerivsec
Contributor

The Enterprise Security App would be the primary choice, and offering from Splunk for SOC environments. The other app choices would be dependent on what components are in your environment that you would like to monitor. Some folks deploy Security Onion appliances in their environment for IDS purposes, There is a Splunk app for That which provides good visualizations of the data. If you have Cisco ASA firewalls and Ironport mail security devices, the Cisco Security Suite is decent. There is a Bit9 app out there. There is also a Tripwire app. What other security tools and components do you have in your environment that you need to monitor?

pjb2160
Path Finder

Some excellent suggestions there much appreciated!

As a matter of interest, I have been going through the following book which discusses the use of Security Onion in some detail:

The Practice of Network Security Monitoring: Understanding Incident Detection and Response (https://booko.com.au/9781593275099/The-Practice-of-Network-Security-Monitoring-Understanding-Inciden...)

So far, this seems a pretty good resource.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...