Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, Investigation, and Response

DayaSCanales (Splunk Employee)


Watch On Demand the Tech Talk, and empower your SOC to reach new heights!

Duration: 1 hour

Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This release revolutionizes how SOC teams handle alert triage and investigations by introducing a streamlined workflow fully integrated with Splunk SOAR for effortless automation.

Enjoy a consistent user experience aligned with the Open Cybersecurity Schema Format, while maintaining backward compatibility with your existing Enterprise Security data.

Highlights to look forward to:

  • A revamped workflow that speeds up alert triage and investigations
  • Seamless native integration with Splunk SOAR for smarter automation
  • Industry-standard terminology for a more intuitive user experience
  • Support for most existing data to ensure a smooth transition
  • New capabilities designed for security engineers and administrators to maximize innovation

Don’t miss this chance to future-proof your security operations and achieve faster, smarter threat detection and response. Join us on demand!

DayaSCanales (Splunk Employee), LesediK (Splunk Employee)

View all the top-of-mind questions from the live event!

Q. Are there controls in place that would allow an analyst to develop and create a new version of a detection but the ability to deploy is given to another user group (peer review)?

A. With Splunk Enterprise Security 8.x we offer detection versioning with a lot of git-like features, but I do not believe there is any kind of dedicated merge request sort of flow.

Q. I've attended previous Tech Talks from Splunk about Risk-based Alerting. Does Finding-based detections tie into that?

A. Yep! It is basically the next evolution of Risk-based Alerting, making it far more natively integrated with the product.

Q. Does the investigations workbench handle multi-tenancy?

A. There are tools you can use to make separate queues and views for different teams, but ES8's Analyst Queue does not yet include multi-tenancy as an out-of-the-box feature.

Q. How would third-party alerts that are already correlated into incidents (e.g. Defender XDR) be ingested and turned into findings? And is there functionality that mirrors the existing correlation from the source?

A. There's a lot of flexibility that comes with Findings and Intermediate Findings. You can ingest things to 'alert' straight away, or you can ingest things to not show up as an alert but build towards one. This means you can decide how to treat those alerts from a third-party tool, and if the "pre-correlated" alerts include the context, you could ingest that as well.

Q. Can a finding group get more findings after the group is initially created?

A. Yes! So Finding Groups are made to be added to within their window. You can also always add more Findings to an Investigation once you make one.

Q. Can additional findings be added to a detection based on a reference number (e.g. a third-party incident ID) automatically?

A. This is a very achievable thing leveraging Automation, e.g., the SOAR block for "add finding to investigation" or "add finding." There are some SPL-first mechanisms that may work.

Come find me on Community Slack: @Drew Church, and we can try and figure out more together.

Q. What is the recommended process for restoring the nav bar after an upgrade?

A. Post app install, you will need to go into the post-install upgrade routine. It will prompt you to reset to default. From there, you will need to use the Navigation Menu editor inside of Enterprise Security to add back in the customizations.

Q. Any changes to Git integration within Splunk Enterprise Security or Splunk SOAR on-prem?

A. Enterprise Security 8 does not have a Git integration. There are no changes to Splunk SOAR (on-prem) or Splunk SOAR (Cloud) in terms of the Git integration.
