Security

Splunk Security Apps: Splunk Security Essentials vs Enterprise Security + Splunk ES Content update

koshyk
Super Champion

I had encoutered an interesting question from my client/security SME

1. Which one is better. To have Splunk Security Essentials or to retain Enterprise Security + Content updates?

2. Where are the detection rules kept in Splunk Security Essentials kept?

 

As far as I understand the Splunk ES content update is quite easy to understand and we can customise the savedsearches.conf (rules) to fit our environment. On other hand, Splunk security Essentials, we couldn't figure out where the rules exist and modify them.

Any ideas how to get the detection rules of Splunk Essentials?

Also what would be the future direction of these developments? wanted to stick to one of them if possible

Labels (3)
0 Karma

gcusello
Legend

Hi @koshyk,

At first they have different scopes:

  • ES is a complete SIEM with all the features of a modern SIEM: with Noteble Events managent, Investigations, Risk analysis, Threat Intelligence, Asset and Identity monitoring, etc...; it uses Datamodels so it's more performant than the others and it has a great number of turn key Use Cases; but it's a Premium App (to pay);
  • Content Updates is an additional library for ES (it cannot be used bu itself) that gives to it additional turn key Use Cases and it's a free app;
  • Security Essential, is a very interesting free App that gives to Splunk developers many samples (the most are the same of ES and CU) to use to develop own custom Use Cases; in addition it gives very interesting informations about the log sources for each Use Case than I don't understand why Splunk don't put in ES!

Which is better? 

ES has a cost but it's surely better than Security Essentials and requires less develop services, but requires a Splunk Specialist to install and configure.

If you need a SIEM or if you have many Use Cases to develop and many logs to monitor, ES is better than Security Essentials that requires develop activities and doesn't give all the features of ES.

To take the searches of Security Essentials, you have only to install and it gives you all the informations you need to use the searches.

About future development, only Splunk can answer to you! anyway ES is one of the most important components of Splunk offering, so I'm sure that it will be improved, CU is an additional component of ES so I think the same, Security Essentials is a free app that probably will maintaind and improved, but I'm not sure, there are other specialized Security Essentials that are in end of life (e.g. SE for fraud).

I hope to answer to alla your questions.

Ciao.

Giuseppe

koshyk
Super Champion

Thanks Giuseppe. I've configured ES at client site and have all been working good for few years. But in practice client is not able to map everything to CIM as lot of effort is required and their core Splunk team cannot do all application style data thus relying on application team who don't have an idea about CIM or splunk fields.

This goes back to customising use-cases which is available in backend (currently we couldn't figure out how to get the savedsearches/use-cases from Splunk ES Content update ) to modify it to fit non-CIM fields.

I feel other large companies will also experience the same as not everyone would be able to map all fields to CIM and has to rely on SME providing search based on raw data which they understand.

 

 

 

0 Karma

gcusello
Legend

Hi @koshyk,

if your customers haven't the capabilities to CIM normalize their data flows, it's an opportunity for your business!

Anyway, if the customers have only standard flows, you can use the TAs from Splunk baseline and you haven't CIM compatibility problems.

If instead your customers have custom flows, you can use tools from Splunk baseline to normalize these flows, I usually use SA-cim_validator (https://splunkbase.splunk.com/app/2968/) and Splunk Add-On Builder (https://splunkbase.splunk.com/app/2962/).

Ciao.

Giuseppe

0 Karma

koshyk
Super Champion

Remember we are talking about "custom" applications and my estimate is around 1200+ applications/sourcetypes and understanding every bit and data types is not what the Splunk team at client site is not pursuing. Also the format of logs and version changes all the time and hence the small splunk content team can never catchup. So it has to be outsourced to the Application SME.

I'm external consultant who will be called only during important or urgent requirements, so not fully into TA development these days. I've recommended few options that organisation should pursue logging standards as JSON so atleast key-value fields are present

0 Karma

gcusello
Legend

Hi @koshyk,

I understand, but CIM normalization is the base for ES and, I'd say, also for every correlation rule to create: if the customer doesn't correctly extract fields, they cannot use any search!

So my hint is a deep analysis of data flow and planning of a CIM normalization, as I said, it could be an opportunity for you!

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...