Security Detection Basics

Table of Contents

Introduction

When you’re getting started with Security Detections, you don’t need to be overwhelmed with everything that Splunk can do. This guide helps you view the key content that drives the most value, and also suggests pages and docs that provide the context to help accelerate success.

Other Recommendations

Security Data Journey

Splunk’s security experts analyzed a typical path that Splunk customers take through their Splunk Journey and formed it into six maturity stages. These will help you understand what data to ingest when, and what challenges and milestones are typically faced as organizations move forward.

  1. The Security Data Journey walks you though the path that we typically see newer customers walk as the mature. It details each stage with milestones and common challenges.

  2. The Journey also includes the data sources that we commonly seen at each stage of the journey for users pursuing Security Monitoring.

  3. Drag the slider-bar on the right side to view the details for other stages of the Journey.

  4. All of the content in Splunk Security Essentials is oriented towards this journey, so that if you’re just getting started you can limit yourself to just Stage one.

Data Source Onboarding Guides

Nine data source onboarding guides that are simple enough to use, but also blessed by Splunk’s professional services. These will tell you not only how to ingest data into Splunk, but also how to configure the systems in order to send the right data in the first place!

  1. This app contains 9 Data Source Onboarding Guides. You can find the full list at the top of the page.

  2. You can also choose to look at the categories below, and find a variety of products that Splunk commonly sees for each type of data.

  3. That data onboarding guides are written by Splunk field engineers, working in conjunction with Splunk Professional Services to make them as easy to use as possible while supporting your long term growth.

  4. You will see a variety of Splunk recommendations, usually with download-able apps or conf files.

  5. These guides step beyond just Splunk though, telling you how to configure the products to generate the data required to fire our detections.

Data Source Check

The data source check dashboard will look in your environment not just for the expected data, but also for the actual field extractions used by the free searches in Splunk Security Essentials, and provide you a list of checkboxes for what searches you can use.

  1. The Data Source Check dashboard tells you what searches would be ready to run in your environment. Click Start Searches to get started.

  2. The dashboard will launch 60+ pre-req tests. Each is really quick – the whole set should take less than 10 minutes and won’t overwhelm your Splunk.

  3. As the searches run, you will get back Green Checks or Red Explanation Points. A green check indicates that the pre-req test found the exact data, sourcetypes, and fields that the detection is expecting.

  4. If you’ve run the dashboard checks in the past, you can always re-run them on your current data, or you can click Retrieve Result to pull back your last result.

Security Posture Dashboards

Once you complete the Data Source Check, you can click “Create Posture Dashboards” in the upper right corner. That will let you create up to 50 dashboard panels looking at your actual data, and following Splunk best practices!

  1. The Security Posture dashboards only run on the data you have in your system, so make sure you run the Data Source Check searches first (or if you’ve run them before, click Retrieve Last Result.

  2. Once the checks are in place, you can click Create Posture Dashboards.

  3. There are three dashboards you can choose. Within each, some panels are enabled by default, some disabled, and some unavailable as you don’t have the required data.

  4. If you want to see the intended result, you can click Use Demo Datasets and all the dashboards will use CSV demo data.

  5. After clicking Create Dashboards, you will get a link to each dashboard. They’ll also be added to navigation.

  6. These are SimpleXML dashboards using Splunk best practices (with post-processing and using accelerated data models if possible). That makes them easy to customize, or copy-paste into your dashboards.