Using Splunk Enterprise Security Flashcards
ES use cases
Malware protection
Insider threat
User behaviour
Who uses ES
Security analysts
SOC staff
Security execs/managers
Security auditors
How ES Works
Raw events are indexed
Data model summary searches run (normalization is applied, key/value pairs stored in DM TSIDX)
Data is available for ES
ES background searches process data
ES searches for threats and anomalies
Data models
Normalize data
ES depends heavily on accelerated data models
Use | tstats searches with summariesonly = true to search accelerated data
What happens when a correlation search detects an Indicator of Compromise (IOC)
ES creates an alert called a notable event
What a notable event is called once it is assigned to an analyst
Incident
What index is used by correlation searches
Notable
ES roles
ES User - ess_user - Runs real-time searches and views all ES dashboards
ES Analyst - ess_analyst - Owns notable events and performs notable event status changes
ES Admin - ess_admin - Configures ES system-wide, including adding ES users, managing correlation searches, and adding new data sources
Urgency of notable event is a combination of two factors
Severity
Priority
What happens when more than one asset or identity is involved in a single notable event
The one with the highest priority determines the urgency
Expanding an event before the search is complete
Not possible
Send to UBA adaptive response action
UBA must be installed on the ES search head for this Response Action to be available.
Manual notable event creation
Useful when you have source event data that has not (yet) been identified by ES as suspicious, and you want to create a notable event that will identify the issue and allow you to track it
Suppressing Notable Events
Useful if you are getting false positives from a host or a user
Who is allowed to create and suppress notable events
ES Admin must give the ess_analyst and ess_user roles the Edit Notable Event Suppressions permission