Configure and administer Splunk Enterprise Security

Splunk Enterprise Security uses the Splunk Platform's searching and reporting capabilities to provide the security practitioner with an overall view of their organization's security posture. Splunk Enterprise Security uses detections to provide visibility into security-relevant threats and generate findings to track identified threats. You can capture, monitor, and report on data from devices, systems, and applications across your environment.

Splunk Enterprise Security can be paired with Splunk SOAR (Cloud) to provide additional orchestration, automation, and response capabilities.

Use this manual to learn how to customize, maintain, audit, and administer Splunk Enterprise Security.

For an overview of the app and the analyst workflow, refer to the Use Splunk Enterprise Security manual.

For information on how to plan, install, deploy, upgrade, and pair Splunk Enterprise Security with other apps, refer to the Install and Upgrade Splunk Enterprise Security manual.

For information on telemetry, fixed issues, known issues, third party software credits, and so on, refer to the Splunk Enterprise Security Release Notes.

For information on troubleshooting common issues in Splunk Enterprise Security, refer to the Troubleshooting Splunk Enterprise Security manual.

Audience for this guide

The following table summarizes the various users of Splunk Enterprise Security and how they can use the information in this manual to achieve their goals:

User type or security mindset Primary goals or administration tasks
Security analyst or incident response analyst
  • Create and monitor dashboards for findings
  • Create and monitor security investigations
  • Respond, resolve, and escalate findings and investigations
  • Compose security alert notifications and other communication
  • Explore and deploy tools within the security infrastructure
  • Learn about the latest vulnerabilities, exploits and other threat information
  • Build predictive capabilities by detecting patterns
  • Support auditing and compliance through effective reporting
  • Develop, customize, and implement threat detection analytics
  • Collaborate with other analysts, users, and organizations to mitigate threats
SOC manager or incident response manager
  • Manage the resources and personnel for the smooth functioning of the security operations center (SOC)
  • Prevent cyber-attack and protect end users
  • Measure the effectiveness of the safeguards through audits and risk analysis
  • Define strategies for analysts and incident responders
Threat hunter
  • Proactive and advanced threat hunting that evades traditional security solutions
  • Build predictive capabilities in tools
  • Learn about the constantly evolving threat landscape
  • Respond to cyber incidents using the shortest mean time to detect and remediate (MTDR), reviewing threat intelligence feeds, and patching old or new vulnerabilities
Security tools engineer
  • Identify, provide, and customize the best tools and infrastructure for the SOC
  • Maintain all systems in optimal run state
  • Provide improved reports for management using existing visualization libraries
  • Configure and adjust thresholds for tools and dashboards
  • Collaborate with product teams to design new solutions
  • Collect data and implement solutions for analysts or management
  • Detect, analyze, and prevent high risk threats from impacting the SOC
Security architect
  • Identify security requirements, design, and implementation across the business unit
  • Define SOC architectures and safety-roadmaps for an organization.
  • Design comprehensive security tools, implement security protocols, audit networks to prevent cyber-attacks
  • Create disaster recovery plans
Chief Information Security officer (CISO)
  • Get executive buy-in for the security strategy using innovative solutions
  • Review visualizations, reports, and timelines to identify big risks and successes
Detection engineer
  • Limit the response time to alerts and reduce attack surface
  • Create detections to reduce excessive alerting and develop informed responses
Threat researcher
  • Develop and deploy awareness of evolving industry and malware threats and how it might impact your SOC to help in network defense
  • Share intelligence with the intended audience by combining contextual knowledge with the overall threat landscape
  • Track threat infrastructure, run queries against databases, and support active security investigations by collaborating with incident response teams