Splunk Security Essentials (SSE) shows available security content, explains how it works, and helps you deploy that content.
Below is a quick description of the app's four key goals: helping you find the right content, learn how to be successful, improve your deployment, and measure your success.
The #1 goal of Splunk Security Essentials is to help you find the best content. SSE ships with 120+ correlation searches, spanning basic SIEM use cases through detection of advanced adversaries. Everything is mapped to the Kill Chain and MITRE ATT&CK. But we didn't stop there! SSE includes all of the content from Enterprise Security, ES Content Update, and User Behavior Analytics, all mapped to the same frameworks and the same filters as everything else in the app. The Analytics Advisor shows gaps where you could immediately turn on detections for the data you already have. We even include a customized MITRE ATT&CK Matrix that overlays your active detections and what is available to deploy with the data already onboard!
Whether you're new to Splunk or new to security, Splunk Security Essentials helps you get up to speed faster by giving you useful information at the right time. The detections in the app include line-by-line SPL documentation that shows why they use the search commands they do, and each detection comes with context such as the security impact, how to implement it, how to respond when it fires, and known false positives.
We built a variety of tools into SSE to help your deployment be successful. The app enables you to understand your active security detections, whether they're out-of-the-box or custom content specific to your organization. The Data Introspection feature tracks what data is present in your environment and connects those products to the detections they enable. We'll even check your CIM compliance!
Security personnel will benefit from live dashboards that surface unexpected data latency (powered by Splunk Machine Learning), and they will be able to find gaps by measuring their coverage against common frameworks like MITRE ATT&CK.
Finally, ES users will have faster investigations thanks to pushing MITRE ATT&CK Tactics, Techniques, and Technique Descriptions, alongside Kill Chain phases, all into the Incident Review dashboard in ES. They can also analyze the ES Risk Framework to find users or systems with an unusually high level of risk or activity across multiple ATT&CK Tactics.
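The risk analysis described above, rolling individual risk events up per user or system and flagging objects that accumulate either a high cumulative score or activity across several ATT&CK tactics, can be sketched in a few dozen lines. The following is an added example, not code from Splunk Security Essentials or Enterprise Security; in Splunk this logic runs as SPL over the risk index, and the field names used here (risk_object, risk_object_type, risk_score, search_name, mitre_tactic), the sample events and the thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample risk events (not real data). Field names are loosely modelled
# on the ES risk index but are assumptions for this example only.
SAMPLE_RISK_EVENTS = [
    {"risk_object": "alice", "risk_object_type": "user", "risk_score": 20,
     "search_name": "Suspicious Email Attachment", "mitre_tactic": "initial-access"},
    {"risk_object": "alice", "risk_object_type": "user", "risk_score": 30,
     "search_name": "Office Spawning Shell", "mitre_tactic": "execution"},
    {"risk_object": "alice", "risk_object_type": "user", "risk_score": 40,
     "search_name": "New Scheduled Task", "mitre_tactic": "persistence"},
    {"risk_object": "bob", "risk_object_type": "user", "risk_score": 90,
     "search_name": "Excessive Failed Logins", "mitre_tactic": "credential-access"},
    {"risk_object": "bob", "risk_object_type": "user", "risk_score": 15,
     "search_name": "Excessive Failed Logins", "mitre_tactic": "credential-access"},
    {"risk_object": "srv-db01", "risk_object_type": "system", "risk_score": 25,
     "search_name": "Unusual Outbound Volume", "mitre_tactic": "exfiltration"},
]


@dataclass
class RiskSummary:
    """Aggregate view of one risk object (a user or a system)."""
    risk_object: str
    risk_object_type: str
    total_score: int = 0
    event_count: int = 0
    tactics: set = field(default_factory=set)   # distinct ATT&CK tactics seen
    sources: set = field(default_factory=set)   # distinct detections that contributed
    reasons: list = field(default_factory=list)  # why this object was flagged


def aggregate_risk(events):
    """Roll raw risk events up per (type, object): summed score, distinct tactics, distinct sources."""
    summaries = {}
    for ev in events:
        key = (ev["risk_object_type"], ev["risk_object"])
        summary = summaries.setdefault(
            key, RiskSummary(ev["risk_object"], ev["risk_object_type"]))
        summary.total_score += int(ev["risk_score"])
        summary.event_count += 1
        summary.tactics.add(ev["mitre_tactic"])
        summary.sources.add(ev["search_name"])
    return summaries


def find_risk_notables(events, score_threshold=100, tactic_threshold=3):
    """Return summaries that cross the cumulative-score bar or the tactic-diversity bar.

    The thresholds are example values chosen for this demo, not ES defaults.
    """
    flagged = []
    for summary in aggregate_risk(events).values():
        if summary.total_score >= score_threshold:
            summary.reasons.append(f"score {summary.total_score} >= {score_threshold}")
        if len(summary.tactics) >= tactic_threshold:
            summary.reasons.append(
                f"{len(summary.tactics)} distinct ATT&CK tactics >= {tactic_threshold}")
        if summary.reasons:
            flagged.append(summary)
    # Highest aggregate risk first, so the most pressing object is at the top of the list
    flagged.sort(key=lambda s: (s.total_score, len(s.tactics)), reverse=True)
    return flagged


if __name__ == "__main__":
    for s in find_risk_notables(SAMPLE_RISK_EVENTS):
        print(f"{s.risk_object_type}={s.risk_object}: score={s.total_score}, "
              f"tactics={sorted(s.tactics)}, sources={len(s.sources)}; "
              + "; ".join(s.reasons))
```

With the constructed input, bob is flagged on cumulative score alone even though every event came from the same detection, while alice is flagged on tactic diversity despite a lower score. Tracking distinct sources alongside the score is what lets an analyst tell the two apart: one noisy search repeating itself is a common false-positive mode, whereas several independent detections across tactics for one object is the pattern the risk framework is meant to surface.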
For those of us more used to technical work, demonstrating the business value of security can be tricky. Splunk Security Essentials can help all users by enabling simple audit-friendly reports on enabled correlation searches (even including your custom content) and tying bytes of data ingest to the detections they power. Some customers have used the MITRE ATT&CK Matrix to justify bringing on new data sources, and SSE has dashboards that specifically let you show how you could fill gaps by bringing on new data sources.
Splunk Security Essentials was built by Splunk's security practice team as a free tool to make our customers more powerful, regardless of their size, maturity, or what products they have.
"This is the tool I needed when I got started with Splunk Security."
Ryan Kovar, Principal Security Strategist, Splunk
"I got the security essentials tool loaded and did a basic overview with the SOC. They lit up like Christmas trees."
Security Tools Engineer, Fortune 100 Healthcare
"We received more value from Splunk Security Essentials in three days than we got in years from our old SIEM."
Security Analyst, Fortune 100 Financial
"I can take the content library off my list of projects for this year. It's already built!"
Director of Security, Small Financial Services