Eyeglass Solutions Publication

Splunk Enterprise Security Integration with Incident Management


Overview

Customers using Splunk Enterprise Security can use this integration to send real-time Zero Trust alerts, through Content Library correlation searches, to populate incidents in the Splunk Enterprise Security dashboard. These incidents can then be added to investigations, which can draw on the Zero Trust specific data provided by Superna Security Edition.


Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort, without any SLA on response time. No 3rd party product support can be provided by Superna directly; 3rd party components require their own support contracts.

Limitations


Solution Overview

The Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR and XDR platforms. Automation begins with data that summarizes the threat and places that information into security tools, where it can be acted on by SecOps and used to run playbooks that protect corporate IT assets from vulnerabilities and from insider or external attackers. The Splunk platform can search fields on a continuous basis and expose Security Edition alerts as incidents, which then serve as a data source for Investigations within Splunk ES.


What is Splunk Enterprise Security?

Splunk Enterprise Security (ES) is a data-centric, modern security information and event management (SIEM) solution that delivers data-driven insights for full-breadth visibility into your security posture so you can protect your business and mitigate risk at scale.


Solution Configuration in Splunk Enterprise and Defender Zero Trust

Prerequisites

  1. Security Edition installed
  2. Splunk Enterprise Security installed
  3. Integration configured with Superna Zero Trust. See the integration guide here.
  4. Eyeglass OS appliance version 15.5; verify the installed version with:
    1. cat /etc/os-release


Configuration in Splunk Enterprise Security

  1. Log in to the Splunk ES application as an administrator.
    1. Open Content Management under the Configure menu.
    2. Click to create new content and select Correlation Search.
    3. Provide a search name that will appear on incidents. Recommended search parameters are shown below.
    4. Click to create an action to run on a match and select Notable.
      1. Notable Event configuration is shown below.
      2. Click Save.
  2. Done. By default the correlation search runs every 5 minutes to locate new incidents to raise within Splunk ES.
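The savedsearches.conf stanza below is an added illustration of what the correlation search created in the steps above looks like on disk; it is not Superna's recommended configuration (those parameters are in the guide's screenshots) and not part of the original page. The stanza name, the index and sourcetype placeholders, and the field names alert_id, user and dest are assumptions to be replaced with the values produced by your Superna integration; the 5-minute cron schedule matches the default interval noted above.

```ini
# Added example stanza (assumed values, not Superna's documented parameters).
# Index, sourcetype and the field names alert_id, user and dest are placeholders.
[Superna Security Edition - Zero Trust Alert - Rule]
description = Raises a notable event for each new Superna Zero Trust alert indexed in Splunk

# Mark the saved search as an ES correlation search so it appears in Content Management.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Superna Security Edition - Zero Trust Alert

# Run every 5 minutes (the default described in the guide) and look back slightly
# further than the schedule so late-arriving events are not missed.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = now

# Placeholder search: one result row per alert, carrying the fields used in the notable.
search = index=<superna_index> sourcetype=<superna_zero_trust_sourcetype> | stats earliest(_time) as first_seen latest(_time) as last_seen count by alert_id user dest

# Adaptive response action: create a notable event on the Incident Review dashboard.
action.notable = 1
action.notable.param.rule_title = Superna Zero Trust alert $alert_id$ for user $user$
action.notable.param.rule_description = Superna Security Edition raised a Zero Trust alert ($count$ events) involving $user$ on $dest$
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
action.notable.param.drilldown_name = View the raw Superna alert events
action.notable.param.drilldown_search = index=<superna_index> sourcetype=<superna_zero_trust_sourcetype> alert_id=$alert_id$

# Throttle: a repeating alert with the same alert_id does not open a new notable every 5 minutes.
alert.suppress = 1
alert.suppress.fields = alert_id
alert.suppress.period = 86400s
```

Place the stanza in the local/savedsearches.conf of an app that ES can read, or create the same settings through Content Management, which writes equivalent keys. Then confirm the search is listed under Configure > Content Management and that a test Zero Trust event produces a notable on the Incident Review dashboard; if it does not, check the time range and the placeholder index, sourcetype and field names first.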



How to View Incidents in Splunk ES and map to investigations

  1. Before you begin, ensure Zero Trust events have been raised so that you can validate that the correlation search is working.
  2. Once Zero Trust events have been parsed into Splunk indexes, they are found by the correlation search and shown on the Incident dashboard.
    1. Once an investigation is open, these incidents can be assigned to the open investigation.



© Superna Inc