Splunk Enterprise Security Integration with Incident Management
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
Customers using Splunk Enterprise Security (ES) can leverage this integration to send real-time Zero Trust alerts using Content Library correlation searches to populate incidents in the Splunk ES dashboard. Those incidents can then be added to investigations and use the Zero Trust-specific data that Superna Security Edition provides.
Solution Overview
The Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into a security tool to be acted on by SecOps teams. The Splunk platform continuously searches the indexed fields and exposes Security Edition alerts as incidents, which then serve as a data source for investigations within Splunk ES.
What Is Splunk Enterprise Security?
Splunk Enterprise Security (ES) is a data-centric, modern security information and event management (SIEM) solution that delivers data-driven insights for full-breadth visibility into your security posture so you can protect your business and mitigate risk at scale.
Solution Configuration in Splunk Enterprise and Defender Zero Trust
Prerequisites
- Installed Security Edition
- Installed Splunk Enterprise Security
- Integration configured with Superna Zero Trust — see the Splunk Enterprise integration guide
- Eyeglass OS appliance version 15.5 — verify with
cat /etc/os-release
Configuration in Splunk Enterprise Security
- Log in to the Splunk ES application as an administrator.
- Open Content Management under the Configure menu.
- Click to create a new Content → Correlation Search.
- Provide a search name that will display on incidents. Use the recommended search parameters.
- Click to create an action to run on a match and select Notable.
- Configure the Notable Event settings.
- Click Save.
The correlation search defaults to 5-minute intervals for locating new incidents to raise within Splunk ES.
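The click-through steps above create a saved search with a Notable action behind the scenes. The stanza below is an added example, not configuration shipped by Superna or Splunk, of the equivalent savedsearches.conf definition for an ES correlation search scheduled every 5 minutes. The index name `superna`, the sourcetype `superna:zerotrust`, and the fields `src_host`, `user`, and `signature` are assumed placeholders; replace them with the index, sourcetype, and field names produced by your Zero Trust integration.

```ini
# Added example stanza (not from the Superna guide or Splunk ES defaults).
# Assumed placeholders: index=superna, sourcetype=superna:zerotrust and the
# fields src_host, user, signature. Adjust to match your integration.
[Superna - Zero Trust Alert - Rule]
# Register the saved search as an ES correlation search
action.correlationsearch.enabled = 1
action.correlationsearch.label = Superna Zero Trust Alert

# Run every 5 minutes, matching the default interval described above
enableSched = 1
cron_schedule = */5 * * * *
schedule_window = auto

# Look back 7 minutes rather than 5 so a delayed forwarder does not leave
# a gap between runs; throttling below suppresses the resulting duplicates
dispatch.earliest_time = -7m@m
dispatch.latest_time = now

# Raise the action whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0

# Throttle: one notable per host/user pair per 24 hours
alert.suppress = 1
alert.suppress.fields = src_host,user
alert.suppress.period = 86400s

# Aggregate the Zero Trust events per host and user so each notable
# summarizes a burst instead of producing one notable per raw event
search = index=superna sourcetype="superna:zerotrust" \
  | stats count earliest(_time) as first_seen latest(_time) as last_seen values(signature) as signature by src_host user

# Notable Event settings; $field$ tokens are filled from each result row
action.notable = 1
action.notable.param.rule_title = Superna Zero Trust alert on $src_host$
action.notable.param.rule_description = Security Edition raised $count$ Zero Trust event(s) for user $user$ on $src_host$ (signatures: $signature$)
action.notable.param.security_domain = endpoint
action.notable.param.severity = high
action.notable.param.drilldown_name = View raw Zero Trust events for this host and user
action.notable.param.drilldown_search = index=superna sourcetype="superna:zerotrust" src_host="$src_host$" user="$user$"
```

Two checks worth doing before saving: run the `search` line by hand over the last 24 hours to confirm the assumed field names actually exist in your Zero Trust events (an empty result here means the correlation search will never fire), and keep `dispatch.earliest_time` at least as wide as the cron interval so that late-arriving events are not silently missed.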
How to View Incidents in Splunk ES and Map to Investigations
- Before you begin, ensure Zero Trust events have been raised so that you can validate that the correlation search is working.
- Once Zero Trust events have been parsed by Splunk indexes, the correlation search locates them and they appear in the Incident Dashboard.
- Open an investigation — incidents from the dashboard can be assigned to the open investigation.