Version: Atlas v3.11

Enterprise Security Expansion Journey

Splunk Enterprise Security (ES) is a product that requires significant configuration and preparation before you can truly realize the value of the platform. One of the biggest challenges most customers encounter is onboarding the right data and aligning that data to the Common Information Model (CIM). The ES Expansion Journey walks Atlas customers through achieving ES outcomes by helping them prioritize the data they need to onboard and tune the software so it performs optimally in their environment.

Atlas Elements Utilized

Outcomes

Identify Common Information Model Improvements to Enhance ES

Enterprise Security (ES) relies on the Common Information Model (CIM) to integrate various data inputs and carry out correlation searches. The ES Helper component of Atlas provides clear reporting on data ingestion by data model and tracks the acceleration status of each model. While acceleration speeds up searches, it can also increase SVC consumption, so staying aware of acceleration status is crucial in any environment.

  1. Open the ES Helper Atlas element.
  2. Record the score given by the Dashboard. A higher score denotes that more actionable and useful data sets are being populated.
  3. Identify high-priority data models in the report that are not being populated. Make a note of these data sets and investigate whether they align with the security mission for which ES is being leveraged.
  4. Review acceleration status of the data models. Ensure the model accelerations match assumptions. These models should be accelerated unless there are environmental constraints or SVC concerns.

Ensure Correlation Searches Are Executing

Correlation searches form the critical framework for Enterprise Security operations. Scheduled to run at regular intervals, they correlate disparate data sets through the Common Information Model to identify significant security events such as failed logins, notable vulnerabilities, and various risk factors. Consistent, reliable execution of these searches is essential to a robust security posture. In Splunk, scheduled searches can be skipped, which means security events may go unrecorded in Enterprise Security.

  1. Open the Scheduling Assistant element.
  2. Filter by App and select Enterprise Security.
  3. Utilize the KPIs displayed at the top of the page to locate the scheduled searches that have high skipped ratios.
    1. High skipped ratio: skipped runs / scheduled runs > 5%
    2. Moderate skipped ratio: skipped runs / scheduled runs between 0% and 5%
  4. Click on the KPI to isolate the searches identified by Atlas.
  5. Click on a search to perform a detailed analysis of the search.
  6. Use the Cron Schedule field and click the Submit Preview button to test a new schedule and assess the impact of the schedule change.
    1. Find a new schedule that reduces Concurrent Schedulings and Average Concurrency and minimizes changes to the limit breach ratio.
    2. Impacts are indicated by colors in the Change field.
  7. If the modeled change output is desirable, click Save Changes to implement the schedule change.
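The skipped-ratio check from step 3 above, as an added Python example (not Atlas's or Splunk's own code): it counts scheduled and skipped runs per correlation search from constructed lines shaped like the key=value fields Splunk's scheduler writes (app, savedsearch_name, status), then applies the High and Moderate bands stated in the steps. The line layout, field names and search names are assumptions, and a search with no skips at all is labelled "OK", a distinction the steps do not make.

```python
import re
from collections import defaultdict

# Threshold stated in the Scheduling Assistant steps above.
HIGH_RATIO = 0.05  # skipped/scheduled > 5% is "High"; 0-5% is "Moderate"

# Constructed records: (app, savedsearch_name, successful runs, skipped runs).
# Names follow the style of ES correlation searches but are sample values only.
SAMPLE_RUNS = [
    ("SplunkEnterpriseSecuritySuite", "Access - Brute Force Access Behavior Detected - Rule", 9, 1),
    ("SplunkEnterpriseSecuritySuite", "Threat - Threat Activity Detected - Rule", 19, 1),
    ("SplunkEnterpriseSecuritySuite", "Endpoint - Host With Multiple Infections - Rule", 4, 0),
    ("search", "Daily Capacity Report", 2, 2),  # not an ES search; must be filtered out
]

LINE_FMT = 'INFO  SavedSplunker - app="{app}", savedsearch_name="{name}", status={status}'

def render_sample_log(runs=SAMPLE_RUNS):
    """Emit constructed lines shaped like the key=value fields of scheduler.log (assumed layout)."""
    lines = []
    for app, name, ok, skipped in runs:
        lines += [LINE_FMT.format(app=app, name=name, status="success")] * ok
        lines += [LINE_FMT.format(app=app, name=name, status="skipped")] * skipped
    return "\n".join(lines)

LINE_RE = re.compile(r'app="(?P<app>[^"]*)", savedsearch_name="(?P<name>[^"]*)", '
                     r'status=(?P<status>\w+)')

def skipped_ratios(log_text, app="SplunkEnterpriseSecuritySuite"):
    """Per search in `app`: (scheduled runs, skipped runs, skipped ratio)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("app") != app:
            continue  # other apps (or unparseable lines) are outside the ES filter
        counts[m.group("name")][0] += 1                 # every record is a scheduled run
        counts[m.group("name")][1] += int(m.group("status") == "skipped")
    return {n: (sched, skip, skip / sched) for n, (sched, skip) in counts.items()}

def classify(ratio):
    """Apply the page's bands; exactly zero skips is reported as 'OK' here."""
    if ratio > HIGH_RATIO:
        return "High"
    return "Moderate" if ratio > 0 else "OK"

def report(log_text):
    """Rows of (name, scheduled, skipped, band), worst skipped ratio first."""
    rows = [(name, sched, skip, classify(ratio))
            for name, (sched, skip, ratio) in skipped_ratios(log_text).items()]
    return sorted(rows, key=lambda r: -r[2] / r[1])

if __name__ == "__main__":
    for name, sched, skip, band in report(render_sample_log()):
        print(f"{band:8} {skip}/{sched} skipped  {name}")
```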