Enterprise Security Expansion Use Case
Splunk Enterprise Security (ES) is a product that requires significant configuration and preparation so that you can truly realize the value of the platform. One of the biggest challenges most encounter is onboarding the right data and aligning that data to the Common Information Model. The ES Expansion use case will walk Atlas customers through achieving ES outcomes by helping them to prioritize the data they need to onboard and make the software perform optimally in their environment.
Atlas Elements Utilized
- Primary:
- Secondary:
Outcomes
Identify Common Information Model Improvements to Enhance ES
Enterprise Security (ES) relies on the Common Information Model (CIM) to normalize disparate data inputs, and its correlation searches query the accelerated CIM data models (typically with tstats summariesonly=true). If a data model is not accelerated, or its acceleration has fallen behind, the correlation searches that depend on it return incomplete or empty results, so maintaining awareness of acceleration status is crucial in any environment.
- Review the acceleration status of the CIM data models. Ensure the model accelerations match assumptions: which models are accelerated, over what summary range, and whether the summaries are up to date. These models should be accelerated unless there are environmental constraints or SVC (Splunk Virtual Compute) concerns.
Ensure Correlation Searches Are Executing
Correlation searches form the critical framework of Enterprise Security operations. Scheduled to run at regular intervals, they correlate disparate data sets through the Common Information Model to identify significant security events such as brute-force login attempts, notable vulnerabilities, and various risk factors. The consistent and reliable execution of these searches is essential for a robust security posture. In Splunk, the scheduler skips a scheduled search when it cannot start it on time, most often because the instance-wide or per-search concurrency limit has been reached. Unless the search uses continuous scheduling, a skipped run is never made up, so events that occurred in that window never produce a notable in Enterprise Security.
- Open the Scheduling Assistant element.
- Filter by App and select Enterprise Security.
- Utilize the KPIs displayed at the top of the page to locate the scheduled searches that have high or moderate skipped ratios.
  - High skipped ratio = skipped runs / scheduled runs > 5%
  - Moderate skipped ratio = skipped runs / scheduled runs between 0% and 5%
- Click on the KPI to isolate the searches identified by Atlas.
- Click on a search to perform a detailed analysis of the search.
- Use the Cron Schedule field and click the Submit Preview button to test a new schedule and assess the impact of the schedule change.
- Find a new schedule that reduces Concurrent Schedulings and Average Concurrency and minimizes changes to the limit breach ratio.
- Impacts are indicated by colors in the Change field.
- If the modeled change output is desirable, click on the Save Changes to implement the schedule change.
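The skipped-ratio bands above can be reproduced outside Atlas from the scheduler's own log, which is useful for verifying what the Scheduling Assistant reports or for a Splunk environment that does not run Atlas. The following is an added example, not Atlas or Splunk code: it parses scheduler.log-shaped lines (the events Splunk writes to index=_internal sourcetype=scheduler), keeps only searches owned by the ES app, and applies the page's 5% threshold. The log lines are constructed sample data; the field names used (app, savedsearch_name, status, reason) match the real scheduler log, but counting only status=success and status=skipped as scheduled runs, and treating a 0% ratio as "none" rather than "moderate", are this example's assumptions.

```python
"""Skipped-run ratios for Enterprise Security correlation searches.

Added example, not Atlas or Splunk code. Input is scheduler.log-shaped text
(index=_internal sourcetype=scheduler); the SAMPLE_LINES below are constructed.
"""
import re
from collections import defaultdict

ES_APP = "SplunkEnterpriseSecuritySuite"
HIGH_THRESHOLD = 0.05          # page's rule: skipped / scheduled > 5% is "high"
COUNTED_STATUSES = {"success", "skipped"}   # assumption: other statuses ignored

# key=value and key="quoted value" pairs as written by the Splunk scheduler
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_line(line):
    """Return the key=value fields of one scheduler.log line as a dict."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def skipped_ratios(lines, app=ES_APP):
    """Per search in `app`: scheduled runs, skipped runs, ratio and skip reasons."""
    stats = defaultdict(lambda: {"scheduled": 0, "skipped": 0, "reasons": defaultdict(int)})
    for line in lines:
        f = parse_line(line)
        if f.get("app") != app or "savedsearch_name" not in f:
            continue
        if f.get("status") not in COUNTED_STATUSES:
            continue
        s = stats[f["savedsearch_name"]]
        s["scheduled"] += 1
        if f["status"] == "skipped":
            s["skipped"] += 1
            s["reasons"][f.get("reason", "unknown")] += 1
    return {
        name: {**s, "ratio": s["skipped"] / s["scheduled"], "reasons": dict(s["reasons"])}
        for name, s in stats.items()
    }


def classify(ratio):
    """Page's bands: >5% high, 0-5% moderate; exactly 0% reported as 'none' (assumption)."""
    if ratio > HIGH_THRESHOLD:
        return "high"
    return "moderate" if ratio > 0 else "none"


def report(lines):
    """Rows of (name, band, ratio, skipped, scheduled, top skip reason), worst first."""
    rows = []
    for name, s in skipped_ratios(lines).items():
        top_reason = max(s["reasons"], key=s["reasons"].get) if s["reasons"] else ""
        rows.append((name, classify(s["ratio"]), s["ratio"], s["skipped"], s["scheduled"], top_reason))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# ---- constructed sample data (not a real log) --------------------------------
LIMIT_REASON = ("The maximum number of concurrent historical scheduled searches "
                "on this instance has been reached")


def _constructed_line(app, name, status, scheduled_time, reason=LIMIT_REASON):
    """Build one scheduler.log-shaped line; layout mirrors the real log, values are made up."""
    base = ('10-04-2023 10:15:00.000 +0000 INFO  SavedSplunker - '
            f'savedsearch_id="nobody;{app};{name}", search_type="scheduled", user="nobody", '
            f'app="{app}", savedsearch_name="{name}", priority=default, status={status}')
    if status == "skipped":
        return base + f', reason="{reason}", concurrency_category="historical_scheduled", scheduled_time={scheduled_time}'
    return base + f', scheduled_time={scheduled_time}, run_time=2.31, result_count=0'


def _runs(app, name, total, skipped):
    return [_constructed_line(app, name, "skipped" if i < skipped else "success", 1696414500 + 300 * i)
            for i in range(total)]


SAMPLE_LINES = (
    _runs(ES_APP, "Access - Brute Force Access Behavior Detected - Rule", 20, 3)   # 15%  -> high
    + _runs(ES_APP, "Threat - Threat List Activity - Rule", 20, 1)               # 5%   -> moderate
    + _runs(ES_APP, "Endpoint - Anomalous New Process - Rule", 10, 0)            # 0%   -> none
    + _runs("search", "Daily Report", 4, 4)                                      # other app, filtered out
)

if __name__ == "__main__":
    for name, band, ratio, k, n, reason in report(SAMPLE_LINES):
        print(f"{band:8} {ratio:6.1%}  {k:>2}/{n:<2}  {name}  {reason}")
```

Against a live environment, export the scheduler events for the time range of interest and feed them to report() line by line; the top skip reason tells you whether the fix is a schedule change (concurrency limit reached, as in the Scheduling Assistant workflow above) or a search that runs longer than its own interval.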