Description

The Splunk App for Enterprise Security 2.4 is here! Detecting today's advanced threats can no longer be done using only rule- and signature-based detection tools. It requires a comprehensive approach to security that can only be facilitated by a big data security intelligence platform that makes any data security-relevant, scales to terabytes of data per day, and provides comprehensive statistical analysis capabilities to help security investigators find anomalies and outliers. The Splunk App for Enterprise Security leverages the power of Splunk Enterprise to give security professionals a single solution to detect known threats and analyze massive volumes of data to look for unknown threats in normal user activity. Equally suitable for a small security team or an enterprise security operations center, the app is a primary data interface for the security professional faced with a growing list of threats from malicious insiders and advanced threats. For more information, see the Splunk ES Home Page.
This app is really quite good! If you have a number of the products listed in their "out of the box sourcetypes", they integrate really well: http://docs.splunk.com/Documentation/ES/latest/CreateTA/Out-of-the-boxsourcetypes
If you have products that don't have technology add-ons, it's not terribly difficult to integrate them by using the dashboard requirement matrix: http://docs.splunk.com/Documentation/ES/latest/CreateTA/DashboardRequirementsMatrix
Really, all you do is tag your data properly and then make sure that the data you tagged has the appropriate fields, and ES will consume your data and correlate it.
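As an added example (not configuration from the page, from the commenter, or from Splunk), here is what "tag your data properly and make sure it has the appropriate fields" looks like for a hypothetical VPN appliance that has no technology add-on. The sourcetype name acme:vpn, the vendor field names in the raw event and the sample log line are constructed for illustration; the tag (authentication) and the normalized field names (action, app, dest, src, user) are the Common Information Model Authentication fields that the requirements matrix linked above is keyed on.

```ini
# Added example, not from the page or from Splunk. Everything named acme_*
# and the sample event below are constructed for illustration.
#
# Constructed sample event for sourcetype acme:vpn:
#   2013-09-14T10:15:02Z vpn01 LOGIN result=FAILED user=jdoe client=203.0.113.7 vpnapp=ssl-portal

# ---- props.conf: parse the raw event and normalize it to CIM field names ----
[acme:vpn]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
# Extract the vendor's own field names. The appliance hostname is captured as
# host_name (not host) so the default Splunk host field is not clobbered.
EXTRACT-acme_vpn = ^\S+\s+(?<host_name>\S+)\s+LOGIN\s+result=(?<result>\w+)\s+user=(?<user>\S+)\s+client=(?<client>\S+)\s+vpnapp=(?<vpnapp>\S+)
# Alias the vendor names onto the CIM Authentication names ES dashboards expect.
FIELDALIAS-acme_vpn_cim = client AS src host_name AS dest vpnapp AS app
# Map the vendor's result values onto the CIM action values (success/failure).
LOOKUP-acme_vpn_action = acme_vpn_action_lookup result OUTPUT action

# ---- transforms.conf: the lookup table referenced above ----
[acme_vpn_action_lookup]
filename = acme_vpn_action.csv

# ---- lookups/acme_vpn_action.csv (CSV file contents) ----
# result,action
# FAILED,failure
# SUCCESS,success

# ---- eventtypes.conf: group the login events ----
[acme_vpn_auth]
search = sourcetype=acme:vpn LOGIN

# ---- tags.conf: the tag is what ES uses to pick the events up ----
[eventtype=acme_vpn_auth]
authentication = enabled
```

Before expecting the data to appear in the Access Protection dashboards, verify every required field is actually populated, for example with a search like `tag=authentication sourcetype=acme:vpn | table _time action app dest src user`. A new source that is tagged but has an empty or mis-cased field (action=FAILED instead of failure, for instance) is the usual reason it silently fails to show up, which is why the action values are normalized through the lookup rather than left as the vendor emits them.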
I have seen a similar customized dashboard in McAfee ePolicy Orchestrator with information collected from various McAfee products deployed in the lab environment. I have yet to see Splunk ESS so far.
A preview of the app is on YouTube:
http://youtu.be/HKi8J7JM068
http://youtu.be/83bG8ZIV30c
http://youtu.be/i3CUuZDlp1M
This is a great app. I'm a Splunker that came from a well-known SIEM company. I also have more than a decade of security practitioner experience. I have found that Splunk has done a great job at laying out the content in a way that will make a great deal of sense to anyone who follows the (ISC)2 way of thinking about security domains.
Building on the above, as you can see from the sample diagram above, there are headers at the top listing seven domains, each of which is a pull-down menu offering dashboards and content directly relevant to the domain. I personally have not seen such a smart and succinct way of laying out content. In much of the SIEM world, simply asking the question "OK, this is great, where is my home screen that weaves all this content together?" will produce nervous answers.
Want to know my favorite 'pet' feature of ESS? Under 'Endpoint Protection' there is actually a dashboard dedicated to time. Ever noticed how all security practitioners and SIEM companies espouse the value of accurate (read: NTP) time? When is the last time you saw a succinct, simple and effective place letting you know the status of time syncing of all your server devices? ;)
It would be nice if Splunk could offer an eval of this product. Thus far it's been a non-starter. Given the $$$$$$ price tag, I'm not willing to jump before test driving.
I feel the same. I get suspicious when a vendor does not offer an eval on a very pricey product.
This is because, with Splunk, you can just copy and paste the rules (searches) and build it on your own; if that were possible, where would the business go? :)
Anyway, I agree that Splunk controls this app; however, Splunk should reduce the price, because if the customer wants to use ES, it will lose the money game. Splunk Enterprise license + ES app = very pricey. Just my opinion :)