SPLK-3001 ES Introduction

ES Introduction Detailed Explanation

1. What is Splunk Enterprise Security (ES)?

Splunk Enterprise Security (ES) is an advanced application that runs on top of the standard Splunk platform. While Splunk is a powerful tool for searching, monitoring, and analyzing machine-generated data (like logs), Splunk ES is specifically built to help cybersecurity teams.

Think of it this way:

• Splunk Core = General-purpose data platform (for IT operations, logs, metrics, etc.)

• Splunk ES = Specialized security "layer" on top of Splunk Core

It turns Splunk into a SIEM – Security Information and Event Management system. A SIEM collects data from many systems, identifies threats (through correlation), and helps security teams respond quickly.

2. Why is Splunk ES Important?

In today’s digital world, organizations deal with a lot of threats:

• Hackers trying to get in

• Malware infections

• Phishing attacks

• Insider threats

Splunk ES helps companies:

• Detect suspicious activity in real-time

• Investigate incidents effectively

• Meet compliance standards

• Reduce the time to detect and respond to threats (known as MTTD and MTTR)

3. Core Concept: Security Posture Dashboard

This is one of the first screens you'll see in Splunk ES.

• It shows real-time insights into your organization's security health.

• It highlights "Notable Events" – these are alerts generated when something potentially dangerous happens (we'll explain these in detail soon).

• It uses risk scoring to tell you how critical certain issues are.

Example:

If 10 failed login attempts were detected from a foreign IP address on a server, a Notable Event would be created and shown on the dashboard with a high-risk score.

You can think of this dashboard like the command center in a security operations center (SOC). Analysts use it to get a quick overview of:

• What’s happening now?

• What’s most urgent?

• What do I need to look into first?

4. Core Concept: Data Models & CIM (Common Information Model)

This is a critical concept in Splunk ES.

What is CIM?

The Common Information Model (CIM) is a set of data standards that help Splunk understand and categorize data consistently.

Different tools and devices (like firewalls, antivirus systems, or Windows logs) generate logs in different formats. That makes analysis hard.

CIM solves this by:

• Mapping raw data into standardized fields

• Making it possible to run one search or correlation rule across many types of data

What is a Data Model?

In Splunk, a Data Model is like a predefined structure that represents a specific type of data – for example:

• Authentication data

• Intrusion detection data

• Web activity data

Each data model follows CIM formatting rules.

Imagine you have firewall logs, Windows security logs, and Cisco logs. They all describe "logins", but in different ways. With CIM and data models, Splunk standardizes all those fields so you can write one search like:

| tstats count from datamodel=Authentication where action=failure by user

And it will work across all those sources.

5. Key Component: Notable Events

A Notable Event is one of the most important features in Splunk ES.

What is it?

A Notable Event is an alert that’s created when certain conditions are met in your data. These conditions are defined by something called a correlation search (we’ll discuss those more in another module).

Example:

Let’s say you have a rule that says:

“If more than 5 failed login attempts happen from the same user within 10 minutes, generate an alert.”

If that happens, a Notable Event is generated and sent to the Incident Review Dashboard for the security team to look at.

Why are they called “Notable”?

Because not all events in Splunk are important. Splunk collects millions of logs. Notable Events are the ones that stand out and need human attention.

Notable Events include:

• Risk score

• Description of the event

• Time it occurred

• Source of the data

• Links to raw data

These events help you focus only on what matters.

6. Key Component: Incident Review Dashboard

Once Notable Events are created, where do they go?

They appear in the Incident Review Dashboard.

What is it?

It’s a central workspace for security analysts. Here’s what you can do:

• View all current Notable Events

• Filter by urgency, time, type, or system

• Assign events to team members

• Change status (e.g., New, In Progress, Closed)

• Add notes or tags

This dashboard supports a triage process, which is the step-by-step investigation and decision-making process.

Example:

An analyst sees a Notable Event about multiple failed logins. They:

1. Click to view raw data.

2. Check if the user has triggered similar events in the past.

3. Look up the source IP.

4. Decide: is this a brute-force attack or just a user who forgot their password?

They then assign the case to a team member or close it with a reason.

This dashboard helps organize the security team's workflow and keeps track of every action taken.

7. Key Component: Assets and Identities

This is where things get even smarter.

What is this about?

Assets = Devices, such as laptops, servers, routers
Identities = Users, such as employees or accounts

Splunk ES uses lookup tables to map raw data (like IP addresses or usernames) to human-readable context.

Example:

Instead of just showing:

"Login failed for user123 from 10.10.5.12"

Splunk can show:

"Login failed for John Smith (Finance Dept) from IP 10.10.5.12 (assigned to Laptop123)"

This makes investigations much easier and faster, because you:

• Understand who is affected

• Know which department or device was involved

• Can prioritize alerts involving high-value assets (like domain controllers or C-suite accounts)

Bonus Feature: Contextual Enrichment

This is what we call "data enrichment" – taking simple raw data and giving it more context. It allows for:

• More accurate correlation searches

• Better risk scoring

• Smarter alert suppression (ignore low-priority systems)

ES Introduction (Additional Content)

1. Modular Composition of Splunk ES

Splunk Enterprise Security (ES) is not a single monolithic application. It is a modular platform composed of multiple content packs, each designed to address specific categories of security threats or operational domains.

a. Security Domain Modules

Each module focuses on a different security perspective and is powered by its own data model and correlation logic. Common domains include:

• Access: Monitors authentication attempts, account usage, and identity anomalies.

• Endpoint: Tracks behavior on hosts such as laptops or servers, including malware detections or file activity.

• Network: Observes traffic patterns, connection anomalies, and possible lateral movement within internal or external networks.

• Identity: Enriches event data with user identity and organizational context.

• Threat: Integrates threat intelligence indicators (IP addresses, domains, hashes) and highlights IOCs in the environment.

b. Data Model Support

Each module relies on a corresponding CIM-compliant data model, which standardizes raw log data across different technologies. This allows Splunk ES to generate consistent visualizations, correlation searches, and dashboards, regardless of the data source.

In practice, this modularity helps organizations build a structured and scalable security monitoring strategy by enabling or customizing only the modules that are relevant to their risk profile or data availability.

2. Relationship Between Splunk Apps, Add-ons, and ES

To understand how Splunk ES operates, it’s important to clarify how it works on top of Splunk Core and in conjunction with Apps and Add-ons.

a. Splunk Core vs. ES

• Splunk Core is the base platform that provides indexing, searching, and visualization capabilities.

• Splunk ES is a premium application that runs on top of Splunk Core to enable advanced security analytics and threat detection.

b. Apps vs. Add-ons

• Apps in Splunk typically include visual dashboards, saved searches, and user interfaces. They’re used to interact with the data.

• Add-ons (TAs - Technology Add-ons) are designed to normalize and parse incoming data. They extract fields, assign tags, and align logs with the Common Information Model (CIM).

c. Why Add-ons Are Crucial to ES

Splunk ES depends heavily on Add-ons because:

• Add-ons prepare the raw data by transforming it into CIM-compliant format.

• ES uses data models based on CIM. Without properly formatted input data, ES modules won’t function correctly.

• Most dashboards, correlation searches, and alerts in ES assume the underlying data is normalized through Add-ons.

d. The ES Data Pipeline

You can think of the relationship as a three-tier foundation:

• Add-on: Parses and tags raw logs (field extraction, CIM mapping).

• Data Model (CIM): Standardizes the structure and semantics of the parsed data.

• ES Modules: Use the standardized models to drive security analytics and visualizations.

This tightly integrated pipeline ensures that diverse log sources (e.g., firewall, antivirus, cloud service logs) can all be analyzed using the same searches and dashboards in Splunk ES.

Summary

Understanding the modular design of ES and its dependence on CIM-compliant data is key to effective deployment and use. Without properly structured input (via Add-ons), the full capabilities of ES cannot be realized, and many detection and visualization features will either fail or provide misleading results.