Splunk Enterprise Security

Solution Overview
Splunk Enterprise Security (ES) lets security teams consolidate data from many sources into a single platform for managing their security posture. Splunk ES supports a wide range of threat-related activities, including incident response, SOC operations, visibility and monitoring, and executive reporting. Security analysts, operators and managers can use Splunk's search and visualization capabilities to streamline their security workflows and reduce risk to the enterprise.

Goals & Objectives

This lab is built on a virtual environment in which Tanium and other security tools gather data from Windows and Linux servers and workstations and send it to Splunk. Specific security events have been engineered to give the user an in-depth understanding of the capabilities of Splunk ES.
This lab demonstrates how Splunk Enterprise Security can:
  • Collect data from various sources.
  • Improve security operations by driving efficiency and reducing response times.
  • Increase investigation, detection and prevention capabilities.
  • Integrate into an organization’s automation and reporting processes.
  • Improve security posture by gaining detailed visibility into enterprise activity.
  • Pivot between various security workflows to support in-depth investigative analysis.

Hardware & Software

This lab consists of the following security tools and virtual machines:

Security Tools
  • Splunk log collector
  • Tanium Core Platform
  • Nessus vulnerability scanner
  • Palo Alto VM-series firewall
Server Devices
  • 1x Splunk Server (CentOS 7)
  • 1x Syslog Server (CentOS 7)
  • 1x Nessus Server (CentOS 7)
  • 1x Utility Server (CentOS 7)
  • 4x Tanium Servers (Windows Server 2016)
  • 1x Windows Jumphost (Windows Server 2016)
Client Devices
  • 4x Windows 10 Clients (Windows 10 Enterprise)
  • 3x Windows 7 Clients (Windows 7 Enterprise)
  • 3x Red Hat Clients (Red Hat Enterprise Linux 7)
  • 1x Attack Host (Kali Linux)
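The lab's data path is syslog from the firewall, the Nessus server and the Linux hosts into the syslog server and on to Splunk. The script below is an added example, not code from the lab guide or from Splunk: it parses RFC 3164-style syslog lines, derives facility and severity from the PRI field, assigns a Splunk-style sourcetype from the sending host's name, and drops malformed lines instead of indexing them. The sample lines, hostnames (`rhel-client-1`, `pa-fw-1`, `nessus-1`, `utility-1`) and the sourcetype names are constructed for illustration and are assumptions, not values taken from the lab.

```python
"""Normalizing syslog from mixed sources before it reaches the indexer.

Added example (not from the lab guide). Parses RFC 3164-style lines,
tags each event with host/sourcetype/facility/severity, drops bad lines.
All hostnames, sourcetype names and log contents below are assumptions.
"""
import re

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                           # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # e.g. "Mar 10 13:45:01"
    r"(?P<host>[\w.-]+) "
    r"(?P<msg>.+)$"
)

# Assumed host-prefix -> sourcetype mapping. In a real deployment this is
# done in props.conf/transforms.conf on the syslog server or a forwarder.
SOURCETYPE_BY_HOST_PREFIX = {
    "pa-fw": "pan:log",
    "nessus": "nessus:syslog",
    "rhel": "linux_secure",
}
DEFAULT_SOURCETYPE = "syslog"

SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Return an event dict, or None if the line is not valid syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23, severity 0-7
        return None
    facility, severity = divmod(pri, 8)
    host = m.group("host")
    sourcetype = DEFAULT_SOURCETYPE
    for prefix, st in SOURCETYPE_BY_HOST_PREFIX.items():
        if host.startswith(prefix):
            sourcetype = st
            break
    return {
        "host": host,
        "sourcetype": sourcetype,
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "_raw": line,
    }


def route(lines):
    """Parse a batch of lines. Returns (events, dropped_raw_lines)."""
    events, dropped = [], []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            dropped.append(line)
        else:
            events.append(ev)
    return events, dropped


def count_by_sourcetype(events):
    """Per-sourcetype event counts, useful as a quick ingestion sanity check."""
    counts = {}
    for ev in events:
        counts[ev["sourcetype"]] = counts.get(ev["sourcetype"], 0) + 1
    return counts


# Constructed sample lines (not captured from the lab).
SAMPLE_LINES = [
    "<86>Mar 10 13:45:01 rhel-client-1 sshd[2103]: Failed password for root from 10.0.0.66 port 51234 ssh2",
    "<86>Mar 10 13:45:02 rhel-client-1 sshd[2103]: Failed password for root from 10.0.0.66 port 51235 ssh2",
    "<14>Mar 10 13:45:03 pa-fw-1 1,2020/03/10 13:45:03,0001,TRAFFIC,end,10.0.0.66,10.0.0.20,deny",
    "<13>Mar 10 13:45:04 nessus-1 nessusd[811]: scan started: target 10.0.0.0/24",
    "<11>Mar 10 13:45:05 utility-1 kernel: Out of memory: Kill process 4211",
    "garbage line without a syslog header",
]

if __name__ == "__main__":
    evs, bad = route(SAMPLE_LINES)
    for ev in evs:
        print(ev["host"], ev["sourcetype"], ev["severity"], ev["_raw"][:48])
    print("dropped:", bad)
    print(count_by_sourcetype(evs))
```

Two points worth noting for the lab: the sourcetype is chosen from the sending host rather than from message content, which is what keeps Palo Alto and Nessus events from being indexed as generic `syslog` and losing their field extractions, and lines that fail to parse are reported rather than silently indexed, so a misconfigured sender shows up in the dropped count instead of as blank events.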