Log management tools and SIEMs are not fire-and-forget tools that can be unboxed, turned on, and expected to “just work”. Splunk is no exception. It needs continuous care to get the most out of the data. Correlation searches must be fine-tuned constantly to match the current threat landscape and should use all the nooks and crannies of the search language.
Take a minute to think about how to correlate endpoint logs with firewall logs to determine which endpoints visited a malicious URL over a span of 30 days. Done? Now account for endpoints changing IP addresses during those 30 days.
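Below is an added illustration of the time-aware attribution this puzzle calls for; it is not code from the original page or from NIL815. It uses constructed DHCP lease and firewall records, attributes each firewall hit to whichever host held the source IP at that moment rather than to whichever host has the IP now, and mirrors what a Splunk search would do with `sort 0 ip _time | streamstats current=t last(host) by ip`; the lease-expiry window and all field names are assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data, not from any real environment.
LEASES = [  # DHCP lease-assignment events: (time, ip, hostname)
    ("2024-03-01T08:00:00Z", "10.1.1.20", "LAPTOP-ALICE"),
    ("2024-03-05T09:00:00Z", "10.1.1.20", "LAPTOP-BOB"),    # IP reassigned to Bob
    ("2024-03-05T09:10:00Z", "10.1.1.44", "LAPTOP-ALICE"),  # Alice gets a new IP
]
FIREWALL = [  # firewall/proxy events: (time, src_ip, url)
    ("2024-03-02T12:00:00Z", "10.1.1.20", "http://bad.example/payload"),
    ("2024-03-06T13:00:00Z", "10.1.1.20", "http://bad.example/payload"),
    ("2024-03-07T14:00:00Z", "10.1.1.44", "http://bad.example/c2"),
    ("2024-03-07T15:00:00Z", "10.1.1.99", "http://bad.example/c2"),  # no lease on record
    ("2024-03-07T16:00:00Z", "10.1.1.44", "http://good.example/"),   # benign, ignored
]
MALICIOUS_URLS = {"http://bad.example/payload", "http://bad.example/c2"}
MAX_LEASE_SECONDS = 7 * 86400  # assumed lease lifetime; older leases are not trusted

def ts(s):
    """ISO-8601 UTC string -> epoch seconds (the role of _time in Splunk)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def build_lease_index(leases):
    """Per IP, lease start times and hostnames sorted by time (like `sort 0 ip _time`)."""
    by_ip = defaultdict(list)
    for t, ip, host in leases:
        by_ip[ip].append((ts(t), host))
    return {ip: ([t for t, _ in sorted(v)], [h for _, h in sorted(v)]) for ip, v in by_ip.items()}

def host_for(index, ip, t):
    """Host that held `ip` at epoch time t, or None if no fresh lease preceded t.
    This is the carry-forward that `streamstats current=t last(host) by ip` performs."""
    times, hosts = index.get(ip, ([], []))
    pos = bisect_right(times, t) - 1           # latest lease that started at or before t
    if pos < 0 or t - times[pos] > MAX_LEASE_SECONDS:
        return None                            # lease gap: report the IP, not a guessed host
    return hosts[pos]

def correlate(leases, firewall, bad_urls):
    """Return (time, src_ip, url, attributed_host) for every malicious-URL hit."""
    index = build_lease_index(leases)
    return [(t, ip, url, host_for(index, ip, ts(t)))
            for t, ip, url in firewall if url in bad_urls]

if __name__ == "__main__":
    for row in correlate(LEASES, FIREWALL, MALICIOUS_URLS):
        print(row)
```

A naive join on IP alone would attribute the 6 March hit to LAPTOP-ALICE, because she owned 10.1.1.20 first; the time-aware lookup correctly names LAPTOP-BOB, and leaves the 10.1.1.99 hit unattributed for an analyst to chase through DHCP logging gaps.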
Just as important is alignment of use cases with log sources to make sure no visibility gaps exist. It is not enough to “just collect Windows logs”. If the correct events are not logged, no SIEM can fix that. Field discovery must be verified, fields must be validated, data outages and drops must be detected, and overall coverage must be monitored.
At NIL815 we bring the security knowledge to the table that will make Splunk shine in your unit. Dip into a pool of extensive knowledge and get help with implementation of use cases, creation and verification of correlation searches, or an overall health check of your implementation.