Under the Lens — Splunk

In this section, we take a deep dive into specific security platforms and their evolving capabilities, examining how major vendors are adapting to the changing threat landscape and what their product roadmaps signal for the broader market.

Expanding your organization's security playbook can appear daunting at times. With so many tools, platforms, and integration options available, it's not always clear where the most immediate benefits lie.

Fortunately, numerous providers offer comprehensive, multi-tool suites that can cover a range of security needs. In this month's edition, we're taking a closer and curated look at the Splunk suite of security products.

Splunk is a provider of security and observability solutions that turns machine data into actionable insights across security and IT operations. The name applies both to the company and their comprehensive range of products that form an integrated platform for enterprise resilience.

It delivers comprehensive data analytics through its Splunk Enterprise platform for on-premises deployments and Splunk Cloud Platform for scalable cloud-native analytics. Splunk Enterprise Security provides advanced SIEM capabilities, while Splunk SOAR automates security orchestration and response. Splunk Observability Cloud ensures full-stack monitoring, and Splunk IT Service Intelligence delivers operational intelligence for IT service management.

Together, these solutions create a unified data-to-everything platform.

Let's examine the key security solutions within Splunk's portfolio:

• Core Data Analytics Platform:

  • Splunk Enterprise serves as the foundational data platform that ingests, indexes, and analyzes machine-generated data from any source, providing real-time search capabilities, customizable dashboards, and advanced analytics to transform raw data into operational intelligence across the enterprise.

  • Splunk Cloud Platform delivers all the capabilities of Splunk Enterprise as a fully managed cloud service, offering elastic scalability, automatic updates, and reduced infrastructure overhead while maintaining the same powerful search and analytics capabilities for organizations embracing cloud-first strategies.

• Security Operations:

  • Splunk Enterprise Security (ES) provides comprehensive SIEM functionality with correlation rules, threat intelligence integration, and investigation workflows, enabling security teams to detect threats, conduct forensic analysis, and maintain regulatory compliance through unified security monitoring.

  • Splunk SOAR (Security Orchestration, Automation and Response) streamlines security operations by automating incident response workflows, integrating disparate security tools, and standardizing playbooks, allowing security teams to respond to threats faster and more consistently while reducing manual effort.

• Observability & Monitoring:

  • Splunk Observability Cloud delivers comprehensive full-stack observability through infrastructure monitoring, application performance monitoring, and real user monitoring, providing end-to-end visibility into modern applications and infrastructure to ensure optimal performance and user experience.

  • Splunk IT Service Intelligence (ITSI) transforms IT operations through service-centric monitoring that correlates data across systems and applications, providing predictive analytics, anomaly detection, and service health scoring to enable proactive issue resolution and improved service reliability.

Splunk is currently running a critical beta program for the next major version of Splunk Enterprise, formerly known as the OpenSSL3 Beta Program. This pre-release initiative addresses significant infrastructure updates that will impact all Splunk deployments.

The upcoming Splunk Enterprise release represents a foundational infrastructure upgrade designed to keep the platform current with modern security standards and development frameworks. Organizations should prioritize participation in this beta program to identify potential compatibility issues with existing configurations, custom applications, and integration workflows before the production release. We have covered it in detail in our Lyrid Edition.

Optimizing Splunk Platform Usage

To maximize your security operations' effectiveness, focus on these strategic implementation approaches that leverage Splunk's integrated capabilities across data ingestion, threat detection, and automated response workflows:

• Leverage Core Platform Capabilities:

  • Utilize Splunk's Search Processing Language (SPL) to create powerful searches and reports that transform raw machine data into actionable insights. Build reusable saved searches and alerts that automatically trigger notifications or actions based on specific data patterns.

  • Take advantage of the Common Information Model (CIM) to normalize data from different sources into consistent field names and structures for unified analysis across your environment.

• Data ingestion and optimization:

  • Ensure data quality by implementing universal forwarders and data input configurations with parsing and indexing strategies. Machine data can be ingested into Splunk and automatically parsed using built-in sourcetypes for consistent field extraction.

• Maximize Enterprise Security effectiveness:

  • Leverage Enterprise Security's pre-built correlation searches and notable events framework to detect security threats using proven detection logic and investigation workflows.

  • Implement adaptive response actions to automate initial incident response steps, such as enriching events with threat intelligence or creating tickets in external systems.

• Orchestrate operations with SOAR:

  • Build comprehensive playbooks in Splunk SOAR that automate multi-step security processes, integrating with existing security tools and ticketing systems to standardize and accelerate incident response.

  • Use SOAR's case management capabilities to track investigation progress and maintain audit trails for compliance and process improvement.

Splunk's strength lies in its unified approach to security operations – by combining analytics with automated response capabilities, organizations can transform from reactive security postures to proactive threat hunting and rapid incident resolution. The platform's integration between Enterprise Security and SOAR creates a seamless workflow from detection to response.

Security Application and Version Updates

• Elasticsearch has released version 9.0.2, marking the latest update in the major 9.0 series with significant architectural changes and enhanced search capabilities. Key highlights of this release include:

  • Advanced Ranking Capabilities: Introduction of the rank_vectors field type for late-interaction ranking and ES|QL LOOKUP JOIN in technical preview, enabling more sophisticated search scoring and data correlation workflows.

  • Semantic Search GA: The semantic_text field type has been promoted to General Availability, providing production-ready semantic search capabilities with support for sparse_vector queries and knn vector queries for AI-powered search experiences.

  • Modern Infrastructure Foundation: Permanent transition from Java SecurityManager to the new Entitlements security system, bundled Java 24 JDK, and upgraded Lucene 10.1.0 engine provide enhanced security, performance, and compatibility with modern Java ecosystems.

• Splunk released version 8.0.4 of Enterprise Security on 30 April 2025, introducing several major enhancements focused on unified threat detection, investigation, and response workflows. Key highlights of this release include:

  • Unified TDIR Workflows: Integration with Splunk SOAR (Cloud) enables seamless pairing of playbooks and actions with case management features, creating a cohesive investigation experience.

  • Enhanced Detection Capabilities: Improved detection authoring with risk-based alerting allows security teams to build high-confidence groups of findings using new event-based and finding-based detection editors. Detection versioning enables backup and management of multiple detection versions without requiring complex SPL knowledge.

  • Streamlined User Experience: Reorganized navigation menus, simplified terminology aligned to the Open Cybersecurity Schema Framework (OCSF), and consolidated analytics dashboards under a single tab improve overall usability and accessibility.

Insights: From Our Integration Factory

• Reco AI + CAASM: This integration of Reco AI with the CAASM platform aims to establish a basic data feed that transfers incident information for enhanced visibility and analysis within the CAASM environment.
  
  This integration aims to provide a unified security experience, allowing security teams to monitor and analyze incident data from Reco AI within the CAASM platform. It bridges the gap between incident detection and comprehensive attack surface management, offering enhanced visibility into the organization's security posture and enabling streamlined analysis through graphical and tabular visualization formats.

• Abnormal Security + BAS: This integration of Abnormal Security with the Breach and Attack Simulation (BAS) platform aims to enhance email security testing and validation capabilities by incorporating advanced behavioral analysis and threat intelligence into simulated attack scenarios.
  
  This integration aims to provide a comprehensive security validation experience, allowing security teams to test email security controls using Abnormal's AI-driven threat detection insights within the BAS platform. It bridges the gap between email security monitoring and proactive security testing, offering enhanced visibility into email attack surface vulnerabilities and enabling continuous validation of security controls through sophisticated simulation scenarios.