Splunk, the cybersecurity and observability provider, is announcing that its seamless and customizable security analyst experience—introduced in the Splunk Enterprise Security 7.2 release—will now be turned on by default in Splunk Enterprise Security 7.3. Splunk is also announcing expanded Drill-Down Dashboards, new Index Time Correlation Searches, and enhanced Risk-Based Alerting, in an update shaped by customer feedback.
According to Marquis Montgomery, director of product management, security products at Splunk, “customer feedback continues to drive innovation and enhancements in Splunk Enterprise Security,” ultimately spurring several improvements within the 7.3 release.
Splunk’s optional 7.2 analyst experience will now be the default mode of 7.3, enabling analysts to customize their Incident Review Dashboard to better represent their investigative priorities. Configurable with table filters and columns, analysts leveraging the Incident Review Dashboard can more easily isolate and rapidly investigate security events.
These custom Incident Review Dashboards can then be saved and shared with other analysts in the enterprise, applied to different use cases and driving greater collaboration. Splunk Enterprise Security administrators are also afforded a level of control over the analyst experience with Incident Review Dashboards, as they can configure default views for all users.
To aid in this transition, Splunk is offering an interactive onboarding experience available in-product.
Drill-Down Dashboards have now been expanded to Incident Review, enabling content engineers to “drill-down” into a Splunk dashboard via the incident workflow. This drives a seamless analyst experience, allowing these users to access crucial details of an event during investigation without incurring additional manual burden.
Users can generate multiple drill-down dashboard links, which are further customizable in text and token fields for greater flexibility.
Splunk Enterprise Security 7.3 also introduces Index Time Correlation Searches, developed in response to occasions where customer data is not forwarded to Splunk in real time. This feature allows administrators to run specific correlation rules on index time instead of event time, accommodating these instances without sacrificing visibility.
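The gap this feature closes is easy to see with a small simulation. The following Python is an added illustration, not Splunk's implementation or any of its code: a scheduled correlation rule runs every 15 minutes over "the last 15 minutes" of data, once keyed on the event timestamp (Splunk's `_time`) and once on the ingest timestamp (`_indextime`). The events, the 40-minute forwarder outage, and the rule itself are constructed for the example.

```python
"""Event-time vs index-time windowing for a scheduled correlation search.

Added illustration (not Splunk code). Each scheduled run at time R can only
see events that were indexed by R; late-arriving events whose event time
falls in a window that has already been searched are never revisited when
the rule is keyed on event time, but are caught when keyed on index time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    time: int        # _time: when the event happened (epoch seconds)
    indextime: int   # _indextime: when the indexer wrote it
    suspicious: bool  # whether the correlation rule should match it


T0 = 1_700_000_000          # arbitrary epoch anchor for the constructed data
WINDOW = 900                # 15-minute schedule
LATE = 40 * 60              # constructed: host B's forwarder is down 40 minutes

# Constructed sample events: host A forwards promptly, host B arrives late.
EVENTS = [
    Event("a1", T0 + 60, T0 + 62, True),
    Event("b1", T0 + 120, T0 + 120 + LATE, True),   # happened early, indexed late
    Event("a2", T0 + 700, T0 + 702, False),
    Event("b2", T0 + 800, T0 + 800 + LATE, True),   # happened early, indexed late
]


def correlation_rule(events):
    """Stand-in for a correlation search: return the ids of matching events."""
    return {e.event_id for e in events if e.suspicious}


def run_schedule(events, key, start, end, window=WINDOW):
    """Run the rule once per scheduled window [t, t+window), keyed on `key`.

    A run scheduled at t+window can only see events indexed by then, which is
    what makes event-time windows miss delayed data. Returns every event id
    the rule matched across all runs.
    """
    found = set()
    t = start
    while t < end:
        run_at = t + window
        visible = [e for e in events if e.indextime <= run_at]
        in_window = [e for e in visible if t <= getattr(e, key) < t + window]
        found |= correlation_rule(in_window)
        t += window
    return found


def compare(events=EVENTS, runs=4):
    """Return (ids found by event-time windows, ids found by index-time windows)."""
    start, end = T0, T0 + runs * WINDOW
    by_event_time = run_schedule(events, "time", start, end)
    by_index_time = run_schedule(events, "indextime", start, end)
    return by_event_time, by_index_time


if __name__ == "__main__":
    event_time, index_time = compare()
    print("event-time windows matched:", sorted(event_time))   # a1 only
    print("index-time windows matched:", sorted(index_time))   # a1, b1, b2
```

The event-time schedule matches only `a1`: by the time `b1` and `b2` are indexed, the windows covering their event times have already been searched. The index-time schedule matches all three, because each event is evaluated in the window in which it actually became searchable. The trade-off is that alert timestamps and any time-ordered correlation logic now reflect ingest time rather than occurrence time, which is worth recording on the resulting notables.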
With enhancements to Risk-Based Alerting, enterprises can better prioritize security threats using the MITRE ATT&CK framework and an entity risk score. According to Splunk, this not only reduces false positive investigations by up to 80% but also speeds up the investigation and remediation time of true positives by 50%.
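The mechanism behind those numbers is that individual low-fidelity detections no longer open a notable each; they contribute a risk score and an ATT&CK tactic to an entity, and a separate rule fires only when the entity's aggregate crosses a threshold. The Python below is an added, simplified illustration of that pattern, not Splunk's risk framework or its code: the risk events, scores, thresholds and entity names are constructed, and the ATT&CK tactic IDs are the public ones (TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0011 Command and Control).

```python
"""Entity risk aggregation and a risk-incident rule (added illustration, not Splunk code).

Each risk event is (entity, epoch_seconds, risk_score, attck_tactic). A notable is
raised per entity, not per detection, when either the 24-hour aggregate score
crosses a threshold or the entity has touched several distinct ATT&CK tactics.
"""
from collections import defaultdict

# Constructed risk events from low-fidelity detections over one day.
RISK_EVENTS = [
    ("alice", 0, 10, "TA0001"),      # suspicious login (initial access)
    ("alice", 600, 20, "TA0002"),    # unusual script interpreter (execution)
    ("alice", 1200, 30, "TA0003"),   # new scheduled task (persistence)
    ("bob", 0, 10, "TA0001"),        # same noisy login rule, twice
    ("bob", 100, 10, "TA0001"),
    ("carol", 0, 110, "TA0011"),     # one high-score beaconing detection (C2)
]


def aggregate(risk_events, window=86400, now=86400):
    """Sum risk per entity over the trailing window and collect distinct tactics."""
    per_entity = defaultdict(lambda: {"score": 0, "tactics": set(), "count": 0})
    for entity, ts, score, tactic in risk_events:
        if now - window <= ts <= now:
            agg = per_entity[entity]
            agg["score"] += score
            agg["tactics"].add(tactic)
            agg["count"] += 1
    return per_entity


def risk_incidents(risk_events, score_threshold=100, tactic_threshold=3, **window_kw):
    """Return one (entity, score, tactics, reasons) tuple per entity that warrants a notable.

    `reasons` records which condition fired so the analyst sees why the entity surfaced.
    Constructed thresholds; a real deployment tunes these per environment.
    """
    incidents = []
    for entity, agg in sorted(aggregate(risk_events, **window_kw).items()):
        reasons = []
        if agg["score"] >= score_threshold:
            reasons.append("score")
        if len(agg["tactics"]) >= tactic_threshold:
            reasons.append("tactic_breadth")
        if reasons:
            incidents.append((entity, agg["score"], sorted(agg["tactics"]), reasons))
    return incidents


if __name__ == "__main__":
    for entity, score, tactics, reasons in risk_incidents(RISK_EVENTS):
        print(f"{entity}: score={score} tactics={tactics} fired_on={reasons}")
```

With six underlying detections, the rule opens two notables: `alice`, whose modest scores span three tactics and so look like an attack chain, and `carol`, whose single detection carries enough score on its own. `bob`, hit twice by the same noisy login rule, never reaches an analyst. That suppression is the source of the false-positive reduction, and the per-entity view with its tactic list is what shortens triage on the incidents that do fire.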
To learn more about Splunk’s latest updates, please visit https://www.splunk.com/.