
📊 Splunk

SIEM / SOAR / UBA / Enterprise Security — supports WSS clause 6.9 (Logging), clause 9 (Detection) and clause 10 (Incident Response)

📊 Splunk Products → WSS Mapping

WSS clause | Topic                         | Splunk product                         | Function
6.9        | Log Management                | Splunk Enterprise / Cloud Platform     | Log Collection, Indexing, Retention as required by the Computer Crime Act
7.1c       | Risk Control                  | Splunk ES + Risk-Based Alerting (RBA)  | Risk Scoring, Risk-based Alerting
8.4e       | Information Sharing           | Splunk Mission Control                 | Threat Intel Sharing, TAXII/STIX
9.1        | Monitoring & Threat Detection | Splunk Enterprise Security (ES)        | SIEM, Correlation, Real-time Monitoring
9.1a       | Detection Mechanism           | Splunk ES + Splunk UBA                 | Anomaly Detection, UEBA, ML-based
9.1b       | Mechanism Review              | Splunk Security Posture Dashboard      | Dashboard, Reporting, Review
10.1       | Incident Response Plan        | Splunk SOAR (Phantom)                  | SOAR, Automation, Playbook
10.1a      | IR Plan                       | Splunk SOAR                            | Incident Response Workflow
10.1b      | Plan Exercise                 | Splunk SOAR Simulation                 | Tabletop Exercise Simulation
10.1c      | Crisis Communication          | Splunk SOAR + Mission Control          | Case Management, Collaboration
11.1       | Recovery                      | Splunk IT Service Intelligence (ITSI)  | Service Health, Recovery Verification

📊 In-depth Product Details

Splunk Enterprise / Cloud Platform

Platform for managing large volumes of machine data
  • Indexing: ingests >1 TB/day of logs (per instance)
  • Search: SPL (Search Processing Language)
  • Retention: Hot/Warm/Cold/Frozen Bucket
  • Input: Syslog, HTTP Event Collector (HEC), API
  • Forwarder: Universal Forwarder (UF) — lightweight agent
  • Compliance: covers the Computer Crime Act (logs retained for at least 90 days)
  • WSS 6.9
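The 90-day retention requirement listed above is enforced on the indexer in indexes.conf, where frozenTimePeriodInSecs decides when a bucket rolls from cold to frozen (deleted, or archived if an archive directory is set). The fragment below is an added example written for this page, not configuration from the page or from Splunk's own documentation; the index name web_logs, the volume paths, the archive directory and the ingest figure used for sizing are assumptions.

```ini
# indexes.conf on the indexer (added example; index name and paths are assumed).
# Retention is driven by bucket age and index size, not by search-time
# settings, so this is the place to enforce "keep at least 90 days".
[web_logs]
homePath   = $SPLUNK_DB/web_logs/db
coldPath   = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb

# 90 days = 90 * 86400 s. Buckets whose newest event is older than this
# roll to frozen. Splunk's default is 188697600 s (6 years); setting it
# explicitly stops a later tuning pass from silently dropping below the
# legal minimum.
frozenTimePeriodInSecs = 7776000

# Without coldToFrozenDir, frozen buckets are deleted. Archiving keeps a
# copy beyond the online window for later investigations (assumed path).
coldToFrozenDir = /archive/splunk/web_logs

# Size limits also roll buckets to frozen, regardless of age. Size this so
# it is not reached before 90 days: e.g. an assumed 20 GB/day of indexed
# data * 90 days = ~1.8 TB, plus headroom.
maxTotalDataSizeMB = 2500000
```

After a restart, confirm the online window actually spans 90 days rather than trusting the setting: a search such as `| tstats min(_time) as oldest where index=web_logs` returns the oldest retained event, and a value younger than 90 days usually means the size limit, not the age limit, is evicting data.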

Splunk Enterprise Security (ES)

Leading SIEM application — Correlation, Threat Detection
  • Correlation: Rules-based + Risk-Based Alerting (RBA)
  • Notable Events: Incident Creation, Assignment
  • Dashboard: Security Posture, Real-time Monitoring
  • Threat Intel: TAXII/STIX, Threat Feed Integration
  • Framework: automatic MITRE ATT&CK mapping
  • Integration: ingests logs from Web Server, WAF, Firewall
  • WSS 9.1, 9.1a

Splunk SOAR (Phantom)

Security Orchestration, Automation, Response
  • Playbook: Visual Playbook Editor
  • Automation: Automated Incident Response
  • Integration: >400 App Integrations
  • Case Management: Collaboration, Timeline
  • Simulation: Tabletop Exercise
  • Metrics: MTTR Tracking, Report
  • WSS 10.1, 10.1a-d

Splunk UBA (User Behavior Analytics)

UEBA — Machine Learning Behavior Analytics
  • ML Models: Unsupervised + Supervised Learning
  • Anomaly: detects abnormal user/device behaviour
  • Peer Group: compares each user against their peer group
  • Chaining: links multiple events to identify an attack
  • Integration: sends Notable Events to ES
  • WSS 9.1a

Splunk Mission Control

SOC Collaboration & Case Management
  • Case Management: centralised SOC workflow
  • Collaboration: Chat, Notes, Timeline
  • Threat Intel: TAXII/STIX Sharing
  • Reporting: Executive Dashboard
  • WSS 10.1c, 8.4e

Splunk ITSI (IT Service Intelligence)

AIOps — Service Health & Recovery
  • Service Health: Real-time Service Monitoring
  • KPI Tracking: Availability, Performance
  • Glass Tables: Visual Topology
  • Recovery: verifies recovery after an incident
  • WSS 11.1

🎯 Splunk Architecture for WSS

Component                | Function                                    | WSS clause supported
Universal Forwarder (UF) | Ships logs from Web Server, CMS, DB         | 6.9
Heavy Forwarder (HF)     | Filters / parses logs before forwarding     | 6.9
Indexer                  | Stores data and builds the full-text index  | 6.9
Search Head (SH)         | SPL search, Correlation, Dashboard          | 9.1
ES App                   | SIEM, Threat Detection, Notable Events      | 9.1, 9.1a
SOAR                     | Incident Response Automation                | 10.1
UBA                      | Behavior Analytics, Anomaly Detection       | 9.1a

Recommended organisation size: Splunk Enterprise from 60 GB/day upwards · ES + UBA + SOAR require >100 GB/day
Deployment options: On-prem (Linux), Cloud (Splunk Cloud Platform), Hybrid