Subject Matter Experts
- Security Products

Machine Deep learning algorithms, Artificial intelligence, AI, Automation and modern technology in business as concept.

Splunk Anomaly Detection

Security detections should not contain "magic numbers" for thresholding and alert creation. For example "if (num_failed_logins > 3)". What's so special about the number "3". Nothing! These types of alerts result in thousands of noisy false positives. The answer is Splunk's anomaly detection. All the tools are available out-of-the-box (SPL and MLTK), however, utilizing these tools to create high fidelity security use cases is an art form in itself. Let Keos PS show you the way,

identities

Splunk Risk Based Alerting

Splunk Enterprise Security ("ES") come with all the ingredients necessary to implement risk based alerting ("RBA"). Rather than have a single detection create an alert that requires your SOC teams immediate attention, RBA looks across a large swatch of user and entity behavior. Given the broader context, many false positives fall to the way side and an aggregated list of concerning behaviors pushes itself up to the top of the priority list. Now an absolute must in Splunk ES 8.X, Keos will enable the RBA framework and develop your custom RBA alerts.

images - 2025-03-11T061441.069

Splunk SOAR

Splunk's product offering for automatically remediating incidents found in Splunk ES. Splunk provides a standard set of SOAR playbooks that help inspire the customer to make full use of the tool. But these out-of-the-box playbooks are not complete and not production worthy. The best playbooks are determined when the customer observes their SOC team and analysts performing the same redundant tasks. And then call in Keos to implement playbooks in python.

data-modeling-2

Splunk Datamodels

Splunk datamodels are Splunk crown jewel. These underlying repositories are necessary for customers to search large amounts of data in seconds. Out of the box, data models do not populate. And the default fields for each data model need to be modified for each customer. Users can benefit with correctly populated data models. The juice is worth the squeeze. Keos provides a unique field repository for customers to correctly parse their logs and populate their datamodels. The Keos "Datamodel Dictionary" correlates the customer's data model with the customer's log source. An invaluable mapping to maintain datamodels over time and for customers to write their own "tstats" enabled Splunk searches.

iStock-1154382481-komprimiert-400x400

Splunk UEBA

Splunk's unsung hero is their User and Entity Behavior Analytics tool. Under the covers, this product has a sophisticated set of machine learning models that need to trained on large amounts of data before it is able to detect anomalies. A powerful product, but not easy to setup and get working.

images - 2025-03-11T062355.564

Splunk ES

Splunk's SIEM. A very popular product that has added capability year-over-year. Today, all customers should be making full use of ES risk-based alerting, data modeling, and machine learning.

cisco-xdr

Cisco XDR

Cisco's XDR is designed to work OOTB without requiring professional services. With XDR, all the security detections and remediations are generic one-size fits all. Where things get interesting is when customers need to up their game and migrate from XDR to Splunk ES. Or if the customer has multiple XDR stacks and they need a single Splunk ES pane of glass to monitor the various XDR instances. That is when Keos professionals step in.

Main Menu

Privacy Policy

Contact Details

Phone

(408) 2719195

Email

info@csjunction.com

Scroll to Top