Splunk Enterprise Security
What is Splunk Enterprise Security?
Splunk Enterprise Security: A commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation.
Splunk Enterprise Security (ES) is the flagship SIEM application built on the Splunk platform, developed by Splunk Inc., which Cisco acquired in March 2024. It indexes any time-stamped machine data — firewalls, EDR, Windows events, syslog, cloud audit trails — and exposes it through the Splunk Processing Language (SPL) for searches, dashboards, and correlation rules. ES ships with the Common Information Model (CIM), risk-based alerting (RBA), MITRE ATT&CK Navigator integration, asset and identity frameworks, and notable-event triage workflows. It is deployed on-premises, in Splunk Cloud, and increasingly as a unified platform with Cisco XDR. Splunk SOAR (formerly Phantom) provides playbook automation.
● Examples
- 01. Writing an SPL correlation search to alert on lateral movement detected by Windows event 4624 type 3 from a tier-0 host.
- 02. Using risk-based alerting to surface a user whose accumulated MITRE technique score crosses 100 in 24 hours.
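The two examples above, chained together as an added illustration that is not part of the original page: a correlation rule turns tier-0 network logons into risk events, and an RBA-style aggregation surfaces any user whose risk exceeds 100 in a sliding 24-hour window. The events, host names, the 40-point score per match and the T1021 technique tag are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): CIM-style Windows logon events as
# (timestamp, EventCode, Logon_Type, user, src). Host names are made up.
TIER0_HOSTS = {"DC01", "DC02"}          # assumed asset-framework tag for tier-0 hosts
RISK_THRESHOLD = 100                    # the page's example RBA threshold
WINDOW = timedelta(hours=24)

EVENTS = [
    ("2024-05-01T08:00:00", 4624, 3, "alice", "DC01"),
    ("2024-05-01T09:30:00", 4624, 3, "alice", "DC02"),
    ("2024-05-01T10:00:00", 4624, 2, "alice", "WS07"),  # interactive logon, not type 3
    ("2024-05-01T11:00:00", 4624, 3, "bob",   "WS12"),  # type 3, but source is not tier-0
    ("2024-05-02T07:00:00", 4624, 3, "alice", "DC01"),
    ("2024-05-03T12:00:00", 4624, 3, "alice", "DC01"),  # falls outside the first 24h window
]

def lateral_movement_risk(events, tier0=TIER0_HOSTS, score=40):
    """Correlation rule: a network logon (4624, type 3) whose source is a tier-0 host
    emits a risk event (time, risk_object, risk_score, technique) rather than an alert.
    The score of 40 and the T1021 (Remote Services) mapping are assumed for this example."""
    return [
        (datetime.fromisoformat(ts), user, score, "T1021")
        for ts, code, logon_type, user, src in events
        if code == 4624 and logon_type == 3 and src in tier0
    ]

def users_over_threshold(risk_events, threshold=RISK_THRESHOLD, window=WINDOW):
    """RBA aggregation: sum each user's risk over a sliding window and return the
    peak total for every user whose total exceeded the threshold."""
    by_user = defaultdict(list)
    for ts, user, score, _technique in sorted(risk_events):
        by_user[user].append((ts, score))
    flagged = {}
    for user, items in by_user.items():
        start, total = 0, 0
        for ts, score in items:
            total += score
            while items[start][0] < ts - window:   # drop risk events older than the window
                total -= items[start][1]
                start += 1
            if total > threshold:
                flagged[user] = max(total, flagged.get(user, 0))
    return flagged

if __name__ == "__main__":
    print(users_over_threshold(lateral_movement_risk(EVENTS)))  # {'alice': 120}
```

Bob's type-3 logon from a workstation and Alice's interactive logon never become risk events, and Alice's day-3 logon alone stays under the threshold, which is the point of accumulating risk instead of alerting per event.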
● Frequently asked questions
What is Splunk Enterprise Security?
A commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Splunk Enterprise Security?
Common alternative names include: Splunk ES, Splunk SIEM.
● Related terms
- SIEM (defense-ops, № 1039)
  A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- SOAR (defense-ops, № 1062)
  A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
- MITRE ATT&CK (compliance, № 687)
  A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Elastic Stack (ELK) (defense-ops, № 372)
  An open-source platform from Elastic N.V. combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale.
- Microsoft Sentinel (defense-ops, № 680)
  A cloud-native SIEM and SOAR service from Microsoft running on Azure, querying logs with Kusto Query Language (KQL) and integrating natively with Microsoft 365 Defender and Azure data sources.
- Google Chronicle SecOps (defense-ops, № 448)
  Google Cloud's cloud-native SIEM and SOAR (formerly Backstory) that stores petabyte-scale telemetry at a flat per-employee price and queries it with the YARA-L detection language.