{"id":28334,"date":"2022-03-07T09:53:44","date_gmt":"2022-03-07T09:53:44","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=28334"},"modified":"2022-12-23T06:48:06","modified_gmt":"2022-12-23T06:48:06","slug":"what-is-splunk-siem-and-how-it-works-an-overview-and-its-use-cases","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/what-is-splunk-siem-and-how-it-works-an-overview-and-its-use-cases\/","title":{"rendered":"What is Splunk SIEM and How it works? An Overview and Its Use Cases"},"content":{"rendered":"

History & Origin of Splunk SIEM<\/h3>\n

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.<\/span><\/p>\n

Founded in 2003, Splunk is a global company\u00a0 \u2014 with over 7,500 employees, 850 patents and availability in 21 regions around the world \u2014 and offers\u00a0an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.<\/span><\/p>\n

Use this command to view your search history in the current application. This search history is presented as a set of events or as a table.<\/p>\n

Syntax<\/span><\/h2>\n

| history [events=<bool>]<\/p>\n

Required arguments<\/span><\/h3>\n

None.<\/p>\n

Optional arguments<\/span><\/h3>\n
\n
events<\/dt>\n
Syntax:<\/b>\u00a0events=<bool><\/dd>\n
Description:<\/b>\u00a0When you specify\u00a0events=true<\/code>, the search history is returned as events. This invokes the event-oriented UI which allows for convenient highlighting, or field-inspection. When you specify\u00a0events=false<\/code>, the search history is returned in a table format for more convenient aggregate viewing.<\/dd>\n
Default:<\/b>\u00a0false<\/dd>\n<\/dl>\n

Fields returned when\u00a0events=false<\/code>.<\/p>\n

\n
\n
\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Output field<\/th>\nDescription<\/th>\n<\/tr>\n
_time<\/code><\/td>\nThe time that the search was started.<\/td>\n<\/tr>\n
api_et<\/code><\/td>\nThe earliest time of the API call, which is the earliest time for which events were requested.<\/td>\n<\/tr>\n
api_lt<\/code><\/td>\nThe latest time of the API call, which is the latest time for which events were requested.<\/td>\n<\/tr>\n
event_count<\/code><\/td>\nIf the search retrieved or generated events, the count of events returned with the search.<\/td>\n<\/tr>\n
exec_time<\/code><\/td>\nThe execution time of the search in integer quantity of seconds into the Unix epoch.<\/td>\n<\/tr>\n
is_realtime<\/code><\/td>\nIndicates whether the search was real-time (1) or historical (0).<\/td>\n<\/tr>\n
result_count<\/code><\/td>\nIf the search is a transforming search, the count of results for the search.<\/td>\n<\/tr>\n
scan_count<\/code><\/td>\nThe number of events retrieved from a Splunk index at a low level.<\/td>\n<\/tr>\n
search<\/code><\/td>\nThe search string.<\/td>\n<\/tr>\n
search_et<\/code><\/td>\nThe earliest time set for the search to run.<\/td>\n<\/tr>\n
search_lt<\/code><\/td>\nThe latest time set for the search to run.<\/td>\n<\/tr>\n
sid<\/code><\/td>\nThe search job ID.<\/td>\n<\/tr>\n
splunk_server<\/code><\/td>\nThe host name of the machine where the search was run.<\/td>\n<\/tr>\n
status<\/code><\/td>\nThe status of the search.<\/td>\n<\/tr>\n
total_run_time<\/code><\/td>\nThe total time it took to run the search in seconds.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/dd>\n<\/dl>\n<\/dd>\n<\/dl>\n

What is Splunk SIEM<\/strong><\/h3>\n

\"\"<\/p>\n

\n
SIEM stands for security, information, and event management<\/b>. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring.<\/div>\n
Security operation centers (SOCs) invest in SIEM software to streamline visibility across their organization\u2019s environments, investigate log data for\u00a0incident response<\/a>\u00a0to cyberattacks and data breaches, and adhere to local and federal compliance mandates.<\/div>\n<\/div>\n
<\/div>\n
\n

How Splunk SIEM works aka Splunk SIEM architecture?<\/h3>\n<\/div>\n
\n
\"\"<\/div>\n<\/div>\n

 <\/p>\n

Basically, SIEM architecture\u00a0collects event data from organized systems such as installed devices, network protocol, storage protocols (Syslog) and streaming protocols<\/b>.<\/p>\n

SIEM software works by collecting log and event data produced from applications, devices, networks, infrastructure, and systems to draw analysis and provide a holistic view of an organization\u2019s information technology (IT).<\/p>\n

SIEM solutions can reside either in on-premises or cloud environments. Analyzing all of the data in real-time, SIEM solutions use rules and statistical correlations to drive actional insight during forensic investigations. SIEM technology examines all data, sorting threat activity according to its risk level to help security teams identify malicious actors and mitigate cyberattacks quickly.<\/p>\n

The Evolution of SIEM Software<\/strong><\/h2>\n

SIEM solutions have been around for over 15 years, but today\u2019s modern SIEMs have evolved from their original counterparts. Mark Nicolett and Amrit Williams established the term \u201cSIEM\u201d in a 2005 Gartner research report,\u00a0Improve IT Security With Vulnerability Management<\/em>.\u00a0[1]<\/a>\u00a0These legacy SIEMs were a combination of integrated security methods into one management solution, including:<\/p>\n