Splunk ES 8.0 Improves Identity Detections

Splunk Enterprise Security 8.0 features an enhanced correlation search framework and better out-of-the-box logic for identity threats. Experts advise customizing the default MITRE ATT&CK-aligned rules to fit specific organizational risks and DoD Zero Trust requirements.

## ES 8.0 Sharpens Identity-Based Threat Detection with New Framework

Splunk Enterprise Security 8.0 introduces a significant evolution in its detection framework, moving from "Correlation Searches" to a more intuitive "Detections" terminology. This update brings two new authoring editors for creating event-based and finding-based detections, designed to streamline the development of analytics and better align with Risk-Based Alerting (RBA) principles. For detection engineers, this means a cleaner, more organized library of security content that is easier to manage and update. A key enhancement is the native version control for detections, allowing teams to edit, add notes, and roll back changes without impacting live rules—a critical feature for maintaining stability in multi-client environments.

The new framework is built to tackle alert fatigue by distinguishing between low-fidelity "Intermediate Findings" and high-confidence "Findings." Event-based detections analyze raw log data to generate these findings. Finding-based detections then correlate these initial findings to identify more complex attack patterns, grouping them into a single, high-confidence alert. This layered approach allows analysts to focus on significant threats rather than chasing individual, noisy events, a methodology that is crucial for effectively monitoring user behavior against Zero Trust principles.

For DoD environments, these enhanced identity detections can be customized to align with the User pillar of the Zero Trust model. For instance, a standard "Excessive Failed Logins" detection can be tuned to meet specific DoD thresholds for user activity monitoring. The DoD's Zero Trust roadmap emphasizes the need for User and Entity Behavior Analytics (UEBA) to inform access decisions. Splunk's framework supports this by enabling the creation of detailed user behavior baselines to differentiate between normal and abnormal activity, a core tenet of advanced Zero Trust maturity.
In multi-tenant deployments, such as those managed for different defense contractors, best practices dictate the use of separate indexes and custom roles for each client to ensure data segregation. To streamline client onboarding, a centralized Splunk deployment server can be used to manage and deploy configuration apps consistently across all tenants. When using off-the-shelf Splunk applications, it is often necessary to modify them to remove hard-coded index names, allowing them to function across different client indexes based on user roles.

To assess Zero Trust compliance for the User and Identity pillar, Splunk dashboards can be built to monitor key metrics. The "Access Anomalies" dashboard, for example, can help identify concurrent logins from geographically distant locations or multiple authentication attempts from various IPs in a short period. Specific SPL queries can be crafted to audit user access against policies, such as verifying that only privileged users are accessing critical systems or that accounts are not being used after a departure. These dashboards provide continuous monitoring and a quantifiable measure of adherence to Zero Trust controls.

The Splunk Threat Research Team continuously releases new security content through the Splunk Enterprise Security Content Update (ESCU) app, which includes pre-packaged analytic stories for detecting specific threats. These stories often focus on identity-based attacks and insider threats, providing a valuable resource for detection engineers. For example, recent updates have included detections for suspicious activity in Kubernetes environments and techniques used in ransomware attacks, all of which can be adapted to a multi-client, Zero Trust architecture.

The shift in ES 8.0 also aligns with the Open Cybersecurity Schema Framework (OCSF), standardizing terminology across the Splunk security portfolio and the broader cybersecurity industry.
This common language simplifies collaboration and understanding of security events, which is particularly beneficial in complex, multi-stakeholder environments like the defense industrial base. The integration of Mission Control into the platform provides a unified work surface for analysts to detect threats, consult playbooks, and initiate response actions from a single interface.

For a more proactive stance, Splunk's User Behavior Analytics (UBA) can be used to establish a baseline of normal user activity, flagging any deviations that could indicate an insider threat. This capability is directly in line with the DoD's goal of leveraging UEBA for continuous monitoring and risk scoring. By correlating user activity with other data sources, such as network traffic and endpoint logs, security teams can gain a comprehensive view of potential identity-based threats and respond more effectively.
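As an added example, not taken from the article or from Splunk's own ESCU content, the following event-based detection in SPL covers both the tunable "Excessive Failed Logins" case and the "multiple authentication attempts from various IPs in a short period" check described above. It is written against the CIM Authentication data model (fields `Authentication.action`, `Authentication.user`, `Authentication.src`, `Authentication.dest`); the 10-minute window and the thresholds of 20 failures or 3 distinct source addresses are placeholder values, to be replaced with the organization's own policy numbers.

```spl
| tstats summariesonly=true count, dc(Authentication.src) AS distinct_sources,
    min(_time) AS first_seen, max(_time) AS last_seen
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure" earliest=-24h
    BY Authentication.user, Authentication.dest, _time span=10m
| rename Authentication.* AS *
| eval failure_threshold=20, source_threshold=3
| where count >= failure_threshold OR distinct_sources >= source_threshold
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table user, dest, _time, count, distinct_sources, first_seen, last_seen
```

Each row is a user/destination pair that crossed a threshold inside one 10-minute bucket, which makes it a natural intermediate finding for a finding-based detection to correlate with other signals for the same user.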
