  • danielpwilson

Splunking the Endpoint - Simple adoption feedback loop

I have to say this is my favorite series from Splunk .conf so far. It's an essential checklist for your SIEM. In this session we really deep dive into what you should gather from your endpoints to give your SOC analysts quality visibility.


If you have not seen the series by James Brodsky <brodsky@splunk.com>, check out https://conf.splunk.com/conf-online.html?search=Splunking%20the%20endpoint#/ It's very much worth your time. It makes a great checklist for your deployment and asks important questions of the Splunk admin.


While this checklist is great and amazing, one of the challenges I have run into working with my analysts is that they don't KNOW the details of Splunk for Unix, Splunk for Windows or any of the various plug-ins. I have started solving this problem with bi-weekly knowledge-share lunches: bringing those interested to lunch and demoing a subset of the data, talking about use cases, asking them HOW they think this data might be helpful, and always linking this knowledge back to formal training with our various vendors.

This sort of outreach has been GREAT. We're seeing more actionable alerts, better searches, and faster recovery times. The result is a simple loop: Talk about Data >> Do Cool Stuff >> Get more Training >> Talk about Data >> Do Cool Stuff.

This simple feedback loop has added hundreds of thousands of dollars to the value of our Splunk implementation.
