Splunk Security Cloud: Product Editions and Professional Services

What Is Splunk Security Cloud?

Splunk Security Cloud is a data-centric security operations platform that provides security analytics, automated security operations, and threat intelligence.

Splunk Security Cloud provides machine learning-based analytics that detect and provide key insights into multi-cloud environments. It enables improved detection, investigation, and response times, automatically collecting, prioritizing, and consolidating all intelligence sources for faster detection.

In addition, the solution supports an open ecosystem to correlate data across all security tools, regardless of vendor, for improved visibility across the IT environment.

This is part of our series of articles about Splunk Cloud.

Splunk Security Cloud Editions

Splunk Security Cloud is available in two editions: Standard and Plus. Automation is also available as an add-on to both suites.

  • Security Cloud Standard—initiates security action by centralizing all security-related data, informing basic investigations, and standardizing first-response workflows.

  • Security Cloud Plus—provides an improved foundation for investigation by leveraging data models, frameworks, dashboards, and event correlation. This edition provides improved investigation, analysis, and continuous monitoring capabilities.

  • Add-on automation—provides automation, security orchestration, and response capabilities that reduce alert fatigue and allow security teams to focus on mission-critical tasks and respond quickly to threats.


Pricing for both editions is based on two factors:

  • Data ingestion for each protected device - a protected device is a physical or virtual machine that is active on one or more networks or systems in an organization. You are not limited to devices that send events directly to the Splunk platform. For example, Splunk can protect web proxies, firewalls, workstations, and any other device on the network.

  • Splunk Virtual Core Units (SVCs) - in the cloud, this metric is called Splunk Virtual Computing unit (SVC), and on-premises it is called virtual central processing units (vCPUs). Both are calculations of CPU resources allocated to Splunk for the search head and indexer components. These metrics let you align your provisioned Splunk resources with actual search activity, without ingestion limits.

What Does Splunk Security Cloud Standard Edition Provide?

Splunk Security Cloud Standard is an entry-level edition that gets you started with Splunk Cloud by centralizing your data for secure operations. Standard Edition investigation capabilities help you modernize your security operations, including basic security monitoring, and fraud analysis and detection.

Security Cloud Standard includes the following Splunk software:

  • Splunk Cloud

  • Splunk Security Essentials app on Splunkbase


In addition, the Standard edition offers the following level of entitlements:

  • Data ingestion per protected device - 35MB per day

  • SVC per protected device - 0.003 rounded up to nearest integer

What Does Splunk Security Cloud Plus Edition Provide?

The investigation capabilities of Splunk Security Cloud Plus help you modernize your security operations by supporting compliance and data privacy, security incident investigation, fraud detection and analysis, and cloud migration.

Security Cloud Plus includes the following Splunk software:

  • Splunk Cloud

  • Splunk Security Essentials app on Splunkbase

  • Security information and event management (SIEM) with Splunk Enterprise Security and content updates


In addition, the Standard edition offers the following level of entitlements:

  • Data ingestion per protected device - 4.5GB per day

  • SVC per protected device - 0.003 rounded up to nearest integer

Related content: Read our guide to Splunk SIEM

What is Splunk Security Cloud Success?

Splunk Security Cloud Success is a professional services offering by Splunk, which helps your organization apply Splunk best practices, suggest improvements, and familiarize your team with Splunk Security Cloud.

Different support and training sessions are included depending on the edition and the number of protected devices.

The following sessions are typically provided as part of Splunk Security Cloud Standard edition:

  • Maturity review/security roadmap session—used to define the actions taken during engagement. Whether you're going through the proof-of-value process or onboarding a new client, it's time to identify your current capabilities, align them with your goals, and create a custom implementation roadmap.

  • Security Essentials guided walkthrough—a curated tour of the Security Essentials application with discussion of use cases, content management (filtering, creation, and bookmarking), data availability, and introspection.

  • Data onboarding review session—provides a detailed plan on how to validate and retrieve the data needed to meet the requirements of the various use cases selected for implementation.

  • Data onboarding assistance—supports data onboarding from standard security data sources. Activities include data normalization, deployment of appropriate technology plug-ins, and assistance with ingesting the necessary data into the platform.

  • Use case advisory discussion—reviews the available use cases for your data source and makes recommendations for key detections to improve security mechanisms based on the capabilities of Splunk Enterprise.

  • Configuration services—help you configure Splunk Security Essentials on Splunk Enterprise and create individual alerts for incident detection and email workflows.

  • Use case development workshop for 10,000+ protected devices—a full-day workshop focused on security, Splunk Enterprise features, and tuning basic alerts.


Security Cloud Plus includes all of the above, and in addition (depending on the number of devices protected):

  • Data onboarding assistance—Splunk Security Essentials supports more advanced data onboarding from security data sources. Activities include data normalization, deployment of appropriate technology plug-ins, and support for data ingestion.

  • Enterprise security (ES)—uses the full security and event management (SIEM) capabilities of Splunk Enterprise Security. Includes guidance on implementing and configuring ES for all major ES frameworks (assets or IDs, threat intelligence, etc.) and configuring risk-based alerts.

  • Enterprise security content updates—covers the use of analytics stories and advanced detections in regularly updated content packs.

  • Use case development workshop—a multi-day workshop focused on harnessing the power of enterprise security to align security monitoring use cases with strategic and tactical objectives.

  • Advanced ES configuration—configures risk annotations and risk factors to leverage risk-based alerting (RBA) in Enterprise Security. Supports other applicable visualizations as well as advanced asset and identity configuration (third-party sources, advanced classification, and prioritization).

Managed Detection & Response

Splunk Security with BlueVoyant

Quickly scale your security operations across your environments without the need to invest in additional hardware or software.

black texture background