26 June 2025

SIEM Platform Management


We’ve mentioned the importance of platform management in our previous blogs on wider operating models, but now it’s time to take a deep dive into this component of operating a SIEM specifically. 

Let’s recap – What is platform management? It’s the idea of ‘keeping the foundation solid’, ensuring underlying infrastructure is both healthy and reliable, so that all your data and use-cases can function as intended. 

 

App Updates 

SIEM apps are often responsible for the collection, parsing and visualisation of data, so having processes in place within your operating model to maintain them regularly is critical.  

It is crucial to ensure app compatibility with recent enterprise firmware updates. There is no better time to highlight this: we have recently seen a volume of data quality errors on Cisco firewall kit reporting to Splunk across several deployments.  

This happens when networking teams update Cisco devices, which changes their logging output, but the Splunk app that parses those logs isn’t updated in tandem, resulting in field extraction errors. 

Poor quality data = Failing use cases and reports. 
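One way to catch this before a use case fails is to run the app’s field extractions over a sample of incoming events and alert when the miss rate climbs. The following is an added example in Python (not code from this post, and not the regexes from any vendor add-on): the Cisco ASA syslog lines and the per-field patterns are constructed for the illustration, and the last two events use a hypothetical post-upgrade layout, with the port separator changed, so the check has something to catch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events for this example. The first three follow the
# long-standing Cisco ASA connection-teardown layout; the last two are a
# HYPOTHETICAL post-upgrade variant (port separator "/" replaced by ":")
# included only to show what an extraction miss looks like.
SAMPLE_EVENTS = [
    "%ASA-6-302014: Teardown TCP connection 4210 for outside:203.0.113.5/443 "
    "to inside:10.0.0.5/51234 duration 0:00:10 bytes 1234 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 4211 for outside:198.51.100.7/80 "
    "to inside:10.0.0.6/51235 duration 0:01:02 bytes 9876 TCP Reset-I",
    "%ASA-6-302016: Teardown UDP connection 4212 for outside:203.0.113.53/53 "
    "to inside:10.0.0.5/40000 duration 0:00:02 bytes 310",
    "%ASA-6-302014: Teardown TCP connection 4213 for outside:203.0.113.9:443 "
    "to inside:10.0.0.7:52000 duration 0:00:03 bytes 512 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 4214 for outside:203.0.113.9:443 "
    "to inside:10.0.0.8:52001 duration 0:00:05 bytes 777 TCP FINs",
]

# Illustrative per-field extractions, one regex per field, mirroring how a
# SIEM app defines field extractions. These patterns are an assumption for
# the example, not the regexes shipped by any add-on.
FIELD_EXTRACTIONS: Dict[str, str] = {
    "msg_id":   r"%ASA-\d-(?P<msg_id>\d{6}):",
    "src_ip":   r" for \w+:(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/\d+ ",
    "src_port": r" for \w+:[\d.]+/(?P<src_port>\d+) ",
    "dst_ip":   r" to \w+:(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/\d+ ",
    "dst_port": r" to \w+:[\d.]+/(?P<dst_port>\d+) ",
    "bytes":    r" bytes (?P<bytes>\d+)",
}

# Fields a downstream use case (say, a firewall traffic report) depends on.
REQUIRED_FIELDS = ["msg_id", "src_ip", "dst_ip", "bytes"]


def extract(event: str, extractions: Dict[str, str]) -> Dict[str, str]:
    """Apply every extraction to one event; fields whose regex fails are absent."""
    fields: Dict[str, str] = {}
    for name, pattern in extractions.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(name)
    return fields


def audit_extractions(events: List[str], extractions: Dict[str, str],
                      required: List[str]) -> dict:
    """Count, per required field, how many events failed to yield it."""
    misses = {name: 0 for name in required}
    failed: List[Tuple[str, List[str]]] = []
    for event in events:
        fields = extract(event, extractions)
        missing = [name for name in required if name not in fields]
        for name in missing:
            misses[name] += 1
        if missing:
            failed.append((event, missing))
    total = len(events)
    return {
        "total": total,
        "failed": len(failed),
        "failure_rate": len(failed) / total if total else 0.0,
        "misses_by_field": misses,
        "failed_events": failed,
    }


def is_degraded(report: dict, max_failure_rate: float = 0.05) -> bool:
    """True when the miss rate exceeds what the dependent use case tolerates."""
    return report["failure_rate"] > max_failure_rate


if __name__ == "__main__":
    report = audit_extractions(SAMPLE_EVENTS, FIELD_EXTRACTIONS, REQUIRED_FIELDS)
    print(f"{report['failed']}/{report['total']} events missing required fields")
    for name, count in report["misses_by_field"].items():
        print(f"  {name}: {count} misses")
    if is_degraded(report):
        print("ALERT: extraction quality degraded; check device firmware and app versions")
```

The useful part is the per-field miss count: when only the address fields fail and the message ID and byte counts still extract, the pattern points at a format change on the device rather than a dead input, which is exactly the firmware-versus-app mismatch described above. The same check can be run inside the SIEM as a scheduled search over null required fields; what matters is that the threshold is owned by the use case rather than noticed by whoever next opens a dashboard.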

Similarly, it is paramount that app versions are consistent across enterprise deployments: logging can stop entirely if app versions are mismatched across the data pipeline. 

Most commonly this happens in hybrid environments where apps on cloud search heads are upgraded, because they can easily be seen in the UI, but the same apps on on-premise forwarders are forgotten. 
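One way to catch the mismatch described above is to compare each app’s version across every host in the pipeline, search heads and forwarders alike. The following added example (not code from this post) does that in Python by reading the [launch] version stanza from each app’s app.conf. The host names, app names and app.conf bodies are constructed for the illustration; on a real deployment the text would be read from $SPLUNK_HOME/etc/apps/<app>/default/app.conf (and local/app.conf) on each host.

```python
import configparser
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed inventory for this example: host -> role and the app.conf body
# of each installed app. Host and app names are hypothetical.
SAMPLE_INVENTORY = {
    "sh-cloud-01": {
        "role": "search head",
        "apps": {
            "TA-example-firewall": "[install]\nstate = enabled\n\n[launch]\nversion = 5.2.0\n",
            "TA-example-windows": "[install]\nstate = enabled\n\n[launch]\nversion = 8.1.0\n",
        },
    },
    "hf-onprem-01": {
        "role": "heavy forwarder",
        "apps": {
            "TA-example-firewall": "[install]\nstate = enabled\n\n[launch]\nversion = 5.1.0\n",
            "TA-example-windows": "[install]\nstate = enabled\n\n[launch]\nversion = 8.1.0\n",
        },
    },
    "uf-onprem-02": {
        "role": "universal forwarder",
        "apps": {
            "TA-example-firewall": "[install]\nstate = enabled\n\n[launch]\nversion = 5.1.0\n",
        },
    },
}


def app_version(app_conf_text: str) -> Optional[str]:
    """Return the version from app.conf's [launch] stanza, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(app_conf_text)
    return parser.get("launch", "version", fallback=None)


def version_tuple(version: str) -> tuple:
    """Turn '5.10.2' into (5, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def find_mismatches(inventory: dict) -> Dict[str, dict]:
    """Report every app installed at more than one version across the pipeline."""
    by_app: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for host, info in inventory.items():
        for app, conf_text in info["apps"].items():
            # A missing version is kept as its own bucket so it is flagged, not hidden.
            version = app_version(conf_text) or "unknown"
            by_app[app][version].append(f"{host} ({info['role']})")

    report: Dict[str, dict] = {}
    for app, versions in by_app.items():
        if len(versions) < 2:
            continue  # consistent everywhere it is installed
        known = [v for v in versions if v != "unknown"]
        newest = max(known, key=version_tuple) if known else None
        lagging = [host for v, hosts in versions.items() if v != newest for host in hosts]
        report[app] = {"newest": newest, "versions": dict(versions), "lagging": lagging}
    return report


if __name__ == "__main__":
    for app, detail in find_mismatches(SAMPLE_INVENTORY).items():
        print(f"{app}: newest {detail['newest']}, lagging on {', '.join(detail['lagging'])}")
```

Run against the constructed inventory it reports only TA-example-firewall, with the two on-premise forwarders lagging behind the cloud search head, which is the hybrid failure pattern described above; TA-example-windows is consistent and stays quiet. Scheduling this against real conf files (or the output of btool on each host) turns a silent mismatch into something that appears in a ticket queue.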

 

Forwarder/ Agent Upgrades 

Keeping forwarders updated brings improved functionality and reliability. Yet, because forwarder versions are not typically flagged by alerts, they are easily overlooked. 

With a Splunk deployment this is more pertinent than ever, given the recent vulnerability affecting Windows forwarders: https://advisory.splunk.com/advisories/SVD-2025-0602 

This perfectly highlights the need to stay on top of regular forwarder/agent package upgrades: not only for enhanced functionality and platform value, but for security patches.  

On affected versions, non-administrator users of the Windows forwarder can access the installation directory and all its contents. For organisations running Windows endpoint logging, this essentially gives any staff member the ability to turn off or disrupt their machine’s logging to Splunk. 

You can only imagine the detection and compliance consequences down the line if that were to happen. 
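Because nothing raises an alert on its own, a forwarder inventory check has to be run deliberately. The following added example (not code from this post or from Splunk) audits a list of deployment clients in Python: it flags forwarders whose version is below the fixed release for their own branch, treats branches with no listed fix as needing review, and separately lists forwarders that have stopped phoning home. The client records, the field names and the per-branch version floors are constructed placeholders for the illustration; the actual fixed versions come from the advisory linked above, and the installation-directory permissions themselves are a host-side property this check does not verify.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Illustrative per-branch minimum versions. PLACEHOLDER values for this
# example: take the real fixed version for each branch from the advisory.
FIXED_FLOORS = {"9.4": "9.4.2", "9.3": "9.3.4", "9.2": "9.2.6", "9.1": "9.1.9"}

# Constructed client records, shaped like the inventory a deployment server
# keeps for the forwarders that phone home to it. Field names are this
# example's own and the hosts are hypothetical.
SAMPLE_CLIENTS = [
    {"hostname": "WIN-HR-0142",    "os": "windows", "version": "9.4.2", "last_seen": "2025-06-25T09:12:00Z"},
    {"hostname": "WIN-FIN-0031",   "os": "windows", "version": "9.2.1", "last_seen": "2025-06-25T08:40:00Z"},
    {"hostname": "WIN-DEV-0007",   "os": "windows", "version": "9.0.5", "last_seen": "2025-06-24T17:05:00Z"},
    {"hostname": "lnx-web-03",     "os": "linux",   "version": "9.3.1", "last_seen": "2025-05-30T11:00:00Z"},
    {"hostname": "WIN-SALES-0210", "os": "windows", "version": "9.3.4", "last_seen": "2025-06-01T06:00:00Z"},
]

# Fixed reference time so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2025, 6, 26, tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """Turn '9.4.10' into (9, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_patched(version: str, floors: Dict[str, str]) -> bool:
    """True if the version is at or above the fixed release for its own branch.

    Advisories list a fix per maintenance branch, so 9.2.x is compared with the
    9.2 floor, not the 9.4 one. A branch with no listed fix (out of support, or
    not covered) is treated as unpatched so it surfaces rather than passing silently.
    """
    branch = ".".join(version.split(".")[:2])
    floor = floors.get(branch)
    if floor is None:
        return False
    return version_tuple(version) >= version_tuple(floor)


def audit_forwarders(clients: List[dict], floors: Dict[str, str], now: datetime,
                     stale_after_days: int = 7, os_filter: Optional[str] = None) -> Dict[str, List[str]]:
    """Return forwarders needing an upgrade and forwarders that have gone quiet."""
    cutoff = now - timedelta(days=stale_after_days)
    outdated: List[str] = []
    stale: List[str] = []
    for client in clients:
        if os_filter and client["os"] != os_filter:
            continue
        if not is_patched(client["version"], floors):
            outdated.append(client["hostname"])
        # "Z" suffix handled explicitly so this also runs on Python versions before 3.11.
        last_seen = datetime.fromisoformat(client["last_seen"].replace("Z", "+00:00"))
        if last_seen < cutoff:
            stale.append(client["hostname"])  # logs silently missing, and no alert has fired
    return {"outdated": outdated, "stale": stale}


if __name__ == "__main__":
    result = audit_forwarders(SAMPLE_CLIENTS, FIXED_FLOORS, AUDIT_TIME, os_filter="windows")
    print("Windows forwarders below the fixed version:", ", ".join(result["outdated"]))
    print("Windows forwarders not seen in the last 7 days:", ", ".join(result["stale"]))
```

The two lists answer different questions. The outdated list is the patch backlog for the advisory; the stale list is the set of endpoints whose logging may already have stopped, which is the detection and compliance gap the paragraph above warns about, and on the affected versions a forwarder that has simply gone quiet is indistinguishable from one a local user has disabled. Restricting to Windows with os_filter keeps the report aligned with the advisory, while the unfiltered run serves as the general hygiene check.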

 
