MDR on Splunk Enterprise Security: leading SIEM, custom SPL rules.
The Fortgale European SOC 24·7·365 on the Splunk ES console. SPL detection rules tuned on European TTPs, <30 min median containment, response orchestrated via Splunk SOAR.
European SOC 24·7·365L2/L3 analysts · direct interaction
Fortgale
◇
Multi-domain AI tier-zeroNoise reduced >90% by day 30
Fortgale
⚡
Native Splunk responseHost isolation in seconds
Live
◈
Proprietary intelligence34,000+ IoCs per week · European actors
Fortgale
MDR live, Splunk + Fortgale SOC active
Compliance
ISO/IEC 27001
NIS2 ready
DORA aligned
GDPR · ENISA
Technology partnership
Splunk Enterprise Security
MITRE ATT&CK aligned
OpenCTI
Why Fortgale + Splunk
The Gartner-leading SIEM, operated with proprietary CTI.
Splunk Enterprise Security is the Gartner Leader SIEM/SOAR for the 11th consecutive year. Fortgale operates it with European analysts who develop custom SPL detection rules on European actor TTPs.
01 ·
Splunk ES · top Gartner SIEM
Notable events, risk-based alerting, MITRE ATT&CK mapping. Native data ingestion from any source via Universal Forwarder. Risk-based alerting for noise reduction up to 90%. Fortgale delivers detection and response on the platform modules Splunk Enterprise Security · Splunk SOAR · User Behavior Analytics (UEBA) · Splunk Attack Analyzer.
02 ·
European SOC 24·7·365
L2/L3 analysts develop custom SPL rules and ES content packs tuned on European TTPs. Triage <15 min on notable events. Threat hunting on Splunk Search using proprietary CTI.
03 ·
Splunk SOAR + IR
Custom playbook orchestration via Splunk SOAR: cross-tool response, automatic enrichment, ticketing. Direct escalation to Fortgale IR. Full NIS2 national CSIRT notification support.
How it works · architecture
Four blocks, one MDR cycle on Splunk.
From data ingestion to SOAR response, all governed by Fortgale with European analysts and proprietary CTI on European markets.
01 ·
01 · Ingestion
Data sources active
Splunk Cloud or on-prem with all data sources connected: endpoint, firewall, AD, M365, AWS/Azure, custom apps. Universal Forwarder + HEC + APIs.
02 ·
02 · Tier-zero
Custom SPL detection
ES content packs + custom SPL rules tuned by Fortgale on European actor TTPs. Risk-based alerting reduces noise by 90%, only real notables reach analysts.
03 ·
03 · Analysts
Our L2/L3 on the console
European SOC specialised on Splunk. Triage on notable events, hunting via Splunk Search, attribution to actor. Direct interaction in your business language.
04 ·
04 · Response
SOAR playbook + IR
Containment via Splunk SOAR custom playbooks: EDR isolation, AD lockout, firewall block, ticketing. Direct escalation to Fortgale IR for critical incidents.
Proof · service metrics
Four numbers that hold MDR on Splunk up.
Metrics measured on real customer telemetry, Q1 2026, updated quarterly.
<30 min
Median containment from confirmed notable
90 %
Noise reduced by risk-based alerting
Custom
SPL rules MITRE-mapped on European TTPs
14 days
Full onboarding Splunk ES + SOAR
The problems MDR must solve
Five reasons Splunk alone is not enough.
The platform produces telemetry. What is missing is the people who read it around the clock, prioritise it and turn it into decisions.
01 ·
Alert fatigue
Tier-zero AI filters, analysts decide: noise reduced >90% by day 30. Every alert that reaches you is already a qualified case.
02 ·
Splunk expertise
L2/L3 analysts who operate the Splunk console every day: detection tuning, MITRE-mapped runbooks, native response on your platform.
03 ·
Operational experience
European SOC, headquartered in Milan since 2017, 24·7·365: median TTD <15 minutes, median TTC <30 minutes.
Proprietary CTI on 287 tracked adversary groups and attack tools: advisories, IOCs and actor profiles feed directly into detection on your platform.
Threat intelligence · attacks detected on Splunk
Infostealers and phishing kits contained via Splunk + ES correlation.
Selection of credential-theft threats detected on Fortgale customers with Splunk Enterprise Security. Splunk RBA (Risk-Based Alerting) aggregates multiple indicators into single notable events to reduce fatigue.
Monthly hunting on Splunk Search using proprietary CTI + Sigma rules. Focus on silent lateral movement, persistence, data staging not covered by automatic detections.
For whom · two angles
Same MDR on Splunk, two angles.
The CISO decides on risk. The IT lead decides on the runbook. Fortgale MDR produces evidence for both.
For the CISO
A named runbook per actor, on the Splunk stack.
Each month the CISO receives the profile of the 3 most likely actors against their sector, with the Fortgale MDR runbook already mapped to the Splunk Enterprise Security telemetry.
Monthly threat briefingActors, observed TTPs, campaigns in progress on your sector.
Splunk runbookLive MITRE-mapped playbooks, executable on the Splunk Enterprise Security console.
Board-ready reportingRisk · impact · decision. No slideware technology.
Zero translator handover. European analysts on your Splunk console.
When the Splunk alert is real, decision time is containment time. Our L2/L3 analysts know the Splunk Enterprise Security console and have a mandate to decide.
Median containment ~11 minFrom confirmed alert to remediation in production.
Everything to know before talking to our analysts.
What is the MDR service on Splunk Enterprise Security?
Combines Splunk Enterprise Security (Gartner Leader SIEM) with the Fortgale European SOC 24·7·365. L2/L3 analysts develop custom MITRE-mapped SPL detection rules, monitor ES notable events, orchestrate response via Splunk SOAR and apply proprietary runbooks.
Do I need to already have Splunk?
No. Fortgale handles the full cycle: Splunk Cloud or on-prem licensing, indexer/search head deployment, data sources integration, ES content packs, tuning. Available both on existing instance or as part of the service.
Does the service include Splunk SOAR?
On request, yes. Splunk SOAR (formerly Phantom) is available as add-on module for playbook orchestration, cross-tool integration and response automation. The Fortgale SOC develops custom playbooks mapped to runbooks.
Is the service NIS2-compliant?
Yes. We support NIS2 transposition requirements: continuous monitoring, IoC collection for national CSIRT notification within 24 hours, technical documentation for 72-hour notifications. Splunk's configurable retention supports NIS2 log retention requirements.
Is Splunk only for logs or does it have XDR/EDR capabilities?
Splunk Enterprise Security is SIEM. For XDR/EDR it combines with Splunk Attack Analyzer and add-ons/integrations with third-party EDR (CrowdStrike, SentinelOne, Defender). Fortgale orchestrates the entire stack.
Talk to the outpost
One meeting. One NDA. One real runbook on Splunk.
We bring you the Report on your sector with the most likely actors and a concrete MDR runbook on your Splunk Enterprise Security console.
Outlook Bookings · Fortgale
Book a meeting
Loading calendar…
Response · 1 business day
Speak with our analysts.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
Document · Fortgale
PDF preview
Loading PDF…
Request · Fortgale Threat Intelligence Report
Request the Report
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
See a real attack
IR · 24·7·365
Are you under attack?
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.
We use essential cookies required for site functionality and, with your consent, analytics and marketing cookies to measure traffic and personalise content. You can accept all cookies, reject them, or customise your preferences. For more details see the Cookie Policy and Privacy Policy.
Cookie preferences · Fortgale
Manage your preferences
Choose which cookies to allow. Essential cookies are required for the site to work and cannot be disabled. For the others, consent is always free, specific and revocable at any time.
EssentialAlways on
Required for the site to function (session, security, cookie preferences). The legal basis is the controller's legitimate interest (Art. 6(1)(f) GDPR). Without these cookies the site does not work correctly.
AnalyticsWe measure what works
Aggregated statistical cookies to understand how users browse the site (page views, session duration, traffic source). EU-friendly or anonymised providers. Legal basis: consent (Art. 6(1)(a) GDPR).
MarketingPersonalisation and remarketing
Third-party cookies (LinkedIn Insight Tag, possible campaign pixels) to measure ad campaign effectiveness and show relevant content. Legal basis: consent (Art. 6(1)(a) GDPR). Disabled by default.
You can change these choices at any time from the Cookie Policy page or by clicking the Cookie preferences link in the footer.