Skip to main content
Splunk Lantern

Extracting insights from ES


Would security capabilities that help you focus attention towards malicious actions improve your detections? Would fewer alerts of more value give your team more time for better response? Would expanding machine learning capabilities give your security operations an advanced edge?

With Splunk Enterprise Security, you can leverage advanced capabilities faster and easier, rather than needing to build advanced detections from the ground up. These include:

  • Risk-based alerting that allows the security domain to use fewer event criteria driven sources. This means that you have an advanced, fully operational detection and response framework in less time.
  • A use case library that gives you analytic stories to build content from. Each of these comes with framework mapping to a variety of different kill chains and the MITRE ATT&CK framework.
  • Recommendations for data sources, source types, and data models.
  • The power of machine learning and streaming analytics with behavior analysis. Unsupervised machine learning algorithms analyze data and detect anomalies that deviate from normal behavior. This continuous learning process allows you to better adapt to emerging cyber threats.
  • Visual threat topology that maps risk objects to associated threat objects.
  • Reports that show a variety of threat sources with additional detail all within one place to enrich notable events and give more context.

To learn more, watch the following demo to see how alerting that is better focused on surfacing legitimate threats takes less time and is easier for teams to manage.

More about use cases in Splunk Enterprise Security

The pre-configured notables in Splunk Enterprise Security represent many detections for use cases. You can find more in the Use Case Library in Splunk Enterprise Security, accessed via the Configure menu, Content, and then Use Case Library. Some common use cases that can be addressed with Splunk Enterprise Security are:

  • Detecting malware
  • Identifying suspicious activity
  • Privileged/ non-privileged user monitoring
  • Brute force activity (local and cloud)
  • Advanced threat detection
  • Traffic over time by action
  • Access anomalies
  • Communications with known bad actor
  • Cloud provisioning activity from unusual country
  • Cloud instance created by unusual user
  • VPN monitoring
  • Suspicious AWS activities
  • Unusual processes

Often the best way to start is to enable a few correlation searches and adjust them to fit the use case in your environment.

Many more use cases can be found in the Splunk Enterprise Security Content Updates app, Security Essentials, and Splunk Lantern. The Splunk Enterprise Security Content Update app is linked to the Splunk Security Research Team's work and it is updated frequently with timely detections. It is a best practice to use this often. Here are some additional resources:

Using a framework like MITRE ATT&CK can help you find gaps in your coverage and areas you need to implement. Use MITRE ATT&CK to see how these use cases map to advisory Tactics, Techniques, and Procedures (TTP).

Finally, risk-based alerting (RBA) in Splunk Enterprise Security can help you implement use cases more efficiently. To get started with RBA, see the following resources: