Extracting insights from ES
More about use cases in Splunk Enterprise Security
The pre-configured notable events in Splunk Enterprise Security, generated by its built-in correlation searches, cover detections for many use cases. You can find more in the Use Case Library in Splunk Enterprise Security, accessed via the Configure menu, then Content, then Use Case Library. Some common use cases that can be addressed with Splunk Enterprise Security are:
- Detecting malware
- Identifying suspicious activity
- Privileged/non-privileged user monitoring
- Brute force activity (local and cloud)
- Advanced threat detection
- Traffic over time by action
- Access anomalies
- Communications with known bad actor
- Cloud provisioning activity from unusual country
- Cloud instance created by unusual user
- VPN monitoring
- Suspicious AWS activities
- Unusual processes
Often the best way to start is to enable a few correlation searches and adjust them to fit the use case in your environment.
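As an added illustration of enabling a correlation search and adjusting it to your environment (this is example SPL written for this page, not a search shipped with Splunk Enterprise Security), the following brute force detection runs over the accelerated CIM Authentication data model. The 10 minute window, the failure threshold of 25, and the `brute_force_allowlist` lookup are assumptions to be tuned or replaced; the allowlist lookup does not exist in ES and is a hypothetical name.

```spl
| tstats summariesonly=true count
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action IN ("failure", "success")
    BY _time span=10m Authentication.src Authentication.dest Authentication.app Authentication.action
| rename Authentication.* AS *
``` split the per-action counts into separate columns so failures and successes can be compared in one row ```
| eval failures=if(action="failure", count, 0), successes=if(action="success", count, 0)
| stats sum(failures) AS failures sum(successes) AS successes values(app) AS app BY _time src dest
``` tuning knob: raise or lower the failure threshold per environment (assumed value) ```
| where failures >= 25
``` a success after a burst of failures is the higher-severity case (possible credential guess that worked) ```
| eval severity=if(successes > 0, "high", "medium")
``` hypothetical allowlist lookup (src column) for scanners and service accounts that legitimately fail often ```
| search NOT [| inputlookup brute_force_allowlist.csv | fields src]
| table _time src dest app failures successes severity
```

When saved as a correlation search, the `severity` field can drive the notable event's urgency, and the `app` values help separate local (for example `win:remote`) from cloud (for example an AWS or Okta login source) brute force attempts without maintaining two searches.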
Many more use cases can be found in the Splunk Enterprise Security Content Update app, Security Essentials, and Splunk Lantern. The Splunk Enterprise Security Content Update app is linked to the Splunk Security Research Team's work and is updated frequently with timely detections. It is a best practice to consult it often. Here are some additional resources:
- Community: Example of how to detect basic malware outbreak
- Blog: Kaseya sera. What REvil shall encrypt, shall encrypt
Using a framework like MITRE ATT&CK can help you find gaps in your coverage and areas you still need to implement. Use MITRE ATT&CK to see how these use cases map to adversary Tactics, Techniques, and Procedures (TTPs).
Finally, risk-based alerting (RBA) in Splunk Enterprise Security can help you implement use cases more efficiently. To get started with RBA, see the following resources:
- Solution guide: Embark on your risk-based alerting journey with Splunk
- Splunk Lantern guide: Risk-based alerting
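To make the RBA idea concrete, here is an added example (written for this page, not a search shipped with Splunk Enterprise Security) of the two halves of risk-based alerting: a risk rule that attributes risk to a user instead of raising a notable on its own, and a risk incident rule that aggregates accumulated risk from the Risk data model. The score of 20, the 24 hour window, the threshold of 100, and the three-distinct-source requirement are assumptions to be tuned.

```spl
``` Part 1: risk rule. Same brute force logic as a normal correlation search, but its output
    sets the risk_* fields that the ES "Risk Analysis" adaptive response action writes to the risk index. ```
| tstats summariesonly=true count
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m Authentication.src Authentication.user
| rename Authentication.* AS *
| where count >= 25
| eval risk_object=user, risk_object_type="user",
       risk_score=20,
       risk_message="Brute force: " . count . " failed logins for " . user . " from " . src
| table _time risk_object risk_object_type risk_score risk_message src count

``` Part 2: risk incident rule. Aggregate risk per object over the last 24 hours and notable only
    when the score is high AND it comes from several different rules (assumed thresholds). ```
| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) AS risk_score
    dc(source) AS source_count
    values(source) AS source
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) AS mitre_tactic_count
    FROM datamodel=Risk.All_Risk
    WHERE All_Risk.risk_object_type="user" earliest=-24h latest=now
    BY All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* AS *
| where risk_score >= 100 AND source_count >= 3
| sort - risk_score
```

The design point is that Part 1 never pages an analyst by itself: a single burst of failed logins only adds 20 points. An analyst sees one notable from Part 2 when the same user also accumulates risk from other rules, which is where the noise reduction comes from. Requiring distinct ATT&CK tactics (`mitre_tactic_count`) instead of, or in addition to, distinct sources is a common refinement once the rules carry ATT&CK annotations.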