Extracting insights from ES

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Would security capabilities that help you focus attention towards malicious actions improve your detections? Would fewer alerts of more value give your team more time for better response? Would expanding machine learning capabilities give your security operations an advanced edge?

With Splunk Enterprise Security, you can leverage advanced capabilities faster and easier, rather than needing to build advanced detections from the ground up. These include:

Risk-based alerting that allows the security domain to use fewer event criteria driven sources. This means that you have an advanced, fully operational detection and response framework in less time.
A use case library that gives you analytic stories to build content from. Each of these comes with framework mapping to a variety of different kill chains and the MITRE ATT&CK framework.
Recommendations for data sources, source types, and data models.
The power of machine learning and streaming analytics with behavior analysis. Unsupervised machine learning algorithms analyze data and detect anomalies that deviate from normal behavior. This continuous learning process allows you to better adapt to emerging cyber threats.
Visual threat topology that maps risk objects to associated threat objects.
Reports that show a variety of threat sources with additional detail all within one place to enrich notable events and give more context.

To learn more, watch the following demo to see how alerting that is better focused on surfacing legitimate threats takes less time and is easier for teams to manage.

More about use cases in Splunk Enterprise Security

The pre-configured notables in Splunk Enterprise Security represent many detections for use cases. You can find more in the Use Case Library in Splunk Enterprise Security, accessed via the Configure menu, Content, and then Use Case Library. Some common use cases that can be addressed with Splunk Enterprise Security are:

Detecting malware
Identifying suspicious activity
Privileged/ non-privileged user monitoring
Brute force activity (local and cloud)
Advanced threat detection
Traffic over time by action
Access anomalies
Communications with known bad actor
Cloud provisioning activity from unusual country
Cloud instance created by unusual user
VPN monitoring
Suspicious AWS activities
Unusual processes

Often the best way to start is to enable a few correlation searches and adjust them to fit the use case in your environment.

Many more use cases can be found in the Splunk Enterprise Security Content Updates app, Security Essentials, and Splunk Lantern. The Splunk Enterprise Security Content Update app is linked to the Splunk Security Research Team's work and it is updated frequently with timely detections. It is a best practice to use this often. Here are some additional resources:

Webinar: 20 SIEM use cases in 40 minutes: Which ones have you mastered?
Community: Example of how to detect basic malware outbreak
Blog: Kaseya sera. What REvil shall encrypt, shall encrypt

Using a framework like MITRE ATT&CK can help you find gaps in your coverage and areas you need to implement. Use MITRE ATT&CK to see how these use cases map to advisory Tactics, Techniques, and Procedures (TTP).

Finally, risk-based alerting (RBA) in Splunk Enterprise Security can help you implement use cases more efficiently. To get started with RBA, see the following resources:

Solution guide: Embark on your risk-based alerting journey with Splunk
Splunk Lantern guide: Risk-based_alerting

Previous step

Next step