Splunk Lantern

Extracting insights from ES


Splunk Enterprise Security ships with pre-configured correlation searches that generate notable events, and together they cover many common detection use cases. You can also browse the Use Case Library in Splunk Enterprise Security, accessed via the Configure menu, then Content, then Use Case Library. Some common use cases that can be addressed with Splunk Enterprise Security are:

  • Detecting malware
  • Identifying suspicious activity
  • Privileged and non-privileged user monitoring
  • Brute force activity (local and cloud)
  • Advanced threat detection
  • Traffic over time by action
  • Access anomalies
  • Communication with known bad actors
  • Cloud provisioning activity from unusual country
  • Cloud instance created by unusual user
  • VPN monitoring
  • Suspicious AWS activities
  • Unusual processes

Often the best way to start is to enable a few correlation searches, review the notables they produce, and then adjust their thresholds, time windows, allowlists, and data sources so they fit the use case in your environment.

Other resources on use case development

Many more use cases can be found in the Splunk Enterprise Security Content Update app, Splunk Security Essentials, and Splunk Lantern. The Splunk Enterprise Security Content Update app is linked to the Splunk Security Research Team's work and is updated frequently with timely detections, so it is a best practice to update it regularly. Here are some additional resources:

Using a framework like MITRE ATT&CK can help you find gaps in your coverage and areas you still need to implement. Use MITRE ATT&CK to see how these use cases map to adversary Tactics, Techniques, and Procedures (TTPs).
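As an added example of what "enable a correlation search and adjust it" looks like in practice, and of tagging the result with an ATT&CK technique, here is a brute-force detection written in SPL against the Enterprise Security Authentication data model. This is illustrative code written for this page, not a search from Splunk Lantern or the Enterprise Security Content Update app. It assumes the Authentication data model is accelerated, and the lookup name brute_force_src_allowlist, the thresholds (25 failures or 10 distinct users in 10 minutes), and the 10-minute window are assumptions to be tuned to your environment:

```spl
| tstats summariesonly=true allow_old_summaries=true
    count AS failures
    dc(Authentication.user) AS distinct_users
    values(Authentication.user) AS users
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY Authentication.src _time span=10m
| rename Authentication.src AS src
``` comment: brute_force_src_allowlist is a hypothetical CSV lookup (fields: src, is_allowed) holding vulnerability scanners, monitoring probes, and other known-noisy sources
| lookup brute_force_src_allowlist src OUTPUT is_allowed
| where isnull(is_allowed)
``` comment: one source guessing many passwords for few users is password guessing; one source touching many users is password spraying
| where failures >= 25 OR distinct_users >= 10
| eval attack_technique = if(distinct_users >= 10, "T1110.003 Password Spraying", "T1110.001 Password Guessing")
| table _time src failures distinct_users users attack_technique
```

When this is saved as a correlation search in Enterprise Security, the thresholds and the lookup are the parts you adjust first: raise the failure count if service accounts or NAT gateways trip it, and populate the allowlist from the sources you see in the first few days of notables rather than guessing. The attack_technique field is what lets you map the resulting notables back to the ATT&CK Brute Force technique (T1110) and its sub-techniques when you review coverage.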

Finally, risk-based alerting (RBA) in Splunk Enterprise Security can help you implement use cases more efficiently by aggregating lower-confidence detections into risk scores per user or system instead of raising a notable for each one. To get started with RBA, see the following resources: