Identifying Splunk Enterprise Security use cases and data sources
The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For assistance with ES 8.x, Splunk Professional Services can help.
Splunk Enterprise Security provides pre-configured notables for a variety of detections. Some common use cases include:
- Detecting malware
- Using Enterprise Security to find data exfiltration
- Monitoring privileged and non-privileged users
- Detecting brute force activity (local and cloud)
- Advanced threat detection
- Analyzing traffic over time by action
- Finding TOR traffic
- Detect Windows event log cleared
- Detect excessive user account lockouts
- Common ransomware notes
- Detect excessive account lockouts from an endpoint
- Detect short-lived Windows accounts
- Detect remote desktop network brute force
- Detect O365 suspicious user email forwarding
- Detect remote process instantiation via WMI
- Detect hosts connecting to dynamic domain providers
To access the use cases in Splunk Enterprise Security, click Configure > Content > Use Case Library. A good way to begin is to enable a few correlation searches and then tune them (thresholds, allow lists, data sources) to fit your specific environment.
Other places you can find ideas for use cases include:
- Splunk ES Content Update app. This app is linked to the work of the Splunk Security Research Team and it is updated frequently with timely detections. It is a best practice to use this often.
- Splunk Security Essentials (SSE). This app helps you explore security use cases, assess your current coverage, and identify gaps in your security posture, so you can find the most suitable security content to start addressing your threats and challenges. SSE also includes a data inventory tool that performs data introspection on your available data sources.
- Splunk Lantern. Lantern has a wealth of use cases and product tips written by Splunk experts to help you optimize your use of Splunk Enterprise Security.
- MITRE ATT&CK. This framework can help you find gaps in your coverage and areas you still need to implement. Use MITRE ATT&CK to see how use cases map to adversary Tactics, Techniques, and Procedures (TTPs).
- Risk-based alerting (RBA). RBA in Splunk Enterprise Security can also help you implement use cases more efficiently.
Some additional resources to help you develop use cases are:
- Enterprise Security SIEM use case library
- .conf session: The beginner’s guide to security monitoring for enterprises
- Blog: Kaseya, Sera. What REvil shall encrypt, shall encrypt
- Blog: REvil ransomware threat research update and detections
Identify data sources
See Data source planning for Splunk Enterprise Security for detailed information on data source planning.