Skip to main content
 
 
 
Splunk Lantern

Creating a timebound picture of network activity

 

It is your second day as a security analyst at a new company, and your network has suffered a cyber attack. Not only are you new on the job, but you are also new to Splunk Enterprise. You want to start the investigation immediately, but don't know what data sources were available or what hosts were on your network at the time of the attack. You need to gather this information before you begin to ensure your investigation is thorough. You can use Splunk software to quickly obtain a complete picture of what data is written to your indexes, through what sources, and by what devices. 

Required data

System log data

How to use Splunk software for this use case

You can run many searches with Splunk software to gather information about your network and hosts. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to create a picture of your network at the time of the incident: How fast you are able to determine where to begin the investigation
  • Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed

These additional Splunk resources might help you understand and implement this specific use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.