Splunk Lantern




After you have connected your data sources and developed a meaningful ability to correlate threats, you're ready to define your use cases and harness the capabilities of pre-built content that you can access with Splunk Security Essentials and Splunk Enterprise Security.

Use cases support security analysts and threat monitoring goals. A use case can be a mix of multiple technical rules within the SIEM tool, or a mix of actions from multiple rules, depending on the need and desired outcome. A use case converts business risks into SIEM technical rules, which then detect possible threats and send alerts to the SOC for action. Building and defining the correct use cases can help identify false positives and separate them from real threats. A use case also recommends action based on current or historical activity that could be part of an ongoing or future attack.

Pre-built content consists of out-of-the-box detections that are preconfigured for monitoring, threat detection and alerting. Part of testing such content is to simulate attacks by generating real attack data for integration into the use cases. Testing your use cases provides you with assurance that content is working as expected and that you are receiving and acting as desired.

As you continue to expand use cases and mature your monitoring efforts to provide continuous and effective analysis of the security posture of the organization, appropriate dashboards and reports from Splunk Security Essentials or Splunk Enterprise Security should be created and monitored by the relevant teams. Dashboards and reports can offer an effective view of both real-time and historical activity and show how well your use cases are working.

If you're a user of Splunk Cloud Platform or Splunk Enterprise, this content can still help you understand the strategies you should use to augment your monitoring techniques. You can find use cases which apply to all Splunk products in the Lantern Security Use Case Library.

Explore monitoring focal areas and find your use cases

If you're at the Monitor stage of your journey, explore the following focal areas to find use cases you should apply.

  • Alert prioritization
    Pivot resources from traditionally reactive functions to proactive functions in your SOC, improving alert fidelity and true positive rates, and resulting in happier analysts.
  • Getting started with use cases in Splunk Security Essentials
    Obtain detailed security detections and analytic stories that get you answers without going down rabbit holes which consume time and resources and leave risks unaddressed.
  • Security posture: Dashboards and reports
    A well-configured dashboard or report allows you to view threats and incidents that are trending up or down, respond faster, and provide real-time insights for management.