Monitor & Detect
After you have connected your data sources and developed a meaningful ability to correlate threats, you're ready to define your use cases and take advantage of the pre-built content available in Splunk Security Essentials and Splunk Enterprise Security.
Use cases give security analysts and your threat-monitoring program a defined goal. A use case can combine several technical rules within the SIEM, or combine the actions of several rules, depending on the need and the desired outcome. It translates a business risk into SIEM rules that detect possible threats and alert the SOC so that it can act. Building and defining the right use cases helps you separate false positives from true positives and eliminate the former, and it recommends action based on current or historical activity that could be part of an ongoing or future attack.
Pre-built content consists of out-of-the-box detections that are preconfigured for monitoring, threat detection and alerting. Part of testing such content is to simulate attacks, generating realistic attack data that exercises the use cases. Testing your use cases gives you assurance that the content works as expected and that you are receiving alerts and acting on them as intended. Keep simulated data distinguishable from production telemetry (for example, by using a dedicated source or index) so that alerts generated by tests can be recognized and cleaned up rather than mistaken for real incidents.
As you expand your use cases and mature your monitoring to provide continuous and effective analysis of the organization's security posture, the relevant teams should create and monitor appropriate dashboards and reports in Splunk Security Essentials or Splunk Enterprise Security. Dashboards and reports give a clear view of both real-time and historical activity and show how well your use cases are working.
If you use Splunk Cloud Platform or Splunk Enterprise, this content can still help you understand the strategies you should use to augment your monitoring. You can find use cases that apply to these products in the use case library, Use Cases for Security with Splunk Platform.
Explore Monitor & Detect focal areas and find your use cases
If you're at the Monitor & Detect stage of your journey, explore the following focal areas to find use cases you should apply.
- Ensure that your organization follows applicable laws, general mandates, and industry-specific regulation that governs how it conducts business.
- Risk-based alerting: Pivot resources in your SOC from traditionally reactive functions to proactive ones, improving alert fidelity and true-positive rates and leaving analysts happier.
- Security Monitoring (Getting started with use cases in Splunk Security Essentials): Obtain detailed security detections and analytic stories that get you answers without the rabbit holes that consume time and resources and leave risks unaddressed.
- Visualizations and Reports: A well-configured dashboard or report lets you see which threats and incidents are trending up or down, respond faster, and provide real-time insight to management.
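The risk-based alerting focal area above rests on one mechanism: individual detections add a risk score to a user or host instead of each raising an alert, and a notable fires only when the risk accumulated over a window crosses a threshold or comes from several distinct ATT&CK tactics. The following Python is an added example that models that logic; it is not Splunk's code. In Splunk Enterprise Security the same aggregation is done by a risk correlation search over the Risk data model, and the field names used here (risk_object, risk_object_type, calculated_risk_score, mitre_tactic_id) are assumed to mirror that model. The sample events, thresholds and evaluation time are constructed for illustration.

```python
"""Model of risk-based alerting (RBA): detections add risk to an entity
instead of each firing an alert, and a notable fires only when the risk
accumulated over a window crosses a threshold or spans several ATT&CK
tactics. Added example; field names mirror the Splunk ES Risk data model
by assumption, and the logic is not Splunk's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str         # entity the risk attaches to (user name or host)
    risk_object_type: str    # "user" or "system"
    source: str              # name of the detection that contributed the risk
    calculated_risk_score: int
    mitre_tactic_id: str     # ATT&CK tactic of the contributing detection


NOW = datetime(2024, 5, 10, 12, 0)      # evaluation time (constructed)
WINDOW = timedelta(days=7)              # look-back window for accumulation
T = datetime(2024, 5, 9, 8, 0)
H = timedelta(hours=1)

# Constructed sample risk events, not real telemetry.
SAMPLE_EVENTS = [
    # alice: four low-scoring detections across four tactics in one morning
    RiskEvent(T, "alice", "user", "LSASS memory access", 40, "TA0006"),
    RiskEvent(T + H, "alice", "user", "Encoded PowerShell command", 30, "TA0002"),
    RiskEvent(T + 2 * H, "alice", "user", "Scheduled task created", 25, "TA0003"),
    RiskEvent(T + 3 * H, "alice", "user", "Large outbound transfer", 20, "TA0010"),
    # bob: the same noisy detection twice; one source, one tactic
    RiskEvent(T - timedelta(days=1), "bob", "user", "Encoded PowerShell command", 30, "TA0002"),
    RiskEvent(T, "bob", "user", "Encoded PowerShell command", 30, "TA0002"),
    # charlie: three weak signals, but three different tactics and detections
    RiskEvent(T, "charlie", "user", "Encoded PowerShell command", 10, "TA0002"),
    RiskEvent(T + H, "charlie", "user", "Scheduled task created", 10, "TA0003"),
    RiskEvent(T + 2 * H, "charlie", "user", "Port scan from host", 10, "TA0007"),
    # web01: a high score that falls outside the window, plus one inside it
    RiskEvent(datetime(2024, 4, 20, 3, 0), "web01", "system", "Brute force logins", 90, "TA0006"),
    RiskEvent(T, "web01", "system", "Brute force logins", 50, "TA0006"),
    # db01: one detection repeated, but high enough to cross the threshold alone
    RiskEvent(T, "db01", "system", "Port scan from host", 60, "TA0007"),
    RiskEvent(T + H, "db01", "system", "Port scan from host", 60, "TA0007"),
]


def aggregate_risk(events, now, window):
    """Sum risk per risk_object over [now - window, now], recording the
    distinct detections and tactics that contributed."""
    cutoff = now - window
    agg = {}
    for ev in events:
        if ev.time < cutoff or ev.time > now:
            continue
        entry = agg.setdefault(ev.risk_object, {
            "risk_object_type": ev.risk_object_type,
            "risk_score": 0, "sources": set(), "tactics": set()})
        entry["risk_score"] += ev.calculated_risk_score
        entry["sources"].add(ev.source)
        entry["tactics"].add(ev.mitre_tactic_id)
    return agg


def risk_notables(events, now, window=WINDOW, score_threshold=100, min_tactics=3):
    """One notable per entity whose accumulated risk reaches score_threshold,
    or whose risk spans at least min_tactics distinct tactics coming from at
    least as many distinct detections (a single noisy rule cannot satisfy
    the diversity rule on its own)."""
    notables = []
    for obj, a in aggregate_risk(events, now, window).items():
        reasons = []
        if a["risk_score"] >= score_threshold:
            reasons.append(f"risk_score {a['risk_score']} >= {score_threshold}")
        if len(a["tactics"]) >= min_tactics and len(a["sources"]) >= min_tactics:
            reasons.append(f"{len(a['tactics'])} tactics from {len(a['sources'])} detections")
        if reasons:
            notables.append({
                "risk_object": obj,
                "risk_object_type": a["risk_object_type"],
                "risk_score": a["risk_score"],
                "sources": sorted(a["sources"]),
                "tactics": sorted(a["tactics"]),
                "reason": "; ".join(reasons),
            })
    return sorted(notables, key=lambda n: n["risk_score"], reverse=True)


if __name__ == "__main__":
    for n in risk_notables(SAMPLE_EVENTS, NOW):
        print(f"{n['risk_object_type']}={n['risk_object']}: {n['reason']}")
```

Run stand-alone, the sample fires three notables: alice (115 points across four tactics), db01 (one detection repeated, 120 points), and charlie (only 30 points, but three tactics from three different detections). bob's repeated single detection and web01, whose 90-point event is older than the window, produce no alert. That is the fidelity gain the focal area describes: the noisy detections still run, but the analyst only sees the entities where the evidence adds up.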