Scenario: It is your second day as a security analyst at a new company, and your network has suffered a cyber attack. Not only are you new on the job, but you are also new to Splunk Enterprise. You want to start the investigation immediately, but don't know what data sources were available or what hosts were on your network at the time of the attack. You need to gather this information before you begin to ensure your investigation is thorough. You can use Splunk software to quickly obtain a complete picture of what data is written to your indexes, through what sources, and by what devices.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
- People: Security analyst, system administrator, network engineer
- Technologies: Splunk Enterprise or Splunk Cloud Platform
- Data: System log data
How to use Splunk software for this use case
You can run many searches with Splunk software to gather information about your network and hosts. Depending on what information you have available, you might find it useful to identify some or all of the following:
- Hosts logging data in a certain timeframe
- Hosts logging more or less data than expected
- Source types available
- Baseline of user logon times
- Processes running on a host
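The five searches below, added here as an example and not taken from the original blog or from Splunk documentation, answer those five questions in order. The first three use only the `tstats` and `metadata` commands, so they run against any index without knowing the data in advance. The last two assume Windows Security events in an index named `wineventlog`, with logons as EventCode 4624 carrying a `user` field and process starts as EventCode 4688 carrying `New_Process_Name`; the host name `WORKSTATION01` is a placeholder. All time windows (7 and 30 days back, ending at the start of today) are assumptions to adjust to the incident. Run each search separately; they are separated by blank lines.

```spl
| tstats count, min(_time) AS first_seen, max(_time) AS last_seen WHERE index=* earliest=-7d@d latest=@d BY index, host, sourcetype
| convert ctime(first_seen), ctime(last_seen)
| sort - count

| tstats count WHERE index=* earliest=-8d@d latest=@d BY host, _time span=1d
| eval period=if(_time >= relative_time(now(), "-1d@d"), "current", "baseline")
| stats avg(eval(if(period="baseline", count, null()))) AS baseline_per_day, dc(eval(if(period="baseline", _time, null()))) AS baseline_days, sum(eval(if(period="current", count, 0))) AS current_day BY host
| eval ratio=round(current_day / baseline_per_day, 2)
| where isnull(baseline_per_day) OR ratio > 2 OR ratio < 0.5
| sort - ratio

| metadata type=sourcetypes index=*
| convert ctime(firstTime), ctime(lastTime), ctime(recentTime)
| sort - totalCount

index=wineventlog EventCode=4624 earliest=-30d@d latest=@d
| eval hour=tonumber(strftime(_time, "%H"))
| stats count AS logons, perc10(hour) AS usual_start_hour, perc90(hour) AS usual_end_hour, dc(host) AS hosts BY user
| where logons > 5
| sort user

index=wineventlog EventCode=4688 host="WORKSTATION01" earliest=-24h
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, dc(user) AS users BY New_Process_Name
| convert ctime(first_seen), ctime(last_seen)
| sort - count
```

The second search is the one that flags hosts logging more or less than expected: it compares yesterday's event count per host with the average of the seven days before it, reports hosts that have no baseline at all (new or newly noisy hosts, where `ratio` is empty) and hosts whose volume doubled or halved, which is usually how a forwarder that was stopped during an attack, or a host that started flooding the index, shows up. The logon baseline uses the 10th and 90th percentile of the logon hour so that a single late-night logon does not widen a user's normal working window; logons outside that window during the incident timeframe are the ones worth a closer look.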
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to create a picture of your network at the time of the incident: How quickly you can determine where to begin the investigation
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case: