Skip to main content
Splunk Lantern

Prescriptive Adoption Motion - Using the Splunk platform for Security use cases


What’s your plan for cybersecurity? Are you simply “planning for the worst, but hoping for the best?” With digital technology touching every part of our lives and new threats popping up daily, it’s imperative that your organization is informed and prepared when it comes to defending your assets and hunting your adversaries.

High-profile breaches, global ransomware attacks, and the scourge of cryptomining are just a few reasons that your organization needs to collect, leverage, and understand the right data. You also need to implement the right processes and procedures, often alongside new technologies, methods and requirements - all with an ever-increasing velocity and variety of machine data.

So how can you best defend your organization and hunt down new adversaries? Ultimately, by taking a holistic approach to your defense system across the enterprise. This is why Splunk believes every organization needs a security nerve center, implemented by following the six-stage security journey described in this guide.

Aim and strategy

Splunk offers the data-centric security solution required for foundational security monitoring, incident management, and compliance requirements, all of which enable teams to build modern security operations. With the Splunk platform, security teams can centralize and analyze their data, regardless of source or format, and gain end-to-end visibility of their environment, whether on-premises, hybrid, or multi-cloud. Security teams ready for a SIEM solution can easily add Splunk Enterprise Security to the Splunk platform environment to advance their detection and resolution capabilities. Splunk security solutions are supported by an open ecosystem of 2,800+ integrations and applications that help rapidly extract value from data sources teams already use. By using Splunk software, security teams can evolve and scale their security operations to support their security maturity journey.

Common use cases

A variety of effective security use cases that only require the core Splunk platform can be found in the Splunk Security Essentials app and in the Platform Use Case Explorer articles linked in this section.

Security monitoring. This enables you to analyze a continuous stream of near-real-time data for threats and other potential security issues. Data sources for monitoring include network and endpoint systems, as well as cloud devices, data center systems, and applications. The Splunk platform enables security teams to detect and prioritize threats found in the stream of data from these sources.

Incident Management. Security incidents can occur without warning and can often go undetected long enough to pose a serious threat to an organization. Usually by the time security teams are aware of an issue, there’s a good chance the damage has been done. Splunk provides security teams with a “single source of truth” for all time-stamped machine data in a computing environment. This helps them drive better and faster security investigations, reducing the chance of a threat going undetected for extended periods.

Compliance. In nearly all environments, there are regulatory requirements in one form or another – especially when dealing with GDPR, HIPAA, PCI, SOX and even common guidelines that aren’t considered true compliance, such as the 20 CIS Critical Security Controls. There are many ways of solving compliance challenges using Splunk solutions. One example is creating correlation rules and reports that identify threats to sensitive data or key employees, as well as automatically demonstrate compliance.

User roles

Role Responsibilities

Lead Security Analysts

Define security use cases, analyst workflows, and content strategy

Splunk Admins / Splunk Enterprise Security Admins

Manage configuration changes, app installs, index creation, and permissions changes

Information Security Management

Change approvals and project sponsorship


1. Prerequisites

While this specific document focuses on the Splunk platform security implementation, it is important to understand the additional complementary offerings of Splunk’s overall security suite:

  • Splunk platform - A flexible platform that addresses an array of security use cases. It enables you to monitor and analyze machine data quickly from any source to deliver insights to act and is an essential analytics-driven foundation that strengthens your overall security. Available in the cloud.
  • Splunk Enterprise Security - A security information and event management (SIEM) solution that provides insights into machine data generated from security technologies such as network, endpoint, and access as well as malware, vulnerability, and identity information. Available in the cloud.
  • Splunk User Behavior Analytics - A machine-learning-powered solution that delivers answers organizations need to find unknown threats and anomalous behavior across users, endpoint devices, and applications.
  • Splunk SOAR - A security orchestration, automation, and response (SOAR) platform that integrates with your existing security technologies to provide a layer of “connective tissue” between them, making them smarter, faster, and stronger.
  • Applications - Apps developed by Splunk, partners, and our community to enhance and extend the power of the Splunk platform. Available in the cloud.
  • Splunk Security Essentials - Explore new use cases and deploy security detections from Splunk Security Essentials to Splunk Enterprise or Splunk Cloud Platform, as well as the Splunk SIEM and SOAR offerings. Now a fully-supported app with an active Splunk Cloud Platform license, it allows you to start strengthening your security posture and quicken your time- to-value with Splunk.
  • Splunk Enterprise Security Content Updates - For customers with Splunk Enterprise Security, this app delivers security analysis guides, called “Analytic Stories,” that explain how to best use Splunk Enterprise Security to investigate and take action on new threats detected in your environment, what searches to implement, and what you should be able to achieve.
  • Splunk Mission Control - Splunk Mission Control unifies your security operations across Splunk’s industry-leading security technologies and partner ecosystem within one work surface. This allows you to better understand business risk by seeing the entire picture of security insights and trends to detect what matters, investigate holistically, and respond intelligently.

The flexibility of the Splunk platform allows for end-to-end visibility across all enterprise systems, This allows customers to effectively complete multi-step analysis, as well as ad-hoc investigations, to address any security monitoring use cases. Beyond the core platform, Splunk also offers enhanced features with our industry-leading SIEM, as well as a suite of solutions for detections, alerting, automation, and response management.

Implementation guide

The following image shows the security data journey in the Splunk Security Essentials application. The Splunk platform is used in stages 1 to 4 to help build foundational search and investigation capabilities. Stages 5 to 6 focus on advanced features outside of the Splunk platform.


1. Collection

This stage focuses on foundational functionality of the Splunk platform by collecting the data, metrics, or events generated by key components of your security infrastructure. A defensible security posture, or regulatory compliance, requires moving critical activity logs to a separate system where they can’t be easily tampered with by an attacker. This also gives a security analyst the data necessary to perform basic investigations. At this early stage in security adoption, the best practice is to capture data in four primary focused categories: 

  • Network. Visibility into network traffic is critical for any security team. At this early stage, the priority is to see what types of traffic are entering and exiting your network. It’s critical to see permitted traffic as well as communication attempts that have been blocked.
  • Endpoint. Endpoint logs complement network visibility to give insight into malicious activities such as malware execution, an insider performing an unauthorized activity, or an attacker dwelling in your network. It’s important to capture this data from both servers and workstations, and all operating systems (Windows, Linux, MacOS etc.)
  • Authentication. Authentication logs can tell you when users are accessing your systems and applications, and from where. Since most successful attacks eventually include the use of valid credentials, this data is critical in helping to tell the difference between a valid login and an account takeover.
  • Web Activity. Many attacks start with a user visiting a malicious website or end with valuable data being exfiltrated to a site that the attacker controls. Visibility into who is accessing what sites and when is critical for investigation.

2. Normalization

In this stage you'll begin implementing a Security Operations Center (SOC) to track systems and users on your network, and to consume a larger selection of detection mechanisms from vendors and the community. Even if you don’t plan to stand up a formal SOC, normalized data will streamline investigations and improve the effectiveness of an analyst.

At this stage, you map your data properly to the Common Information Model (CIM).  This ensures that fields representing common values such as source IP address, port, or username have consistent naming conventions, regardless of the device that created the event. This allows you to start consuming detection mechanisms from many sources and to begin to scale the capabilities of your security team.

3. Expansion

Moving beyond foundational data sources, ingesting additional types of data into your Splunk environment unlocks a rich set of detection capabilities. 

  • Network. World-class threat hunters rely on DNS and advanced endpoint data to uncover and track adversaries dwelling in your network.
  • Endpoint. Rich endpoint activity that captures process creation, file changes, registry modifications, network connections, and more to provide an amazingly clear history of critical events occurring on an endpoint.

4. Enrichment

Machine data is important, but high performing security teams enrich their data with other internal and external sources. A wealth of contextual and investigative knowledge including threat intelligence feeds, open source intelligence (OSINT) sources, and internally sourced information allows your security personnel to extract more value from the data you are collecting to detect security events and incidents sooner.

Splunk platform native enrichment

Splunk Enterprise Security / Splunk SOAR enrichment 

Mature organizations continuously monitor their environment for alerts, triage, and respond to threats in a consistent, repeatable, and measurable way. Stage 5 maturity provides the ability to track incidents, measure analyst effectiveness, and take action according to prescribed play books. You can automate simple response actions and combine them into more sophisticated orchestration.

Find anomalous behavior and unknown threats by applying machine learning, data science, and advanced statistics to analyze the users, endpoint devices, and applications in your environment.

  • Splunk Enterprise Security / Splunk Mission Control
  • Splunk User Behavior Analytics
  • RBA (Risk Based Alerting)
  • Splunk native machine learning (MLTK, etc.)

Success measurement

When implementing the guidance in this adoption guide, you should see improvements in the following: 

  • Customer Experience 
  • Mean Time To Detect (MTTD)
  • Mean Time to Respond (MTTR)
  • Service Level Objectives (SLO)
  • Service Level Agreements (SLA)