Getting started with SIEM
Data onboarding best practices
- Find Splunk apps/add-ons in Splunkbase that power the use cases.
- Use Common Information Model (CIM) compatible add-ons to collect and process data.
Dashboards and reporting
- Identify and investigate security incidents.
  - Use the Security Posture dashboard to monitor enterprise security status.
    - View a high-level overview of the notable events in your environment over the last 24 hours.
    - Identify the security domains with the most incidents and the most recent activity.
  - Use the Incident Review dashboard to investigate notable events.
    - View the details of all notable events identified in your environment.
    - Triage, assign, and review the details of notable events from this dashboard.
- Accelerate your investigations with security intelligence.
  - Use the Risk Analysis dashboard to assess the risk scores of systems and users across your network and identify the devices and users posing the greatest risk to your environment.
  - Use the Protocol Intelligence dashboard for network insights relevant to your security investigations.
    - Identify suspicious traffic, DNS activity, and email activity, and review the connections and protocols in use in your network traffic.
  - Use the Threat Intelligence dashboard to add context to your security incidents and identify known malicious actors in your environment.
    - Use the threat intelligence sources included in Splunk Enterprise Security as well as custom sources that you configure.
  - Use the User Activity dashboards to investigate and monitor the activity of users and assets in your environment.
  - Use the Web Intelligence dashboards to analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs.
- Monitor security domain activity.
  - Access domain dashboards display authentication and access-related data, such as login attempts, access control events, and default account activity.
  - Endpoint domain dashboards display endpoint data relating to malware infections, patch history, system configurations, and time synchronization.
  - Network domain dashboards display network traffic data provided by devices such as firewalls, routers, network intrusion detection systems, network vulnerability scanners, proxy servers, and hosts.
  - Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use.
Splunk Enterprise Security use cases
- Detecting malware. For example, use Splunk Enterprise Security to detect malware activity in your organization's network that could indicate a zero-day exploit, and use the investigation results to improve your threat detection.
- Identifying suspicious activity. For example, use Splunk Enterprise Security to find data exfiltration.
- Privileged/Non-Privileged User Monitoring
- Brute Force Activity (Local and Cloud)
- Advanced Threat Detection
- Traffic Over Time by Action
- Access Anomalies
- Communications with Known Bad Actor
- Cloud Provisioning Activity from Unusual Country
- Cloud Instance Created by Unusual User
- VPN Monitoring
- Suspicious AWS Activities
- Unusual Processes
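An added example, not a search shipped with Splunk Enterprise Security, of how the Brute Force Activity use case above can be written as a correlation search against the CIM Authentication data model that the CIM-compatible add-ons from the data onboarding section populate. The threshold of 10 failures, grouping by source, and the requirement of at least one success are assumptions chosen for illustration:

```spl
| tstats summariesonly=true allow_old_summaries=true
    count(eval('Authentication.action'=="failure")) AS failure,
    count(eval('Authentication.action'=="success")) AS success,
    values(Authentication.user) AS user,
    values(Authentication.app) AS app
  FROM datamodel=Authentication.Authentication
  BY Authentication.src
| rename Authentication.src AS src
| where failure >= 10 AND success > 0
| table src user app failure success
```

Schedule it over a short window (for example the last hour) so that each notable event it raises lists sources whose run of failed logins was followed by a success, which is the pattern worth triaging first on the Incident Review dashboard.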