Creating a timebound picture of network activity
It is your second day as a security analyst at a new company, and your network has suffered a cyber attack. Not only are you new on the job, but you are also new to Splunk Enterprise. You want to start the investigation immediately, but don't know what data sources were available or what hosts were on your network at the time of the attack. You need to gather this information before you begin to ensure your investigation is thorough. You can use Splunk software to quickly obtain a complete picture of what data is written to your indexes, through what sources, and by what devices.
Required data
How to use Splunk software for this use case
You can run many searches with Splunk software to gather information about your network and hosts. Depending on what information you have available, you might find it useful to identify some or all of the following:
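The following searches, added here as an illustration and not part of the original page, show one way to build that timebound picture with the metadata and tstats commands. The index name `index=*`, the incident window (a constructed placeholder of 08:00 to 12:00 on 1 April 2024 in Splunk's default `%m/%d/%Y:%H:%M:%S` time format) and the 7-day baseline are assumptions to replace with your own values. The first search lists every sourcetype that has written to your indexes, with first and last event times, so you know which data sources exist at all; the second scopes to the incident window and returns which hosts sent which sourcetypes to which index, with first and last seen times and event counts; the third lists hosts that were logging during the baseline period but have sent nothing in the last 24 hours, which is a useful check for log sources that stopped reporting around the time of the attack.

```spl
| metadata type=sourcetypes index=*
| eval firstEvent=strftime(firstTime, "%F %T"), lastEvent=strftime(lastTime, "%F %T")
| table sourcetype firstEvent lastEvent totalCount
| sort - totalCount

| tstats count min(_time) AS firstSeen max(_time) AS lastSeen
    WHERE index=* earliest="04/01/2024:08:00:00" latest="04/01/2024:12:00:00"
    BY index host sourcetype
| eval firstSeen=strftime(firstSeen, "%F %T"), lastSeen=strftime(lastSeen, "%F %T")
| sort - count

| tstats latest(_time) AS lastSeen WHERE index=* earliest=-7d latest=now BY host
| where lastSeen < relative_time(now(), "-24h")
| eval lastSeen=strftime(lastSeen, "%F %T")
| sort lastSeen
```

Run each search separately (the blank lines separate three independent searches). Because tstats reads only indexed fields, all three run quickly even across large indexes; the narrow time window in the second search is what keeps the result set to the hosts and sources actually active during the attack, and the third search's result should be checked against planned maintenance before treating a silent host as evidence of tampering.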
Next steps
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to create a picture of your network at the time of the incident: How fast you are able to determine where to begin the investigation
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed
These additional Splunk resources might help you understand and implement this specific use case:
- Docs: The metadata search command
- Docs: The tstats search command