Scenario: It is your second day as a security analyst at a new company, and your network has suffered a cyber attack. Not only are you new on the job, but you are also new to Splunk Enterprise. You want to start the investigation immediately, but don't know what data sources were available or what hosts were on your network at the time of the attack. You need to gather this information before you begin to ensure your investigation is thorough.
How Splunk software can help
You can use Splunk software to quickly obtain a complete picture of what data is written to your indexes, through what sources, and by what devices.
What you need
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
The best person to implement this use case is a SecOps Manager, Security Analyst, SIEM Admin, or anyone who needs to be familiar with your organization's network infrastructure. This person might come from your team, a Splunk partner, or Splunk onDemand Services.
Gathering initial information about your network and hosts using Splunk software takes only minutes.
How to use Splunk software for this use case
You can run many searches with Splunk software to gather information about your network and hosts. Depending on what information you have available, you might find it useful to identify some or all of the following:
- Hosts logging data in a certain timeframe
- Hosts logging more or less data than expected
- Source types available
- User logons outside normal times
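The page lists what to look for but gives no searches. The four searches below are added examples written for this page, not Splunk's own documentation searches. Each one starts with its own generating command and stands alone; the `| rename comment AS "..."` line after it is only a label (renaming a field that does not exist is a no-op). The index name `wineventlog`, the `user` and `ComputerName` field names (as produced by the Splunk Add-on for Microsoft Windows), the 24-hour investigation window, the 7-day baseline, and the 07:00-19:00 "normal hours" are assumptions; adjust them to your environment. `tstats` reads indexed fields only, which is why the first three searches return in seconds even across large indexes.

```spl
| tstats count AS events, min(_time) AS first_seen, max(_time) AS last_seen
    where index=* earliest=-24h latest=now
    by host
| rename comment AS "Search 1: every host that wrote any event during the investigation window (assumed: last 24h)"
| convert ctime(first_seen) ctime(last_seen)
| sort - events

| tstats count where index=* earliest=-8d@d latest=@d by _time span=1d, host
| rename comment AS "Search 2: hosts logging far more or far less than their own 7-day daily average; new hosts have no baseline"
| eval period=if(_time >= relative_time(now(), "-1d@d"), "recent", "baseline")
| stats avg(eval(if(period="baseline", count, null()))) AS baseline_avg,
        sum(eval(if(period="recent", count, 0))) AS recent
    by host
| eval ratio=round(recent / baseline_avg, 2)
| where ratio > 2 OR ratio < 0.5 OR isnull(baseline_avg)
| sort - ratio

| tstats count AS events, dc(host) AS hosts, max(_time) AS last_seen
    where index=* earliest=-24h latest=now
    by index, sourcetype
| rename comment AS "Search 3: which source types exist, in which index, from how many hosts, and when each last reported"
| convert ctime(last_seen)
| sort index, - events

index=wineventlog EventCode=4624 earliest=-24h latest=now user!="*$"
| rename comment AS "Search 4: successful Windows logons outside assumed normal hours (07:00-19:00 server local time); machine accounts excluded"
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 7 OR hour >= 19
| stats count AS logons, dc(ComputerName) AS hosts, values(ComputerName) AS targets by user
| sort - logons
```

Run Search 3 first: a source type that a host should produce but that is missing from the results, or whose `last_seen` stops before the attack, tells you at once that part of the evidence is unavailable and the investigation scope must be adjusted. In Search 2 a `ratio` near zero after the attack is as interesting as a spike: a host that suddenly stops forwarding may have been taken offline, encrypted, or had its agent disabled. The hour thresholds in Search 4 use the indexer's time zone, so convert or set the user's time zone before treating a logon as "off-hours".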
How to assess your results
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to create a picture of your network at the time of the incident: How fast you are able to determine where to begin the investigation
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed