The two most frequent questions I hear from Splunk customers are “What more, outside of what I’m already doing, can I do with the Splunk platform?” and “What more can I do with my data?”. Customers who ask these questions usually have a few use cases deployed, but aren’t sure what issues to address next. Other customers aren’t sure where to get started. And these days, pretty much everyone wants to get the most out of their data.
Although these are big (and important) questions, they aren’t difficult to answer, thanks to the capabilities included in Splunk Security Essentials (SSE). The SSE app is pre-loaded with more than 120 correlation searches, and maps to more than 450 pieces of content from Splunk premium products. It was specifically designed to help you find, deploy and expand quickly into new use cases. Even if you aren’t sure where to start, SSE can show you the different use cases that can benefit your environment, and start you on the right path.
Splunk for Security Use Cases
To get an overview of the available content, start browsing the different use cases. If you’re looking for a more targeted search, you can use the SSE’s “data introspection” feature to examine the data in your Splunk instance and correlate the content to your specific needs. You can also make your search even more specific with the MITRE ATT&CK recommendation matrix. The matrix allows you to quickly find SSE content that is mapped to various tactics and techniques, as well as filtering based on threat groups that have been observed using these different attacks.
Once you’ve found the content you need to help you meet the goals you’re trying to achieve, SSE can help track your progress and identify next steps. You can bookmark use-case content in SSE at various phases, which can be used to benchmark, track progress, identify additional data sources and plan further tuning necessary to become fully production-ready.
Start Your Security Journey
Don’t know where to start? SSE has you covered. Pick a security journey that meets the needs of your organization and your security team. For example, if you are just starting out with Splunk Enterprise for security, you might look at brute-force activity use cases first, and then move on to more advanced use cases, like monitoring for a new user connecting to a git server. SSE can help inform, expand and get you started with use cases to strengthen your overall security posture. Once you have a good set of detections and data sources, you can move to a more mature security operations model with SIEM (using Splunk Enterprise Security) and SOAR (using Splunk Phantom). Customers with a mature Security Operations Center (SOC) would benefit from a fully integrated security operations solution, like Splunk’s Security Operations Suite may be right for you.
Finally, Splunk Security Essentials has a full set of documentation to help you get started and add data sources to Splunk solutions. The document library available through SSE is designed to help you find content quickly. Practical examples within the documentation can help you best configure and forward data sources to Splunk solutions.
If you want to watch the Splunk Security Essentials in action, tune into our Between Two Alerts webinar episode, "Get Started with Splunk for Security."
This blog is part of Splunk's always-on digital series, "Between Two Alerts." Click here to see more from the series.