Security and Fraud Use Cases
Detect and Investigate Malware
Describes the Splunk Enterprise Security workflows and tasks to detect infected hosts and determine the spread of malware. This use case also explains how to initiate potential remedial activities using domain-specific dashboards, correlation searches and reports.
Detect and Stop Data Exfiltration
Describes how Splunk Enterprise Security and the Splunk App for Stream can be used to isolate events that require attention, and how the Splunk App for Stream can be used to monitor transactions in order to identify data exfiltration.
Privileged User Monitoring
Describes how to monitor privileged user activity using Splunk Enterprise Security. Privileged accounts are often used in advanced attacks or insider-threat attacks because these accounts have higher privilege levels, giving the attacker access to high-value assets and data.
Using DNS Data to Identify Patient Zero Malware
Describes how to use DNS data, Splunk Cloud, Splunk Enterprise Security and the Splunk App for Stream to identify command-and-control communications. This use case outlines the workflow to identify infected hosts, determine which hosts have command-and-control activity, and help identify patient zero of a malware outbreak.
Detect Zero-Day Attacks
Describes how the Splunk Enterprise Security Risk Analysis Framework, Incident Review and Security Domain dashboards are used to detect attacks. It also explains how the Splunk App for Stream helps identify data exfiltration to detect zero-day attacks.
Fraud: Detect Account Takeovers
Describes how to use Splunk Enterprise to detect fraudsters performing online account takeovers with the intent of then misusing these accounts for financial gain. Includes a Splunk search that can be used, as well as possible investigation and remediation actions that can be initiated in Splunk.
Compliance: Detect When a Critical System Stops Sending Logs to Splunk
Describes how to use Splunk Enterprise to detect when critical systems stop sending logs to Splunk, as this often is a violation of regulatory compliance requirements. Includes a Splunk lookup file and search that can be used, as well as possible investigation and remediation actions that can be initiated in Splunk.