Splunk® Enterprise Security

Use Cases

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Classify accounts based on privileged access

Ram first collects and extracts all assets and identity data to add it to Enterprise Security. Next, Ram formats the collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security. Finally, Ram uses the Assets and Identities framework in Splunk Enterprise Security to specify categories for all the accounts in his SOC, and label the privileged accounts.

For more information on how to format the asset and identity list, see Format an asset or identity list as a lookup

Specifying categories for all the accounts in his SOC allows Ram to use the default correlation searches in Splunk Enterprise Security to monitor those accounts more closely and get visibility into interesting account activity or unauthorized usage.

Last modified on 19 January, 2022
Use Dashboards to track user behavior   Use correlation searches to monitor accounts

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters