Splunk® Enterprise Security

Use Cases

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Isolate User Behaviors That Pose Threats

Buttercup Games, a fictitious company, runs an e-commerce site to sell its products. As a best practice, Ram, a security analyst at Buttercup Games, tracks user behavior and maintains the security hygiene of his security operations center (SOC) by monitoring which accounts are created, the purpose for which they are created, and their expected usage. However, the size of his SOC makes it impossible to maintain complete records of when an account is created, when an account becomes dormant, whether an account is shared between individuals, or whether an account is a service account. So Ram uses Splunk Enterprise Security to make the task of tracking account activity easier and to monitor user behaviors. User behaviors that represent security threats in this particular SOC include compromised user credentials, insider threats, and misuse by privileged users. Compromised user credentials represent the biggest threat to the assets and identities in Ram's SOC. Ram knows that user credentials can be compromised for any of the following reasons:

  • When phishing emails purporting to come from reputable companies are sent to user accounts to induce individuals to reveal personal information, such as passwords and credit card numbers.
  • When passwords are shared across multiple user accounts.
  • When passwords are inadvertently exposed through insecure password sharing, and so on.

Ram also wants to identify all high-priority accounts. High-priority accounts are accounts that typically have administrative privileges and executive-level authority, and that can access sensitive or confidential assets. By identifying high-priority accounts, Ram can prevent unauthorized users from misusing them. Ram also knows that a valid credential might be used by an insider in an unauthorized manner. This use case describes how Ram uses the various dashboards, correlation searches, risk factors, and other analytics provided by Splunk Enterprise Security to monitor user behaviors that pose a security threat to the SOC of Buttercup Games, using the following steps:

  1. Use dashboards to track user behavior
  2. Classify accounts based on privileged access
  3. Use correlation searches to monitor accounts
  4. Increase risk factors to identify unauthorized usage
Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

