Splunk® InfoSec App

User Guide

Identify advanced threats using the InfoSec app for Splunk

Use the Advanced Threat dashboards combined with searches to highlight security events of interest. The searches aim to identify out-of-character behavior in the event data. Indicators returned by the searches can be considered anomalies, but an anomaly does not necessarily indicate a threat.

To highlight security risks, use the following Advanced Threat dashboards in the InfoSec app for Splunk:

Identify security risks

Use the Access Anomalies dashboard to identify events that can potentially pose a security risk as follows:

  • Spikes or out-of-character increases in access to hosts
  • Brute force attacks by source or user
  • Accounts that have a high percentage of login failures versus success
  • Users performing new privileged actions
  • Geographically improbable access
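The following is an added example, not code from the Splunk InfoSec app, showing how three of the checks listed above (brute force by source, high failure ratio per user, and new privileged actions per user) can be expressed as detection logic over a constructed set of authentication events. The field names (ts, user, src, action, period, cmd), the thresholds and the window size are assumptions chosen for the illustration; the app's own searches and data model may differ.

```python
"""Added example, not part of the Splunk InfoSec app: three Access Anomalies
style checks implemented over constructed event lists."""
from collections import defaultdict, deque

# Constructed authentication events. Field names (ts, user, src, action)
# are assumptions for this example, not the app's data model.
AUTH_EVENTS = (
    [{"ts": t, "user": "alice", "src": "10.0.0.5", "action": a}
     for t, a in ((0, "success"), (100, "failure"), (200, "success"), (300, "success"))]
    + [{"ts": t, "user": "bob", "src": "10.0.0.9", "action": "failure"}
       for t in (10, 15, 20, 25, 30)]
    + [{"ts": 35, "user": "bob", "src": "10.0.0.9", "action": "success"}]
    # carol fails six times, but 100 seconds apart: a ratio problem, not a burst
    + [{"ts": t, "user": "carol", "src": "203.0.113.7", "action": "failure"}
       for t in range(1000, 1600, 100)]
    + [{"ts": 50, "user": "dave", "src": "10.0.0.12", "action": "success"}]
)

# Constructed privileged-action records split into a baseline period and the
# current period being reviewed.
PRIV_RECORDS = [
    {"period": "baseline", "user": "alice", "cmd": "sudo"},
    {"period": "baseline", "user": "alice", "cmd": "useradd"},
    {"period": "baseline", "user": "bob", "cmd": "sudo"},
    {"period": "current", "user": "alice", "cmd": "sudo"},
    {"period": "current", "user": "bob", "cmd": "useradd"},
    {"period": "current", "user": "bob", "cmd": "setcap"},
    {"period": "current", "user": "erin", "cmd": "sudo"},
]


def brute_force_by_source(events, window=60, threshold=5):
    """Return {src: peak_failures} for sources that produced at least
    `threshold` login failures inside any sliding window of `window` seconds.
    Thresholds are assumed values for the example."""
    recent = defaultdict(deque)  # src -> timestamps of failures in the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "failure":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


def failure_ratio_by_user(events, min_attempts=5, ratio=0.5):
    """Return {user: failure_ratio} for accounts with at least `min_attempts`
    login attempts whose share of failures is at or above `ratio`.
    The minimum attempt count keeps one-off typos from being flagged."""
    counts = defaultdict(lambda: {"failure": 0, "success": 0})
    for ev in events:
        counts[ev["user"]][ev["action"]] += 1
    result = {}
    for user, c in counts.items():
        total = c["failure"] + c["success"]
        if total >= min_attempts and c["failure"] / total >= ratio:
            result[user] = round(c["failure"] / total, 3)
    return result


def new_privileged_actions(records):
    """Return {user: sorted commands} for privileged commands seen in the
    current period that never appeared in that user's baseline. A user with
    no baseline at all is reported in full, since every action is new."""
    baseline = defaultdict(set)
    current = defaultdict(set)
    for r in records:
        target = baseline if r["period"] == "baseline" else current
        target[r["user"]].add(r["cmd"])
    return {u: sorted(c - baseline[u]) for u, c in current.items() if c - baseline[u]}


if __name__ == "__main__":
    print("brute force by source:", brute_force_by_source(AUTH_EVENTS))
    print("high failure ratio:", failure_ratio_by_user(AUTH_EVENTS))
    print("new privileged actions:", new_privileged_actions(PRIV_RECORDS))
```

Note how the two login checks complement each other: bob's burst of five failures in 20 seconds is caught by the sliding window, while carol's slow run of failures spaced 100 seconds apart never fills a 60-second window and is only surfaced by the failure ratio. Widening the window (for example to 600 seconds) makes the brute-force check catch carol as well, which is why the window and threshold should be tuned to the authentication source being monitored.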

Identify network abnormalities

Use the Network Anomalies dashboard to identify the following abnormalities in your network:

  • Spikes in access to destinations
  • Suspected network scanning
  • BOT/C2 network indicators
  • SMB and DNS anomalies
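As an added example that is not part of the Splunk InfoSec app, the block below implements detection logic for two of the network abnormalities listed above over a constructed set of connection records: suspected scanning (one source touching many ports on a host, or one port across many hosts) and a simple BOT/C2 beaconing indicator (a source connecting to the same destination at near-constant intervals). The record fields (ts, src, dst, dport), the thresholds and the coefficient-of-variation cut-off are assumptions made for the illustration.

```python
"""Added example, not part of the Splunk InfoSec app: scanning and beaconing
indicators computed over constructed connection records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records; field names are assumptions for this example.
CONNS = (
    # one source probing ten different ports on a single host (port scan)
    [{"ts": i, "src": "198.51.100.4", "dst": "10.0.0.20", "dport": p}
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    # one source hitting port 445 on eight different hosts (sweep)
    + [{"ts": 100 + i, "src": "198.51.100.9", "dst": f"10.0.0.{i}", "dport": 445}
       for i in range(1, 9)]
    # an internal host calling out every 300 seconds, exactly (beacon)
    + [{"ts": 300 * k, "src": "10.0.0.7", "dst": "203.0.113.50", "dport": 443}
       for k in range(7)]
    # ordinary irregular traffic from a workstation
    + [{"ts": t, "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443}
       for t in (5, 47, 130, 400, 410, 905)]
    + [{"ts": 50, "src": "10.0.0.5", "dst": "10.0.0.21", "dport": 22}]
)


def port_scan_suspects(conns, min_ports=8):
    """Return {(src, dst): distinct_ports} for source/destination pairs where
    the source touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["src"], c["dst"])].add(c["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def sweep_suspects(conns, min_hosts=6):
    """Return {(src, dport): distinct_hosts} for sources that contacted at
    least `min_hosts` distinct destinations on the same port."""
    hosts = defaultdict(set)
    for c in conns:
        hosts[(c["src"], c["dport"])].add(c["dst"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}


def beacon_suspects(conns, min_conns=5, max_cv=0.1):
    """Return {(src, dst, dport): mean_interval_seconds} for flows with at
    least `min_conns` connections whose inter-arrival times are nearly
    constant (coefficient of variation <= max_cv). Regular timing is a
    common beaconing trait; legitimate pollers can match too, so this is an
    indicator to review, not a verdict."""
    times = defaultdict(list)
    for c in conns:
        times[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections at the same instant; not a beacon
            continue
        if pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    print("port scans:", port_scan_suspects(CONNS))
    print("sweeps:", sweep_suspects(CONNS))
    print("beacons:", beacon_suspects(CONNS))
```

The workstation's six connections to 10.0.0.20:443 are enough to be evaluated by the beacon check, but their gaps (42, 83, 270, 10 and 495 seconds) vary far too much to pass the cut-off, while the 300-second flow stands out with zero variance. In practice these indicators should be reviewed alongside asset context, since update clients and monitoring agents also poll on fixed schedules.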

Include custom searches and dashboards

Use the Custom Use Cases dashboard to incorporate your own searches and dashboards. You may also incorporate searches from the Splunk Security Essentials app into this dashboard.

Last modified on 25 February, 2021

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0
