Identify advanced threats using the InfoSec app for Splunk
Use the Advanced Threat dashboards, combined with searches, to highlight security events of interest. The searches aim to identify out-of-character behavior within the event data. The indicators they return are anomalies; an anomaly does not by itself indicate a threat, so investigate a hit before you act on it.
To highlight security risks, use the following Advanced Threat dashboards in the InfoSec app for Splunk:
- Access Anomalies dashboard to identify security risks
- Network Anomalies dashboard to identify network anomalies
- Custom Use Cases dashboard to incorporate custom searches and dashboards
Identify security risks
Use the Access Anomalies dashboard to identify events that can potentially pose a security risk, such as:
- Spikes or out-of-character increases in access to hosts
- Brute force attacks by source or by user
- Accounts with a high ratio of login failures to successes
- Users performing privileged actions they have not performed before
- Geographically improbable access (logins from locations too far apart for the time between them)
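The following is an added example, not code from the InfoSec app for Splunk or from Splunk. It reproduces three of the questions listed above in plain Python over a constructed sample of authentication events, so the logic can be read and run offline: failed logins per source or per account (brute force), accounts whose failure share is high, and consecutive successful logins too far apart to be plausible travel. The tuple layout, the field names in the SPL comments (action, src, user), the coordinates standing in for a geo lookup, and every threshold are assumptions; tune them to your own data.

```python
"""Access-anomaly checks over a constructed sample of authentication events.

Added example, not code from the InfoSec app for Splunk. Field positions,
names and thresholds are assumptions chosen to resemble Authentication
data; adjust them for your environment.
"""
from collections import Counter, defaultdict
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (epoch seconds, user, src, action, lat, lon).
# The coordinates stand in for what a geo lookup would add to each event.
EVENTS = [
    (1000, "alice", "10.0.0.5", "success", 51.5, -0.1),
    (1060, "alice", "10.0.0.5", "success", 51.5, -0.1),
    # one source, 12 failures spread across three accounts, then one success
    *[(1100 + i, f"svc{i % 3}", "203.0.113.9", "failure", 40.7, -74.0) for i in range(12)],
    (1200, "svc1", "203.0.113.9", "success", 40.7, -74.0),
    # bob: 8 failures before a success from his usual workstation
    *[(2000 + i, "bob", "10.0.0.7", "failure", 51.5, -0.1) for i in range(8)],
    (2100, "bob", "10.0.0.7", "success", 51.5, -0.1),
    # carol: London, then Sydney 30 minutes later
    (3000, "carol", "10.0.0.8", "success", 51.5, -0.1),
    (4800, "carol", "198.51.100.4", "success", -33.9, 151.2),
]


def brute_force(events, by="src", threshold=10):
    """Sources (by="src") or accounts (by="user") with >= threshold failed logins.
    Rough SPL equivalent (assumed field names):
        action=failure | stats count BY src | where count >= 10
    """
    idx = {"user": 1, "src": 2}[by]
    counts = Counter(ev[idx] for ev in events if ev[3] == "failure")
    return {key: n for key, n in counts.items() if n >= threshold}


def high_failure_ratio(events, min_attempts=5, min_ratio=0.75):
    """Accounts whose share of failures is high; min_attempts stops one typo from firing."""
    attempts, failures = Counter(), Counter()
    for _, user, _, action, _, _ in events:
        attempts[user] += 1
        if action == "failure":
            failures[user] += 1
    return {u: failures[u] / n for u, n in attempts.items()
            if n >= min_attempts and failures[u] / n >= min_ratio}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=1000.0):
    """Consecutive successful logins by one user that would need faster travel than max_speed_kmh."""
    by_user = defaultdict(list)
    for ev in events:
        if ev[3] == "success":          # failures can come from anywhere; only successes matter here
            by_user[ev[1]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a[4], a[5], b[4], b[5])
            hours = (b[0] - a[0]) / 3600
            speed = float("inf") if hours == 0 else km / hours   # same-second logins far apart
            if km > 0 and speed > max_speed_kmh:
                flagged.append({"user": user, "from": a[2], "to": b[2],
                                "km": round(km), "kmh": round(speed)})
    return flagged


if __name__ == "__main__":
    print("brute force by src :", brute_force(EVENTS, by="src"))
    print("brute force by user:", brute_force(EVENTS, by="user", threshold=5))
    print("high failure ratio :", high_failure_ratio(EVENTS))
    print("impossible travel  :", impossible_travel(EVENTS))
```

On this sample the source 203.0.113.9 is flagged for brute force, bob and svc1 for their failure ratio, and carol for a London-to-Sydney hop in half an hour; alice, who logs in twice from the same place, is not. Note that the failure-ratio check and the per-user brute-force check answer different questions: an account sprayed from many sources shows up in the first, a single noisy source in the second.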
Identify network abnormalities
Use the Network Anomalies dashboard to identify the following abnormalities in your network:
- Spikes in access to destinations
- Suspected network scanning
- Bot and command-and-control (C2) network indicators
- SMB and DNS anomalies
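The following is an added example, not code from the InfoSec app for Splunk or from Splunk. It implements two of the checks listed above in plain Python over constructed firewall-style events: suspected scanning, as one source touching many distinct ports on a host or many hosts on one port, and a spike in access to a destination measured against that destination's own baseline. The tuple layout, the field names in the SPL comment (src, dest, dest_port) and all thresholds are assumptions.

```python
"""Network-anomaly checks over constructed firewall-style events.

Added example, not code from the InfoSec app for Splunk. Field positions,
names and thresholds are assumptions; adjust them for your environment.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: (epoch seconds, src, dest, dest_port).
NET_EVENTS = [
    # baseline: 5 connections per hour to the web server for 5 hours
    *[(h * 3600 + j * 60, "10.0.0.40", "10.0.0.30", 443) for h in range(5) for j in range(5)],
    # hour 5: 40 connections from a new client to the same server (spike)
    *[(5 * 3600 + j, "10.0.0.41", "10.0.0.30", 443) for j in range(40)],
    # 192.0.2.10 walks 25 ports on one host (port scan)
    *[(5000 + i, "192.0.2.10", "10.0.0.20", 1 + i) for i in range(25)],
    # 192.0.2.11 hits 12 hosts on 445 (SMB sweep)
    *[(6000 + i, "192.0.2.11", f"10.0.0.{100 + i}", 445) for i in range(12)],
]


def suspected_port_scan(events, min_ports=20):
    """(src, dest) pairs where src touched at least min_ports distinct ports.
    Rough SPL equivalent (assumed field names):
        | stats dc(dest_port) AS ports BY src dest | where ports >= 20
    """
    ports = defaultdict(set)
    for _, src, dest, port in events:
        ports[(src, dest)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def suspected_host_sweep(events, min_hosts=10):
    """(src, dest_port) pairs where src touched at least min_hosts distinct hosts on that port."""
    hosts = defaultdict(set)
    for _, src, dest, port in events:
        hosts[(src, port)].add(dest)
    return {pair: len(h) for pair, h in hosts.items() if len(h) >= min_hosts}


def destination_spikes(events, bucket=3600, z=3.0, min_buckets=4):
    """Buckets where a destination's count exceeds mean + z*stdev of its other buckets.

    The stdev is floored at 1 so a perfectly flat baseline does not flag every +1,
    and destinations with fewer than min_buckets of history are skipped entirely.
    """
    counts = defaultdict(Counter)
    for t, _, dest, _ in events:
        counts[dest][t // bucket] += 1
    spikes = []
    for dest, per_bucket in counts.items():
        if len(per_bucket) < min_buckets:
            continue
        for b, n in per_bucket.items():
            others = [v for k, v in per_bucket.items() if k != b]
            if n > mean(others) + z * max(pstdev(others), 1.0):
                spikes.append((dest, b, n))
    return spikes


if __name__ == "__main__":
    print("port scans :", suspected_port_scan(NET_EVENTS))
    print("host sweeps:", suspected_host_sweep(NET_EVENTS))
    print("spikes     :", destination_spikes(NET_EVENTS))
```

The spike check deliberately compares each hour with the destination's other hours rather than with a global average, because a busy web server and a quiet file share have very different normal rates; the scan checks use distinct counts rather than raw event counts so a chatty but legitimate client on one port is not mistaken for a scanner.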
Include custom searches and dashboards
Use the Custom Use Cases dashboard to incorporate your own searches and dashboards. You may also incorporate searches from the Splunk Security Essentials app into this dashboard.
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0