Monday Fun: Splunk Use Cases

As I talk to different Splunk users, watch twitter, read blog entries and have the great opportunity to speak and participate in Splunk events I always find it so interesting the various use cases people have for Splunk. True that most organizations have brought it in primarily for Security tasks but time and time again it’s so easy to find other great uses for it. Through these discussions I’ve been able to find many new uses for Splunk, ones which I had not initially thought of or was unsure of how to approach. From this I thought it would be great to have a central point of reference to break down these use cases into the reports/searches built for them so people could gain from others successes.

Yes, I know that Splunk has a great blog ( that you can gain insight off of but there is no one simple, single, page to reference. I wanted to use this blog post to list some of the, in most cases typically obvious, use cases for Splunk that I have observed or implemented and break down the type of reporting/searching capabilities that have been built for each. I hope this helps improve your own Splunk deployment and maybe add some new reporting that was not previously there.

Splunk Reports for Security Teams:

-> Individual counts of failed logins to services such as: LDAP, ssh, sftp/ftps, databases, custom applications, web based applications, edge authentication/access devices (VPN, RSA, SSO, etc..)

-> Account accesses split up by normal vs. admin accesses: failed logons, failed logins to suspended/locked out accounts, failed logins to non-existent accounts, accounts locked, account resets, password resets, monitoring of automated login processes and successful logins sorted by IP/device/etc.

-> Correlating the account access data can lead to reports such as: multiple failed logins across multiple devices indicative of brute force attacks or scanning, multiple failed logins on a device or devices followed by a successful login in a short time frame, successful logins followed by password change and detect logins to VPN while user badged into building (using badge access data).

-> IPS/IDS/HIDS: agent status, internal vs. external offenses, offenses by geographic area, event trends compared over time, top attacks/signatures, top severity (by host/subnet/category), top attack categories and top hosts.

-> Integrity checking: file system hash checks, file system change monitoring, registry monitoring, application additions/deletions and file additions/deletions.

-> Data Loss Prevention: email content/attachment monitoring, document access monitoring, file integrity checking (as mentioned above), external storage connections, flagging known web storage domains (dropbox, etc) and flagging large web requests to identify uploads/downloads.

…more to come