What's the Use (Cases) for Splunk?

Author: Nik Wadge
Release Date: 03/10/2025

When the marketing department asked me to write a blog, I was like, "Sure, what on? I have a lot of knowledge, some of it relevant and interesting, some not so." "How about the top ten Use Cases based on your experience?"

My immediate response was no. I'm not really a sales guy or fleet manager, I'm more the mechanic, and in fairness most of my recent engagements haven't really had a well-defined set of Use Cases, more a general "I wanna know if someone is doing something bad", "When do I need to increase my VM resources?" or even "I want to know if my app is working" kind of desire. And that got me thinking: realistically, who has got a good set of Use Cases?

We see a lot of organisations with a general idea of what they want Splunk to do (monitor security, provide infrastructure or development teams with useful info, ensure compliance, etc.), but when we dig further into this with the client there comes a point where they don't know, or haven't been told, what they are actually looking for, or should be looking for, and therefore where to look for it. This isn't a fault with the client, their organisation, Splunk or the delivery of it; it is a general situation that a lot of organisations find themselves in.

Where's a Good Place to Start?

A good Use Case is a clearly defined and detectable set of events or metrics that could lead to a specific outcome that you, as an organisation, can counter, remediate or prevent.

For instance, security-wise, geographically improbable log-ons (or "superman logins") and incorrect password attempts, although Use Cases in themselves, are not necessarily useful, and in today's world of VPNs, remote working and cloud infrastructure can easily be false positives. Someone entering an incorrect password multiple times could be bad coding (although, if the password is hard-coded, that is certainly a security concern, if not necessarily a threat).

Or, for Infrastructure, if the CPU usage for your sales transaction system is hitting 90% and higher, is this actually an issue? Compute is not cheap, so getting a lot of usage from your processing power is desirable.

However, if you combine superman logins and/or repeated bad password attempts with other factors, such as the source of the superman login also probing web servers with unusual port requests, or the account with the incorrect password sending a much higher volume of email, then you have a good indication of an external attack or a compromised account. Likewise, if your CPU usage stays high, along with storage and memory, repeatedly and consistently, then it certainly warrants investigation: possibly more resources for Infrastructure, or a deep dive into the code being run for the Development teams.
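To make the security half of that concrete, here is an added example (my own illustration, not code from the original post or from Splunk) that flags a superman login only when the same source IP is also hitting unusual ports. The login and web-request records, the coordinates, the 1000 km/h "plausible travel" threshold and the "three or more unusual ports" threshold are all constructed for the example; in a real deployment the location would come from an IP geolocation lookup and the thresholds from your own baselines.

```python
"""Correlate 'superman logins' with port probing from the same source.

Added example for illustration; all records and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    src_ip: str
    when: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class WebRequest:
    src_ip: str
    when: datetime
    dst_port: int


# Constructed sample data. Alice logs in from London, then 40 minutes later from
# Sydney; Carol logs in from Paris and then Berlin 10 minutes apart (a typical
# VPN exit change); Bob stays in New York.
T0 = datetime(2025, 10, 3, 9, 0, 0)
LOGINS = [
    Login("alice", "203.0.113.10", T0, 51.5074, -0.1278),
    Login("alice", "198.51.100.7", T0 + timedelta(minutes=40), -33.8688, 151.2093),
    Login("bob", "192.0.2.5", T0, 40.7128, -74.0060),
    Login("bob", "192.0.2.5", T0 + timedelta(hours=2), 40.7128, -74.0060),
    Login("carol", "203.0.113.44", T0, 48.8566, 2.3522),
    Login("carol", "203.0.113.45", T0 + timedelta(minutes=10), 52.5200, 13.4050),
]
WEB_REQUESTS = [
    WebRequest("198.51.100.7", T0 + timedelta(minutes=42), 22),
    WebRequest("198.51.100.7", T0 + timedelta(minutes=42), 3306),
    WebRequest("198.51.100.7", T0 + timedelta(minutes=43), 8443),
    WebRequest("192.0.2.5", T0 + timedelta(minutes=5), 443),
    WebRequest("203.0.113.45", T0 + timedelta(minutes=12), 443),
]

COMMON_PORTS = {80, 443}        # ports you expect the public to hit
MAX_PLAUSIBLE_KMH = 1000.0      # faster than this between two logins is "improbable"
MIN_UNUSUAL_PORTS = 3           # distinct unusual ports before we call it probing


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(h))


def superman_logins(logins):
    """Return (earlier, later, implied_speed_kmh) for each consecutive login pair
    of one user that would require implausibly fast travel."""
    by_user = {}
    for entry in sorted(logins, key=lambda x: x.when):
        by_user.setdefault(entry.user, []).append(entry)
    hits = []
    for seq in by_user.values():
        for a, b in zip(seq, seq[1:]):
            hours = (b.when - a.when).total_seconds() / 3600.0
            if hours <= 0:
                continue
            speed = haversine_km(a.lat, a.lon, b.lat, b.lon) / hours
            if speed > MAX_PLAUSIBLE_KMH:
                hits.append((a, b, speed))
    return hits


def unusual_ports_by_ip(requests):
    """Map each source IP to the set of non-standard destination ports it touched."""
    ports = {}
    for r in requests:
        if r.dst_port not in COMMON_PORTS:
            ports.setdefault(r.src_ip, set()).add(r.dst_port)
    return ports


def correlated_alerts(logins, requests):
    """Only raise when the improbable login's source is also probing unusual ports.
    A superman login with no second signal (Carol's VPN hop) is left alone."""
    probing = unusual_ports_by_ip(requests)
    alerts = []
    for a, b, speed in superman_logins(logins):
        hit_ports = sorted(probing.get(b.src_ip, set()))
        if len(hit_ports) >= MIN_UNUSUAL_PORTS:
            alerts.append({"user": b.user, "src_ip": b.src_ip, "speed_kmh": round(speed),
                           "unusual_ports": hit_ports, "first_seen": a.when, "then": b.when})
    return alerts


if __name__ == "__main__":
    for alert in correlated_alerts(LOGINS, WEB_REQUESTS):
        print(alert)
```

Run as-is it reports only Alice: both Alice and Carol trip the travel-speed check, but only the Sydney source IP is also walking through SSH, MySQL and an alternate HTTPS port, so Carol's VPN hop never becomes an alert. That second signal is what turns a noisy indicator into something an analyst can act on.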

All Use Cases ideally need to be either actionable or auditable; otherwise you just have a system that is telling you there's an issue you can do nothing about, like a dog that barks when it rains.
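The infrastructure half of the same idea, as an added example (mine, not from the original post): instead of alerting on a single CPU reading over 90%, it only flags a host when CPU, memory and storage all stay over threshold for several consecutive samples, and it attaches the action the post suggests for each outcome. The per-minute samples, the 90/85/85 thresholds and the "five consecutive samples" requirement are constructed for the example; replace them with your own baselines.

```python
"""Sustained, multi-metric resource pressure versus a one-off CPU spike.

Added example for illustration; the samples and thresholds are constructed.
"""

# Constructed samples, one per minute, as (cpu%, mem%, disk%).
HOST_SAMPLES = {
    # all three metrics high for the whole window
    "sales-app-01": [(95, 91, 88), (97, 92, 88), (96, 93, 89), (98, 94, 89), (97, 94, 90), (99, 95, 90)],
    # a single CPU spike, everything else quiet
    "sales-app-02": [(40, 60, 70), (95, 61, 70), (42, 60, 70), (38, 60, 70), (41, 61, 70), (39, 60, 70)],
    # CPU pinned, but memory and disk comfortable: busy, not starved
    "sales-app-03": [(96, 55, 70), (97, 56, 70), (95, 55, 70), (98, 55, 70), (96, 56, 70), (97, 55, 70)],
    "sales-app-04": [(30, 50, 60), (35, 50, 60), (32, 51, 60), (31, 50, 60), (33, 50, 60), (30, 50, 60)],
}
THRESHOLDS = {"cpu": 90, "mem": 85, "disk": 85}
MIN_CONSECUTIVE = 5

# What the post suggests doing in each case, attached to the verdict so the alert is actionable.
ACTIONS = {
    "sustained_pressure": "investigate; likely more resources, or a code deep dive with Development",
    "sustained_cpu_only": "review with Development; compute is being used, not necessarily starved",
    "transient_spike": "no action; record for baseline",
    "normal": "no action",
}


def over(sample, thresholds, metrics):
    """True when every named metric in the sample is at or above its threshold."""
    cpu, mem, disk = sample
    values = {"cpu": cpu, "mem": mem, "disk": disk}
    return all(values[m] >= thresholds[m] for m in metrics)


def longest_run(samples, thresholds, metrics):
    """Longest run of consecutive samples where all the named metrics are over threshold."""
    best = cur = 0
    for sample in samples:
        cur = cur + 1 if over(sample, thresholds, metrics) else 0
        best = max(best, cur)
    return best


def classify(samples, thresholds=THRESHOLDS, min_consecutive=MIN_CONSECUTIVE):
    """Turn a window of samples into one of four verdicts."""
    if longest_run(samples, thresholds, ("cpu", "mem", "disk")) >= min_consecutive:
        return "sustained_pressure"
    if longest_run(samples, thresholds, ("cpu",)) >= min_consecutive:
        return "sustained_cpu_only"
    if any(over(s, thresholds, ("cpu",)) for s in samples):
        return "transient_spike"
    return "normal"


def triage(host_samples, thresholds=THRESHOLDS, min_consecutive=MIN_CONSECUTIVE):
    """Verdict and recommended action per host; only the first verdict is worth an alert."""
    result = {}
    for host, samples in host_samples.items():
        verdict = classify(samples, thresholds, min_consecutive)
        result[host] = {"verdict": verdict, "action": ACTIONS[verdict]}
    return result


if __name__ == "__main__":
    for host, outcome in triage(HOST_SAMPLES).items():
        print(host, outcome)
```

Only sales-app-01 ends up as "sustained_pressure"; the spike on sales-app-02 and the pinned-but-healthy sales-app-03 are classified separately, each with a different recommended action, so whoever receives the alert knows both what was seen and what to do about it.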

Thanks, I know it's raining, but there's little I can do about it (unless you have the washing on the line, then it's a great indicator. See? Actionable).

“Great!” I hear you shout, “but what Use Cases can I use?”

What Use Cases Are Right For You?

Well, this bit is up to you. It depends on, as mentioned, what you can do to remediate or prevent the actions detected. It also depends on what data you index. The more data you have, the more accurate and contextual your results can be.

You can’t detect superman logins if you don’t have the audit logs or the source IP and location that login attempts came from. Likewise, you can’t measure CPU spikes without baselines or even just CPU usage without the metrics.

So, to start with, ask yourself why you are using Splunk or a SIEM in the first place. What questions did you have that needed answering? If you can’t clearly answer that, then what is your biggest time-killer or unknown at the moment? What gives you the (and I hate this term) “biggest win”?

Then look to see if there's already a Use Case defined for that. At the end of this blog will be some links to useful sites for finding or defining Use Cases for your own use.

Put together a list of just 5 Use Cases. Where relevant, use frameworks such as MITRE ATT&CK, NIST, CIS, GDPR, ISO 27001, SOC 2 or PCI DSS to outline each Use Case, prioritise them, and then check whether you have the data to qualify them. If you haven't got the data, can you get it? If not, park that Use Case until you can.

Once you have a good Use Case, test it. Check the rationale, check the limitations and update as necessary. Then move on to the next one, documenting it all as you go. Eventually you will have a set of clearly defined Use Cases: where they sit within your organisation, what they are looking for and where, processes for testing, updating and tuning, and a set of actionable, accurate and relevant alerts that keeps all the teams involved happier and more engaged.

And remember, Use Cases are not “for life”. Given the speed of change and adoption of new features within our sector, set yourself achievable timeframes to review Use Cases for validity, accuracy and necessity, and build processes around this to update, remove and create Use Cases as required.

Useful Links:

Splunk has a really good technology- and industry-focused Use Case library that can be found here:
https://lantern.splunk.com/Splunk_Platform/UCE

Guidance can be found in many places, but the getting started articles can also be a great help:
https://lantern.splunk.com/Splunk_Platform/Getting_Started/Implementing_use_cases_in_Cloud_Platform

There are also a lot of Apps and Add-Ons with pre-built detection searches that can lead to good Use Case implementation.
For security, Splunk's Security Essentials is one of note:
https://docs.splunk.com/Documentation/SSE

Splunkbase is the place to look for the above app, or for technology-specific add-ons that can be useful for both ingesting and displaying data:
https://splunkbase.splunk.com
