I am new to Splunk and am learning all about it, I was hoping you guys would be able to give me some examples of how I can use Splunk from a security prescriptive, I have already created searches for login failures but what else can Splunk do from a security point of view?
Thanks,
Too numerous to cover them all, but the things I have seen are:
1) Using "transactions" to find abnormal behavior over a period of time (check out search reference guide to see what I mean).
2) Finding correlations across multiple log files (my syslog says this, my checkpoint FW said that, and I got my IDS telling me this....so this is what is going on).
3) Creating alerts and notifications that send emails or even log messages to your NOC.
The key is to pump data into Splunk and let it "learn" what you put in there. It will tell you things you never knew.