GSS Activity - 2


School of Computer Science and Information Technology

Program: BCA
2024-2025
SEMESTER: 04
SECTION: GSS
COURSE NAME: SOFTWARE ENGINEERING
Activity #2
SRS and Use Case Model Document
of
Splunk as a Security Information and Event Management
(SIEM) Solution

USN(s) and Group Members Name(s): 21BCAR0142 – SHREYAS L
Date of Submission: 09-11-2024

Name of Faculty In-Charge : Dr. Deepak Mehta


EVALUATION CRITERIA
Report Submission (15) | Oral Presentation (05) | Viva (5) | Total (25) | Convert 25 into 15 marks

DECLARATION

We declare that Activity-1 has been carried out by us following all ethical practices of Jain
(Deemed-to-be-University) for the partial fulfillment of the Software Engineering Course of
BCA in the year 2024-2025 (3rd Semester).

SHREYAS L
21BCAR0142

2 | Page
INDEX

SRS and Use Case Model Document
of
(Type your SOFTWARE SYSTEM TITLE here)

Sl. No. | Table of Content                                           | Page No.
1       | Abstract                                                   | 5
2       | Description of the proposed system                         |
        | - Introduction                                             | 5
        | - Problem statement                                        | 5
        | - Objective                                                | 6
        | - Scope                                                    | 6
        | - Definitions, acronyms, and abbreviations                 | 6
        | - Limitations of Existing System                           | 6
        | - Advantages of Proposed System                            | 6
3       | Requirements Specification                                 |
        | - Functional Requirements                                  | 7
        | - Non-Functional Requirements                              | 7
4       | USE Case Model                                             |
        | - USE case Diagram for all required Use Cases              | 8
        | - Use Case specification of any five use cases, preferably | 8
        |   important ones.                                          |
5       | References                                                 | 9

Rubrics for Evaluation
Activity 1: SRS and Use Case Model Document (25 marks)

Criteria: Report Submission (Weightage: 15)
- Poor / Below Expectation (8 marks): Poor selection of topic, No Clarity in Specification and Modelling & plagiarism
- Fair / Needs Improvement (10-11 marks): Moderate: Selected a topic through improper knowledge, No Clarity in Specification and Modelling & No plagiarism
- Good / Meets Expectation (12-13 marks): Good Report: Selected a topic with partial knowledge and did considerable Specification and Modelling with standard references and No plagiarism
- Excellent / Exceeds Expectation (14-15 marks): Very Good Report: Selected a latest topic with Extensive literature survey, much Specification and Modelling with standard references and No plagiarism

Criteria: Oral Presentation (Weightage: 5)
- Poor / Below Expectation (2 marks): Poor language, voice, & Content
- Fair / Needs Improvement (3 marks): Moderate language, voice, & Content
- Good / Meets Expectation (4 marks): Good language, voice, & Content
- Excellent / Exceeds Expectation (5 marks): Very Good language, voice, & Content

Criteria: Question-Answer (Weightage: 5)
- Poor / Below Expectation (2 marks): Answers less than 3 questions correctly
- Fair / Needs Improvement (3 marks): Answers 3 questions correctly
- Good / Meets Expectation (4 marks): Answers 4 questions correctly
- Excellent / Exceeds Expectation (5 marks): Answers all 5 questions correctly

Abstract
Provide an overview of the purpose, scope, and significance of implementing
Splunk in a Security Operations Center. Describe how Splunk addresses SOC
challenges, its role in centralizing log management, and its impact on threat
detection and incident response. This section should summarize the benefits and
innovations introduced by Splunk. Splunk provides the industry-leading software
to consolidate and index any log and machine data, including structured,
unstructured and complex multi-line application logs. It can collect, store, index,
search, correlate, visualize, analyse and report on any machine-generated data to
identify and resolve operational and security issues in a faster, repeatable and more
affordable way. It is an enterprise-ready, fully integrated solution for log management:
data collection, storage and visualization. Ad hoc queries and reporting across
historical data can also be accomplished without third-party reporting software.
Splunk software supports log data enrichment by providing flexible access to
relational databases, field delimited data in comma-separated value files or to other
enterprise data stores such as Hadoop. Splunk software supports a wide range of
log management use cases including log consolidation and retention, security, IT
operations troubleshooting, application troubleshooting and compliance reporting.

Description of the Proposed System


Introduction
Detail what Splunk is, its primary functions, and its use in the cybersecurity
industry. Explain the necessity for SIEM solutions in SOCs, and introduce
Splunk as a leading tool for log analysis, threat intelligence, and incident
management.
Problem Statement
Elaborate on the limitations SOCs face, like handling large volumes of log data
from diverse sources, the difficulty in achieving real-time threat visibility, and
the complexity of coordinating incident response. Describe how without
centralized logging and alerting, SOCs can suffer from inefficiency and missed
threats.
Objective
Define the primary objective of this proposal, which is to implement Splunk to
create a more effective SOC. Key objectives might include improving incident
response times, increasing threat detection capabilities, enhancing compliance,
and streamlining workflows in threat management.
Scope
Describe the scope of the Splunk implementation, emphasizing log aggregation,
threat detection, real-time monitoring, and incident response capabilities.
Specify its applicability in hybrid and multi-cloud environments and integration
potential with existing incident management systems.
Definitions, Acronyms, and Abbreviations
- SIEM: Security Information and Event Management
- SOC: Security Operations Center
- HTTP: Hypertext Transfer Protocol
- LF: Line Feed (used in HTTP protocol anomalies)
- CR: Carriage Return (relevant to HTTP issues flagged in alerts)
Limitations of Existing System
Discuss the drawbacks of traditional log management and security monitoring
systems, such as:
- Limited real-time monitoring and alerting capabilities.
- Lack of centralized data aggregation.
- Inability to effectively scale with expanding data volumes.
- Limited cloud security support.
Advantages of Proposed System
The key benefits of using Splunk:
- Enhanced Threat Detection: Real-time data analysis and custom alert rules.
- Unified Data Management: Centralized storage and indexing of log data for seamless analysis.
- Efficient Incident Response: Integration with tools like Jira for end-to-end incident tracking.
- Scalability: Capable of handling large-scale log data from diverse sources.
- Cloud Security: Compatibility with cloud platforms (AWS, Azure, GCP).

Requirements Specification
Functional Requirements
Provide details on essential functions for the system’s operation:
1. Data Ingestion: Ability to capture logs from network devices, cloud
services, and on-premises systems.
2. Real-Time Alerting: Set up rules to trigger alerts based on suspicious
activity.
3. Dashboard Creation: Build custom dashboards for visualizing metrics
and key performance indicators.
4. Incident Tracking: Track incidents from detection to closure, with
options for assigning and updating status.
5. User Management: Role-based access control to maintain data integrity
and security.
Non-Functional Requirements
Define performance and quality requirements that Splunk must fulfill:
1. Scalability: Ensure the system can scale to meet increasing data volumes.
2. Reliability: High availability to minimize downtime.
3. Security: Encryption of log data and secure user authentication.
4. Usability: User-friendly interface, minimizing training needs for SOC
analysts.

Use Case Model


Use Case Diagram for All Required Use Cases

Present a Use Case Diagram that outlines actors and primary use cases. Use
cases should include:
- Ingest Logs
- Search Logs
- Generate Alerts
- Manage Incidents
- Create Reports
Use Case Specifications for Five Primary Use Cases
Expand on each use case with detailed specifications:
1. Ingest Logs
   - Actor: System Administrator
   - Description: Collects and stores log data from various sources.
   - Preconditions: Data sources configured and accessible.
   - Postconditions: Logs are indexed and searchable.
2. Search Logs
   - Actor: SOC Analyst
   - Description: Runs queries to find specific events in the logs.
   - Preconditions: Logs ingested and indexed.
   - Postconditions: Relevant logs retrieved and displayed.
3. Generate Alerts
   - Actor: SOC Analyst
   - Description: Sets up alerting rules for real-time threat detection.
   - Preconditions: Detection rules defined.
   - Postconditions: Alerts generated and notifications sent.
4. Manage Incidents
   - Actor: SOC Manager
   - Description: Manages the incident lifecycle, tracking status and response efforts.
   - Preconditions: Incident detected.
   - Postconditions: Incident status updated and resolved as appropriate.
5. Create Reports
   - Actor: SOC Manager
   - Description: Generates reports for audit, performance tracking, or compliance.
   - Preconditions: Incident and log data available.
   - Postconditions: Report generated and shared with stakeholders.
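The "Real-Time Alerting" requirement and the "Generate Alerts" use case above describe a flow of ingest, parse, evaluate detection rules, emit alerts, notify. The following added example (written for this document, not Splunk code or any project's code) walks that flow in Python over constructed web-server log lines, using the glossary's CR/LF HTTP anomaly as the detection rule; the URL-encoded forms %0d/%0a, the log format and the sample addresses are assumptions. In Splunk this rule would be a scheduled saved search with an alert action; the script only mirrors the logic.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [09/Nov/2024:10:01:02 +0530] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Nov/2024:10:01:03 +0530] "GET /login?next=/home%0d%0aSet-Cookie:x=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [09/Nov/2024:10:01:04 +0530] "GET /search?q=a%0ab HTTP/1.1" 200 231',
    '10.0.0.7 - - [09/Nov/2024:10:01:05 +0530] "POST /api/items HTTP/1.1" 201 88',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \d+$'
)
# Raw or URL-encoded CR/LF inside a request URI: the HTTP protocol anomaly the glossary refers to.
CRLF_RE = re.compile(r'%0[dD]|%0[aA]|\r|\n')


@dataclass
class Alert:
    rule: str
    src: str
    uri: str
    severity: str


def parse(line):
    """Ingest step: turn one raw log line into a field dictionary (None if unparseable)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rule_http_crlf(event):
    """Detection rule: flag any request URI containing CR/LF characters."""
    if CRLF_RE.search(event["uri"]):
        return Alert("http_crlf_in_request", event["src"], event["uri"], "high")
    return None


def generate_alerts(lines, rules=(rule_http_crlf,)):
    """Evaluate every defined rule against every parsed event and collect the alerts."""
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # in a real pipeline, unparseable lines go to a dead-letter index
        alerts.extend(a for a in (rule(event) for rule in rules) if a)
    return alerts


def count_by_source(alerts):
    """Summarise alerts per source address, the figure an analyst would threshold on."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


def notify(alerts):
    """Notification step stand-in: return the messages that would be sent (e-mail, ticket)."""
    return [f"[{a.severity}] {a.rule}: src={a.src} uri={a.uri}" for a in alerts]
```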

References
List credible sources and documentation for Splunk, SIEM practices, SOC
requirements, and any additional cybersecurity standards relevant to SIEM
implementation. Possible references could include:
1. Official Splunk Documentation.
2. Research articles on SIEM and SOC best practices.
3. Books and publications focused on cybersecurity operations and threat
management.
4. Whitepapers on modern SIEM tools and cloud security solutions.
