Best Practices for using Splunk Enterprise for compliance


I have listed these best practices below in table format, with more detail on the “why” than what is in the session slides. The focus is more on “I need to measure technical controls in Splunk” than on “I want to use Splunk for general threat detection/response”, even though the latter is typically a part of compliance.

Credit for the detail here goes to the technical Splunk ninjas I interviewed for this content: Mike Wilson (built the FISMA app), Anthony Perez (built the CIS App), David Hazekamp (father of Enterprise Security), and David Veuve (all-around ninja).
