Glossary
Splunk Enterprise Security 8.0 term | Definition | Prior usage or related terms
---|---|---
Analyst queue | A list of findings and investigations that analysts can triage. Intermediate findings are not displayed in the analyst queue. |
Detection | A scheduled correlation search that runs analytics on Splunk events, third-party alerts, or findings and generates findings, intermediate findings, or finding groups. |
Detection editor | An editor to configure event-based and finding-based detections. Using the detection editor, you can also configure the time range over which the detection searches run, configure adaptive response actions, and so on. | Correlation search editor in Splunk Enterprise Security.
Entity | Asset, identity, user, or device in your network that generates machine data. Entities are the subject of suspicious, anomalous, or malicious activity and help to identify potential security threats. Entities are normalized in lookups against known assets and identities using the Assets and Identities framework in Splunk Enterprise Security. Entities also carry weighted risk scores that are updated automatically in real time. |
Event-based detection | A type of detection that reviews raw events ingested into the Splunk platform and creates findings, which might or might not indicate a potential security threat. Event-based detections generate findings or intermediate findings depending on how the user configures the detection. | NA
Finding | One or more anomalous incidents or alerts generated by event-based detections. Findings contain custom metadata fields that have details about what was calculated or observed by the detection, such as a timestamp, key-value pairs, entity information, summary information about the behavior observed, metadata such as a MITRE tactic or technique, a calculated risk score based on the confidence and impact of the entity, and so on. Findings can be displayed in the analyst queue as standalone or as a group and are used to assist in the investigation of the alert conditions and to track event remediation. This term applies to Splunk Enterprise Security, the Splunk App for PCI Compliance, and Splunk IT Service Intelligence. |
Finding-based detection | A type of detection that reviews the findings in the risk index and the notable index for anomalous events and threat activities and uses an aggregation of findings impacting a single entity, or other group type and criteria, to generate finding groups that indicate a security risk. | NA
Finding group | A group of findings and intermediate findings created by finding-based detections. Finding groups can be manually included in an investigation and triaged by the SOC. Finding groups are stored in KV Store collections. | NA
Intermediate finding | A record or observation created by event-based detections that indicates an anomaly but might not be a standalone security incident. Intermediate findings, in conjunction with other findings, might be used as input by advanced finding-based detections to discover potential security incidents with high fidelity and confidence. Intermediate findings might look identical to findings based on the data stored in the index. However, intermediate findings are not displayed in the analyst queue and are not triaged by analysts. The style and format of an intermediate finding is identical to that of a traditional finding and contains fields such as timestamp, key/value pairs, an entity, risk score, threat objects, and other metadata. |
Investigation | A case that has been manually or automatically flagged and is displayed in the analyst queue of the Mission Control page in Splunk Enterprise Security. Investigations are a collaborative process for security personnel such as analysts, SOC managers, automation engineers, security architects, and so on to identify, collect, and examine findings or finding groups. |
Investigation type | A category of investigations that share common characteristics, such as source or severity. After creating an investigation type, you can associate the investigation type with a response plan to automate and personalize your response workflow. | Incident type in Splunk Mission Control.
Note | Additional information such as PDFs, slide decks, reference materials, screenshots, extracts of log files, notes, Splunk events, email messages, and so on that can be attached to an investigation or finding. |
Observable | Suspicious indicators of threat that the user observes in log events, such as a hostname, IP address, URL, file name, or file hash. |
Response plan | A template of guidelines for analysts to follow so that they can provide a standardized response for investigations of the same type. You can use response plans provided by Splunk Enterprise Security, such as NIST 800-61 or Vulnerability Disclosure, or you can create your own custom response plan. | Response plan in Splunk Mission Control.
Threat list | A list of threat indicators published by your threat intelligence management (cloud) data sources for use in Splunk Enterprise Security threat-matching searches and investigation enrichment. You can set up multiple threat lists to pinpoint responses or target data to specific tools in your cybersecurity setup. | Intelligence workflow in Splunk Mission Control.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1