Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use Analytic Stories for actionable guidance in

The Splunk Security Research team writes Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches you need to implement the story in your own environment. It also provides an explanation of what the search achieves and how to convert a search into adaptive response actions, where appropriate.

By default, the ess_admin and ess_analyst roles can configure the use case library with relevant Analytic Stories. See Manage Analytic Stories through the use case library in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Determine which Analytic Stories to use

You can use common industry use cases to determine which Analytic Stories and searches are useful to you. There are a variety of ways to determine if an Analytic Story contains the searches you need:

  • by industry use case
  • by framework
  • by data

In the following scenario, you know that you're interested in common AWS-related security issues, so you start by filtering on known use cases for cloud security.

  1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
  2. From the use cases filters on the left, click Cloud Security.
  3. From an Analytic Story, such as Suspicious AWS EC2 Activities, click the greater than ( >) symbol to expand the display.
  4. You see the detection searches that are related to this use case.
  5. You also see your data sources, data models, and lookups that these searches use.
    Data Sources Description
    Recommended Data Sources The type of data sources that are likely to provide valuable data.
    Sourcetypes Your sourcetypes that are in use by the detection searches for this Analytic Story. If the status icon shows a red exclamation mark, hover over the icon to see the reason.
    Data Models Your data that is in use by the detection searches for this Analytic Story as mapped to the Splunk data models via the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason.
    Lookups Your lookups that are in use by the detection searches for this Analytic Story. If the status icon shows a red exclamation mark, hover over the icon to see the reason.

You can use an Analytic Story if the recommended data sources, sourcetypes, data models, and lookups do not have red exclamation marks. However, even though green checkmarks indicate that sources are available, they don't always mean that the searches return results based on the ingested data.

Use Analytic Stories to search for results and get guidance

In the following scenario, you know that you're interested in EC2 instances that originate from unusual locations or those launched by previously unseen users, so you start by filtering on known use cases for cloud security.

  1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
  2. From the use cases filters on the left, click Cloud Security.
  3. Click the name of the Analytic Story. In this case, click Suspicious AWS EC2 Activities.
    The Analytic Story Details page opens for the story.
    1. From the References section, see any links, white papers, or PDFs provided.
    2. From the Detection section, select a search, such as ESCU - EC2 Instance Started In Previously Unseen Region.
    3. From the Search section, click the greater than (>) symbol to expand the display.
    4. Revise the time picker and click Search to manually run the search and see the results.
      This screenshot shows where to find the Search section, time picker, and search button.
    5. From the Known False Positives section, click the greater than (>) symbol to expand the display for tips on when the results might not indicate a problem.

By default, the ess_admin and ess_analyst roles can enable and schedule to run this search automatically on a regular basis. See Enable and schedule the Analytic Story in the Administer Splunk Enterprise Security manual.

Bookmark the Analytic Story

Bookmarks persist per user, so you can bookmark the Analytic Stories that are specific to your duties.

  1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
  2. Find the name of the Analytic Story.
  3. Toggle the Bookmark switch to enable it.
  4. From the drop-down filters, select Bookmarked > True to find your bookmarked stories.
Last modified on 19 July, 2021
PREVIOUS
Review the summary of an investigation in Splunk Enterprise Security
  NEXT
Analyze risk in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters