Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How risk annotations provide additional context in Splunk Enterprise Security

Manage your investigations effectively using the risk annotations that provide additional context and enrichment in Splunk Enterprise Security.

You can add risk annotations for the following purposes:

  • To enrich correlation search results
  • To tag risk events
  • To manage ad-hoc risk entries

Use annotations to enrich your correlation search results with security framework mappings. You can use annotations for industry-standard mappings or unmanaged annotations for custom mappings. You also see these annotations as field labels in the Incident Review and Risk Analysis dashboards.

Tagging the risk events generated by risk incident rules with security metadata from common cybersecurity frameworks and analyst observations makes it easier to identify the root problem and helps you detect security threats during each phase of a cybersecurity investigation.

The savedsearches.conf file stores the annotations in the action.correlationsearch.annotations setting as JSON. MITRE ATT&CK definitions are pre-populated in the security_framework_annotations.csv file. MITRE ATT&CK is a widely used knowledge base of adversary tactics and techniques based on real-world observations. Tactics are categories of activities such as Privilege Escalation or Command and Control. Techniques are specific activities such as Kerberoasting or Protocol Tunneling. You don't need to revise these files unless you want to display the information in the annotations drop-down field, which is not available by default.

When annotated, the correlation searches do not automatically display in the use case library for use with the Framework Mapping filter. To add correlation searches to analytic stories, see Edit or add Analytic Story details in Administer Splunk Enterprise Security.

Following are some of the cybersecurity frameworks available by default in the risk incident rules:

  • MITRE ATT&CK
  • CIS Critical Security Controls
  • NIST
  • Lockheed Martin Cyber Kill Chain

Additionally, you can create your own custom security framework if you follow a naming convention and group together similar risk events. For example, you can create a security framework called "Potential Phishing" to identify the three distinct phases of user activity that might indicate phishing such as:

  • PDF reader spawns web browser
  • User traffic to uncategorized website
  • HTTP POST to uncategorized website

Using this security framework, you can create a risk-based correlation search to detect potential phishing when a user account generates any of the three events within the custom "Potential Phishing" security framework in a short timeframe.

Additionally, you can add managed or unmanaged security framework annotations in an ad-hoc risk entry for additional context.

Use risk annotations to enrich correlation searches in Splunk Enterprise Security

Follow these steps to use annotations to enrich your correlation search results with the context from industry-standard mappings.

  1. In Splunk Enterprise Security, select Configure > Content > Content Management.
  2. Select the title of the correlation search you want to edit to open the Correlation Search Editor.
  3. Go to Annotations.
  4. Add annotations for the common framework names listed.
    These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
    Security framework | Mapping examples
    CIS 20             | CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
    Kill Chain         | Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
    MITRE ATT&CK       | T1015, T1138, T1084, T1068, T1085 (this field also contains MITRE technique IDs for you to select from the mitre_attack_lookup lookup definition)
    NIST               | PR.IP, PR.PT, PR.AC, PR.DS, DE.AE
  5. If you are using the adaptive response action of Notable because you want to see annotations as field labels in Incident Review, and if you are editing a correlation search that does not use the Risk data model, then you need to append an eval statement for the annotations.mitre_attack field to the end of the correlation search, such as:

    | from datamodel:"Identity_Management"."Expired_Identity_Activity" | stats max("_time") as "lastTime",latest("_raw") as "orig_raw",count by "expired_user" | rename "expired_user" as "user" | eval annotations.mitre_attack="T1027"

  6. If you are using the adaptive response action of Risk Analysis because you want to see annotations as field labels in the Risk Analysis dashboard, the annotations display automatically.
  7. Select Save.
  8. Search your MITRE ATT&CK intelligence download data to verify the annotation details as follows:

    | inputintelligence mitre_attack

Add additional security frameworks to your annotations

While the MITRE ATT&CK framework annotations are available by default, you can also add other industry-standard frameworks. You can add them from scratch, but cloning the existing mitre_attack objects is more convenient.

To add security frameworks to your annotations, follow these high-level steps:

Add the intelligence download

Follow these steps to add the intelligence download:

  1. From the Splunk bar, select Settings > Data inputs > Intelligence Downloads.
  2. Filter for mitre.
  3. Select the Clone action for mitre_attack.
  4. Enter a name for the industry-standard framework.
  5. Revise the description.
  6. Leave Is Threat Intelligence unchecked.
  7. Revise the type.
  8. Revise the URL.
  9. Select Save.

Add the lookup definition

Follow these steps to add the lookup definition:

  1. From the Splunk bar, select Settings > Lookups > Lookup definitions.
  2. Filter for mitre.
  3. Select the Clone action for mitre_attack_lookup.
  4. Leave Type as-is.
  5. Enter a name for the industry-standard framework.
  6. Revise the Supported fields.
  7. Select Save.

Add the automatic lookup

Follow these steps to add the automatic lookup:

  1. From the Splunk bar, select Settings > Lookups > Automatic lookups.
  2. Filter for mitre.
  3. Select the Clone action for source::...- Rule : LOOKUP-mitre_attack_enrichment.
  4. Leave Destination app as-is.
  5. Leave Apply to as-is. The named* source::...- Rule is necessary.
  6. Enter a name for the industry-standard framework.
  7. Revise all the fields.
  8. Select Save.

Example of using MITRE ATT&CK annotations for additional context

Consider MITRE ATT&CK annotations as an example. At search time, the mitre_attack_enrichment automatic lookup uses the MITRE technique ID that you selected, and it outputs additional industry-standard context as event fields. Some examples include, but are not limited to, the following:

  • annotations.mitre_attack.mitre_description
  • annotations.mitre_attack.mitre_detection
  • annotations.mitre_attack.mitre_platform
  • annotations.mitre_attack.mitre_software_name
  • annotations.mitre_attack.mitre_software_platform
  • annotations.mitre_attack.mitre_tactic
  • annotations.mitre_attack.mitre_technique
  • annotations.mitre_attack.mitre_technique_id
  • annotations.mitre_attack.mitre_url

Add managed security framework annotations to an ad-hoc risk entry

Use annotations to add context from industry-standard mappings to your ad-hoc risk entry results. Annotations get enriched with industry-standard context. Only MITRE ATT&CK definitions are pre-populated for enrichment.

Follow these steps to add managed security framework annotations in an ad-hoc risk entry:

  1. In Splunk Enterprise Security, navigate to the Correlation Search Editor and find Annotations.
  2. Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
    Security framework | Mapping examples
    CIS 20             | CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
    Kill Chain         | Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
    MITRE ATT&CK       | T1015, T1138, T1084, T1068, T1085 (this field also contains MITRE technique names for you to select because they are pre-populated for enrichment)
    NIST               | PR.IP, PR.PT, PR.AC, PR.DS, DE.AE
  3. Select Save.

MITRE ATT&CK annotations appear on dashboards by ID, such as T1015, rather than by the technique name.

Add unmanaged annotations to an ad-hoc risk entry

Unmanaged annotations are not enriched with any industry-standard context.

Follow these steps to add unmanaged annotations in an ad-hoc risk entry:

  1. Scroll to Unmanaged Annotations.
  2. Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
  3. Click Save.

If you search the risk index directly, you see your unmanaged annotations.

index=risk

Unmanaged annotations display results as follows: annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.

Sample event (7/22/20 5:34:09.000 PM):

1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
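The following added example (not Splunk's code) models two behaviours described on this page: how the action.correlationsearch.annotations JSON expands into the annotations._frameworks, annotations._all and annotations.<framework> fields visible in the sample risk event above (note that the empty example_attack framework produces no fields), and how the search-time mitre_attack_enrichment lookup adds annotations.mitre_attack.<column> context per technique ID. The savedsearches.conf stanza and the lookup rows are constructed samples.

```python
import configparser
import json
from collections import defaultdict

# Constructed savedsearches.conf stanza (sample only, not from a real deployment).
SAVEDSEARCHES_CONF = """
[Example - Expired Identity Activity - Rule]
action.correlationsearch.annotations = {"mitre_attack":["T1078"],"nist":["DE.AE"],"example-net":["nim","butler","koko"]}
"""

# Constructed subset of a mitre_attack lookup: technique ID -> enrichment columns.
MITRE_LOOKUP = {
    "T1078": {"mitre_technique": "Valid Accounts",
              "mitre_tactic": "Persistence",
              "mitre_url": "https://attack.mitre.org/techniques/T1078/"},
}

def load_annotations(conf_text):
    """Return {stanza: annotations dict} from the JSON stored in each stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: json.loads(cp[s]["action.correlationsearch.annotations"]) for s in cp.sections()}

def flatten_annotations(annotations):
    """Expand the JSON into the multivalue fields seen on index=risk events:
    annotations._frameworks, annotations._all and annotations.<framework>.
    A framework with an empty list contributes nothing, matching the sample event."""
    fields = defaultdict(list)
    for framework, values in annotations.items():
        if not values:
            continue
        fields["annotations._frameworks"].append(framework)
        for value in values:
            fields["annotations._all"].append(value)
            fields[f"annotations.{framework}"].append(value)
    return dict(fields)

def enrich_mitre(fields, lookup):
    """Mimic the search-time mitre_attack_enrichment lookup: for each technique ID
    in annotations.mitre_attack, add annotations.mitre_attack.<column> fields."""
    enriched = {k: list(v) for k, v in fields.items()}
    for technique_id in fields.get("annotations.mitre_attack", []):
        row = lookup.get(technique_id)
        if row is None:
            continue  # unknown or custom ID: annotation is kept, nothing enriched
        for column, value in row.items():
            enriched.setdefault(f"annotations.mitre_attack.{column}", []).append(value)
    return enriched
```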


See also

For more information about how best to use annotations in your security environment, see the product documentation.

Risk Analysis in Use Splunk Enterprise Security manual

Add ESCU annotations to correlation searches and analytic stories in the Administer Splunk Enterprise Security manual

Identify annotations based risk objects in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual

Investigations in Splunk Enterprise Security in the Use Splunk Enterprise Security manual

Getting started with risk-based alerting and MITRE (.conf talk)

Last modified on 12 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
