Splunk® Enterprise Security

Administer Splunk Enterprise Security

Add ESCU annotations to correlation searches and analytics stories

Add and edit annotations from Enterprise Security Content Update (ESCU) to correlation searches and analytic stories in the use case library of Splunk Enterprise Security to enrich your security content.

Add annotations to a correlation search

Add annotations such as Analytic Story, Confidence, Context, and Impact from Splunk ESCU to your correlation searches for enriching your security content.

Managed annotations are annotations that Splunk ES and ESCU ship by default. Unmanaged annotations are custom annotations that you can add for your specific use case. Annotations are often based on a recognized industry framework such MITRE ATT&CK or KILL CHAIN.

Follow these steps to add annotations to a correlation search:

  1. From the Content Management page, locate the correlation search you want to edit.
  2. Click the name of a correlation search on the Content Management page to edit it.
  3. Scroll to the section on Annotations and add values for managed annotation such as Confidence, Impact, Analytic Story, and Context.

Following annotation types are supported by the correlation search editor:

ESCU annotation type Description Example value Managed/Unmanaged
Confidence Numerical value to score confidence level 50 Managed
Impact Numerical value to score impact 40 Managed
Analytic story Identifies the analytic story to which the correlation search is linked in the use case library Ransomware

AWS IAM Privilege Escalation
Active Directory Discovery
AWS Cross Account Activity

Context Context for the correlation search?? Source Cloud Data

Scope External
Source Endpoint
Stage Execution
Stage Reconnaisance


View annotations in analytic stories from the use case library

View annotations that you added to the searches in the Analytic Story details page of the use case library.

  1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
  2. From the use cases filters on the left, click Cloud Security.
  3. From an Analytic Story, such as AWS Cross Account Activity, click the greater than ( >) symbol to expand the display.
  4. Scroll to Framework Mapping to view the annotation types supported by the Use Case Library.
  5. Click the name of the Analytic Story. For example, click AWS Cross Account Activity.
    The Analytic Story Details page opens for the story.
  6. Scroll to Cyber Security Framework Attributes to see the various ESCU annotation types associated with the analytic story.

See also
Use security framework annotations in correlation searches
Edit a correlation search

Last modified on 20 April, 2022
Manage Analytic Stories through the use case library in Splunk Enterprise Security   Configure general settings for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters