Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 1: Getting started

Prerequisites

To follow this tutorial, fulfill the following prerequisites:

  • Set up a Splunk platform instance.
  • Install Splunk Enterprise Security version 6.4.0 or higher.
  • Upload the MITRE ATT&CK framework to your deployment. For more information, see MITRE ATT&CK framework.

Download the tutorial dataset

For this tutorial, download the open source BOTS dataset and add it to your Splunk instance.

Why? Because this tutorial uses a specific set of data to ensure consistency in your results and in the features that you are learning about. Upload this tutorial-specific data to a Splunk deployment that is not part of your work environment, so that the tutorial data does not get mixed up with your production data.

The Boss of the SOC (BOTS) version 3.0 dataset is distributed by Splunk Inc. under a Creative Commons CC0 license. This dataset helps security analysts and detection engineers explore common security issues that organizations face and test new detection methods against realistic data. The dataset is already indexed during packaging, so loading it avoids data ingest restrictions.

Splunk Enterprise Security is not included in this open-source release of the BOTS version 3.0 dataset.

The tutorial describes the steps for downloading the dataset and adding it to a Splunk instance.

Upload the tutorial dataset to the Splunk platform

When you add data to your Splunk platform deployment, the data gets processed and transformed into a series of individual events that you can view, search, and analyze.

Follow these steps to add data to the Splunk platform using Splunk Web:

  1. Log into Splunk Web to access the Home page.
  2. Select Settings, then select Add Data to access the Add Data page.
  3. On the Add Data page, select Upload to add the BOTS data file, botsv3_data_set.tgz, to your Splunk instance.
  4. Upload the data through one of the following methods on this page:
    • Drag the file you want to index from your desktop to the Drop your data file here area.
    • Select Select File, and then select the botsv3_data_set.tgz file that you want to index. (Screenshot: the Select Source page in the Add Data workflow.)

    Splunk Enterprise then loads the file and processes it.

  5. After the file loads, select Next.
  6. Select Review, then select Submit, keeping the default settings.

Verify that the tutorial data gets indexed

Verify that the tutorial dataset was indexed correctly before you use it for risk-based alerting.

Follow these steps to verify that the BOTS dataset populated the index correctly:

  1. Navigate to the Splunk Enterprise Security app.
  2. Select Search menu, then select Search.
  3. Enter the following search:

    | tstats count where index=botsv3 by sourcetype

  4. Run the search over the All Time time range. Approximately 107 sourcetypes are displayed for the BOTS dataset. (Screenshot: the 107 sourcetypes in the uploaded BOTS dataset.)

Verify the MITRE ATT&CK framework gets applied to Splunk Enterprise Security

Applying the MITRE ATT&CK framework to your Splunk Enterprise Security deployment provides context and helps you view security detection coverage. The framework outlines adversarial behaviors specific to Windows, Linux, Mac, cloud-based, and mobile environments, and helps security personnel better classify attacks, understand adversary behavior, and assess an organization's risk.

Follow these steps to review the MITRE ATT&CK lookup in Splunk Enterprise Security:

  1. Navigate to the Splunk Enterprise Security app.
  2. Select Configure, then select Data Enrichment.
  3. Select Threat Intelligence Management.
  4. Under Sources, search for mitre_attack.
    The mitre_attack scheduled search downloads the data from the MITRE ATT&CK website once a day and converts it into the mitre_attack lookup. (Screenshot: the mitre_attack lookup in Splunk Enterprise Security.)

List the fields in the MITRE ATT&CK lookup

Follow these steps to list all the fields in the MITRE ATT&CK lookup:

  1. Navigate to the Splunk Enterprise Security app.
  2. Select the Search menu, then select Search.
  3. Enter the following search:

    | inputlookup mitre_attack_lookup | head 1 | transpose

    The search lists all the fields in the MITRE ATT&CK lookup, one per row. (Screenshot: the fields in the mitre_attack lookup in Splunk Enterprise Security.)

    The MITRE ATT&CK lookup enriches the risk events by matching them against various MITRE techniques and tactics.
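To illustrate what that enrichment does, the following Python example (added here; it is not Splunk's code and does not use the product's API) loads a constructed subset of an ATT&CK lookup, tags constructed risk events with technique names and tactics, and totals risk per tactic. The lookup column names and the annotations.mitre_attack field are assumptions for this example; run the transpose search above to see the real field names in your deployment.

```python
import csv
from collections import defaultdict

# Constructed subset of a MITRE ATT&CK lookup; the column names are assumed
# for this example (list your real lookup's fields with the transpose search).
MITRE_LOOKUP_CSV = """technique_id,technique,tactic
T1059,Command and Scripting Interpreter,Execution
T1078,Valid Accounts,Persistence
T1078,Valid Accounts,Initial Access
T1566,Phishing,Initial Access
"""

# Constructed risk events; the field carrying technique IDs is an assumed name.
RISK_EVENTS = [
    {"risk_object": "bob", "risk_score": 20, "annotations.mitre_attack": ["T1078"]},
    {"risk_object": "alice", "risk_score": 40, "annotations.mitre_attack": ["T1059", "T1566"]},
    {"risk_object": "svc_backup", "risk_score": 10, "annotations.mitre_attack": ["T9999"]},
]

def load_lookup(csv_text):
    """Index lookup rows by technique ID; one technique can belong to several tactics."""
    lookup = defaultdict(lambda: {"technique": None, "tactics": set()})
    for row in csv.DictReader(csv_text.splitlines()):
        lookup[row["technique_id"]]["technique"] = row["technique"]
        lookup[row["technique_id"]]["tactics"].add(row["tactic"])
    return dict(lookup)

def enrich(events, lookup):
    """Attach technique names and tactics to each event; unknown IDs are kept separate."""
    enriched = []
    for ev in events:
        out = dict(ev, mitre_technique=[], mitre_tactic=set(), unmatched=[])
        for tid in ev.get("annotations.mitre_attack", []):
            if tid in lookup:
                out["mitre_technique"].append(lookup[tid]["technique"])
                out["mitre_tactic"] |= lookup[tid]["tactics"]
            else:
                out["unmatched"].append(tid)  # stale or mistyped technique ID
        enriched.append(out)
    return enriched

def coverage_by_tactic(enriched):
    """Total risk score per tactic: the coverage view the framework adds to risk events."""
    totals = defaultdict(int)
    for ev in enriched:
        for tactic in ev["mitre_tactic"]:
            totals[tactic] += ev["risk_score"]
    return dict(totals)
```

Events whose technique IDs are not in the lookup end up in the unmatched list, which is worth reviewing after the daily lookup refresh.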

See also

For more information on uploading data to Splunk Enterprise Security, see How do you want to add data in the Splunk Enterprise Getting Data In manual.

Next step

Now that you have added data to your Splunk platform instance and verified that the MITRE ATT&CK framework is applied, you can raise the risk score of watchlisted users using risk factors. See Part 2: Raise the risk score of watchlisted users using risk factors.

Last modified on 20 July, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2

