Splunk® Enterprise Security

Administer Splunk Enterprise Security

Add annotations to detections in Splunk Enterprise Security

Add annotations to provide additional context, enrich detection search results, and better manage your investigations in Splunk Enterprise Security. Using annotations from common cybersecurity frameworks and analyst observations makes it easier to perform root cause analysis and helps to detect security threats during the different phases of a cybersecurity investigation.

You can enrich detection search results and provide additional context using industry standard security framework mappings or create your own custom mappings. You also see these annotations as field labels in the Mission Control page and the Risk Analysis dashboard in Splunk Enterprise Security.

You can add annotations of the following two types to the detection search results:

  • Managed annotations: Annotations that Splunk Enterprise Security and Enterprise Security Content Update (ESCU) provided by default, such as analytics stories. Managed annotations can also be based on a recognized cybersecurity framework, such as MITRE ATT&CK or Kill Chain.
  • Unmanaged annotations: Custom annotations that you can add for your specific use case. Unmanaged annotations won't be enriched with any industry-standard context.

The savedsearches.conf file stores the annotations in action.correlationsearch.annotations JSON format. MITRE ATT&CK definitions are pre-populated in the security_framework_annotations.csv file. MITRE ATT&CK is a widely-used knowledge base of adversary tactics and techniques based on real-world observations. Tactics are categories of activities such as Privilege Escalation or Command and Control. Techniques are specific activities such as Kerberoasting or Protocol Tunneling. You don't need to revise these files unless you want to display the information in the annotations drop-down field, which is not available by default.

Search your MITRE ATT&CK intelligence download data to verify the annotation details as follows:

| inputintelligence mitre_attack

When annotated, the detections do not automatically display in the Use Case library for use with the Framework Mapping filter.

The following are some of the cybersecurity frameworks available by default for the detections:

  • MITRE ATT&CK
  • CIS Critical Security Controls
  • NIST
  • Lockheed Martin Cyber Kill Chain

Additionally, you can create your own custom security framework if you follow a naming convention and group together similar findings. For example, you can create a security framework called "Potential Phishing" to identify the three distinct phases of user activity that might indicate phishing, such as the following:

  • PDF reader spawns web browser
  • User traffic to uncategorized website
  • HTTP POST to uncategorized website

Using this security framework, you can create a detection to detect potential phishing when a user account generates any of the three events within the custom "Potential Phishing" security framework in a short timeframe.

Add annotations to a detection in the detection editor

Follow these steps to add annotations to a detection in the detection editor:

  1. In the Splunk Enterprise Security app, go to the Configure tab.
  2. Select Content and then select Content management.
  3. Locate the detection to which you want to add the annotations.
  4. Select the name of the detection on the Content management page to edit it in the detection editor.
  5. In the detection editor, scroll to the section on Annotations.
  6. Add values for the managed annotations such as CIS 20, Kill Chain, MITRE ATT&CK, NIST, Confidence, Impact, Analytic Story, and Context. Following ESCU annotation types are supported by the detection editor:
    ESCU annotation type Description Example value Managed/Unmanaged
    CIS20 CIS20 security framework mapping to enrich detection results. CIS 3,CIS 9,CIS 7,CIS 11, CIS 12 Managed
    Kill Chain Kill Chain security framework mapping to enrich detection results. Reconnaissance, Actions on Objectives, Exploration, Delivery, Lateral Movement Managed
    MITRE ATT&CK MITRE ATT&CK security framework mapping to enrich detection results. This field also contains MITRE technique IDs for you to select from the mitre_attack_lookup lookup definition. T1015, T1138, T1084, T1068, T1085 Managed
    NIST NIST security framework mapping to enrich detection results. PR.PT, PR.AC, PR.IP, PR.DS, DE>AE Managed
    Confidence Numerical value to score confidence level 50 Managed
    Impact Numerical value to score impact 40 Managed
    Analytic story Identifies the analytic story to which the detection search is linked in the use case library Ransomware

    AWS IAM Privilege Escalation
    Active Directory Discovery
    AWS Cross Account Activity

    Unmanaged
    Context Context for the detection Source Cloud Data

    Scope External
    Source Endpoint
    Stage Execution
    Stage Reconnaissance

    Unmanaged
  7. Scroll to Unmanaged Annotations.
  8. Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
    If you search the risk index directly, you see your unmanaged annotations.

    index=risk

    Unmanaged annotations display results as follows: annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.

    i Time Event
    > 7/22/20
    5:34:09.000 PM
    1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
  9. Select Save.


Example of using MITRE ATT&CK annotations for additional context

Consider MITRE ATT&CK annotations as an example. At search time, the mitre_attack_enrichment automatic lookup uses the mitre technique id that you selected, and it outputs additional industry-standard context as event fields. Some examples include, but are not limited to, the following:

annotations.mitre_attack.mitre_description, annotations.mitre_attack.mitre_detection, annotations.mitre_attack.mitre_platform, annotations.mitre_attack.mitre_software_name, annotations.mitre_attack.mitre_software_platform, annotations.mitre_attack.mitre_tactic, annotations.mitre_attack.mitre_technique, annotations.mitre_attack.mitre_technique_id, annotations.mitre_attack.mitre_url.

Add additional security frameworks to your annotations

While some industry standard security frameworks such as MITRE ATT&CK are available by default, you can also add other industry-standard frameworks. You can add them from scratch or clone the existing MITRE ATT&CK for convenience.

To add security frameworks to your annotations, follow these high-level steps:

Add an intelligence download

Follow these steps to add a threat intelligence download:

  1. From the Splunk Enterprise menu bar, select Settings.
  2. Select Data inputs and then select Intelligence downloads.
  3. Filter on mitre.
  4. Select the Clone action for mitre_attack.
  5. Type a name for the industry-standard framework.
  6. Revise the description.
  7. Leave Is Threat Intelligence unchecked.
  8. Revise the Type.
  9. Revise the URL.
  10. Select Save.

Add the lookup definition

Follow these steps to add the lookup definition:

  1. From the Splunk Enterprise menu bar, select Settings.
  2. Select Lookups and then select Lookup definitions.
  3. Filter on mitre.
  4. Select the Clone action for mitre_attack_lookup.
  5. Leave Type as-is.
  6. Type a name for the industry-standard framework.
  7. Revise the Supported fields.
  8. Select Save.

Add the automatic lookup

Follow these steps to add the automatic lookup:

  1. From the Splunk Enterprise menu bar, select Settings.
  2. Select Lookups and then select Automatic lookups.
  3. Filter on mitre.
  4. Select the Clone action for source::...- Rule : LOOKUP-mitre_attack_enrichment.
  5. Leave Destination app as-is.
  6. Leave Apply to as-is. The named* source::...- Rule is necessary.
  7. Type a name for the industry-standard framework.
  8. Revise all the fields.
  9. Select Save.

View annotations in analytic stories from the use case library

View annotations that you added to the detections in the Analytic Story Details page of the Use Case Library.

  1. From the Splunk Enterprise Security menu bar, select the Configure tab.
  2. Select Content and then select Use Case Library.
  3. From the use cases filters, select Cloud Security.
  4. From an analytic story, such as AWS Cross Account Activity, select the greater than ( >) symbol to expand the display.
  5. Go to Framework Mapping to view the annotation types supported by the Use Case Library.
  6. Select the name of the analytic story. For example, select AWS Cross Account Activity.
    The Analytic Story Details page opens for the story.
  7. Go to Cyber Security Framework Attributes to see the various ESCU annotation types associated with the analytic story.
Last modified on 25 November, 2024
Specify the display of finding groups in the analyst queue of Splunk Enterprise Security   Specify the time to run detections in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters