Add annotations to detections in Splunk Enterprise Security
Add annotations to provide additional context, enrich detection search results, and better manage your investigations in Splunk Enterprise Security. Using annotations from common cybersecurity frameworks and analyst observations makes it easier to perform root cause analysis and helps to detect security threats during the different phases of a cybersecurity investigation.
You can enrich detection search results and provide additional context using industry standard security framework mappings or create your own custom mappings. You also see these annotations as field labels in the Mission Control page and the Risk Analysis dashboard in Splunk Enterprise Security.
You can add annotations of the following two types to the detection search results:
- Managed annotations: Annotations that Splunk Enterprise Security and Enterprise Security Content Update (ESCU) provide by default, such as analytic stories. Managed annotations can also be based on a recognized cybersecurity framework, such as MITRE ATT&CK or Kill Chain.
- Unmanaged annotations: Custom annotations that you can add for your specific use case. Unmanaged annotations won't be enriched with any industry-standard context.
The savedsearches.conf file stores the annotations in the action.correlationsearch.annotations setting in JSON format. MITRE ATT&CK definitions are pre-populated in the security_framework_annotations.csv file. MITRE ATT&CK is a widely used knowledge base of adversary tactics and techniques based on real-world observations. Tactics are categories of activities, such as Privilege Escalation or Command and Control. Techniques are specific activities, such as Kerberoasting or Protocol Tunneling. You don't need to revise these files unless you want to display the information in the annotations drop-down field, which is not available by default.
Search your MITRE ATT&CK intelligence download data to verify the annotation details as follows:
| inputintelligence mitre_attack
When annotated, the detections do not automatically display in the Use Case library for use with the Framework Mapping filter.
The following are some of the cybersecurity frameworks available by default for the detections:
- MITRE ATT&CK
- CIS Critical Security Controls
- NIST
- Lockheed Martin Cyber Kill Chain
Additionally, you can create your own custom security framework if you follow a naming convention and group together similar findings. For example, you can create a security framework called "Potential Phishing" to identify the three distinct phases of user activity that might indicate phishing, such as the following:
- PDF reader spawns web browser
- User traffic to uncategorized website
- HTTP POST to uncategorized website
Using this security framework, you can create a detection to detect potential phishing when a user account generates any of the three events within the custom "Potential Phishing" security framework in a short timeframe.
Add annotations to a detection in the detection editor
Follow these steps to add annotations to a detection in the detection editor:
- In the Splunk Enterprise Security app, go to the Configure tab.
- Select Content and then select Content management.
- Locate the detection to which you want to add the annotations.
- Select the name of the detection on the Content management page to edit it in the detection editor.
- In the detection editor, scroll to the section on Annotations.
- Add values for the managed annotations such as CIS 20, Kill Chain, MITRE ATT&CK, NIST, Confidence, Impact, Analytic Story, and Context.
The following ESCU annotation types are supported by the detection editor:
| ESCU annotation type | Description | Example value | Managed/Unmanaged |
| --- | --- | --- | --- |
| CIS20 | CIS20 security framework mapping to enrich detection results. | CIS 3, CIS 9, CIS 7, CIS 11, CIS 12 | Managed |
| Kill Chain | Kill Chain security framework mapping to enrich detection results. | Reconnaissance, Actions on Objectives, Exploration, Delivery, Lateral Movement | Managed |
| MITRE ATT&CK | MITRE ATT&CK security framework mapping to enrich detection results. This field also contains MITRE technique IDs for you to select from the mitre_attack_lookup lookup definition. | T1015, T1138, T1084, T1068, T1085 | Managed |
| NIST | NIST security framework mapping to enrich detection results. | PR.PT, PR.AC, PR.IP, PR.DS, DE.AE | Managed |
| Confidence | Numerical value to score confidence level | 50 | Managed |
| Impact | Numerical value to score impact | 40 | Managed |
| Analytic story | Identifies the analytic story to which the detection search is linked in the use case library | Ransomware, AWS IAM Privilege Escalation, Active Directory Discovery, AWS Cross Account Activity | Unmanaged |
| Context | Context for the detection | Source Cloud Data, Scope External, Source Endpoint, Stage Execution, Stage Reconnaissance | Unmanaged |
- Scroll to Unmanaged Annotations.
- Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
If you search the risk index directly, you see your unmanaged annotations:
index=risk
Unmanaged annotations display in the results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>. For example, a risk event from 7/22/20 5:34:09.000 PM:
1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
- Select Save.
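As an added example (not code from this page or from Splunk), the following Python reads the action.correlationsearch.annotations JSON from a constructed savedsearches.conf stanza and derives the annotations._all, annotations._frameworks and annotations.<framework> fields that the sample risk event shows, including why the empty example_attack framework is absent from annotations._frameworks. The stanza name is taken from the sample event's search_name and the conf fragment is constructed.

```python
"""Flatten action.correlationsearch.annotations JSON into the risk-index fields."""
import configparser
import json

# Constructed savedsearches.conf fragment; only the annotations setting matters here.
SAVEDSEARCHES_CONF = r"""
[AdHoc Risk Score]
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"example_attack":[],"example-net":["nim","butler","koko"]}
"""


def load_annotations(conf_text: str, stanza: str) -> dict:
    """Read the annotations JSON from one stanza of savedsearches.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as Splunk writes it
    parser.read_string(conf_text)
    raw = parser.get(stanza, "action.correlationsearch.annotations", fallback="{}")
    annotations = json.loads(raw)
    if not isinstance(annotations, dict):
        raise ValueError("annotations must be a JSON object keyed by framework name")
    return annotations


def flatten(annotations: dict) -> dict:
    """Derive the fields a risk event carries: annotations.<framework> for each
    value, annotations._frameworks for frameworks with at least one value, and
    annotations._all with every value. A framework whose list is empty
    (example_attack in the sample) contributes nothing, which is why the sample
    event lists only example-net in annotations._frameworks."""
    fields = {"annotations": json.dumps(annotations, separators=(",", ":"))}
    frameworks, every_value = [], set()
    for framework, values in annotations.items():
        if not isinstance(values, list):  # assumption: treat a scalar as one value
            values = [values]
        values = [str(v) for v in values]
        if not values:
            continue
        frameworks.append(framework)
        every_value.update(values)
        fields[f"annotations.{framework}"] = sorted(values)
    fields["annotations._frameworks"] = frameworks
    # Splunk does not guarantee multivalue order; sort so results are stable.
    fields["annotations._all"] = sorted(every_value)
    return fields


if __name__ == "__main__":
    for name, value in flatten(load_annotations(SAVEDSEARCHES_CONF, "AdHoc Risk Score")).items():
        print(f"{name} = {value}")
```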
Example of using MITRE ATT&CK annotations for additional context
Consider MITRE ATT&CK annotations as an example. At search time, the mitre_attack_enrichment automatic lookup uses the MITRE technique ID that you selected, and it outputs additional industry-standard context as event fields. Some examples include, but are not limited to, the following:
- annotations.mitre_attack.mitre_description
- annotations.mitre_attack.mitre_detection
- annotations.mitre_attack.mitre_platform
- annotations.mitre_attack.mitre_software_name
- annotations.mitre_attack.mitre_software_platform
- annotations.mitre_attack.mitre_tactic
- annotations.mitre_attack.mitre_technique
- annotations.mitre_attack.mitre_technique_id
- annotations.mitre_attack.mitre_url
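To show what the automatic lookup contributes at search time, here is an added Python simulation (not Splunk's mitre_attack_enrichment code): a detection's annotations.mitre_attack technique IDs are joined to a lookup table and the matching columns become annotations.mitre_attack.<column> multivalue fields. The lookup rows and their column names are a constructed subset modelled on the field names above, and T9999 is a deliberately unknown ID used to show that an unmatched technique silently gains no context.

```python
"""Simulate the MITRE ATT&CK enrichment that the automatic lookup performs."""
import csv
import io

# Constructed lookup rows; a real table comes from the mitre_attack intelligence download.
MITRE_LOOKUP_CSV = """mitre_technique_id,mitre_technique,mitre_tactic,mitre_url
T1068,Exploitation for Privilege Escalation,Privilege Escalation,https://attack.mitre.org/techniques/T1068
T1572,Protocol Tunneling,Command and Control,https://attack.mitre.org/techniques/T1572
T1558.003,Kerberoasting,Credential Access,https://attack.mitre.org/techniques/T1558/003
"""


def load_lookup(csv_text: str) -> dict:
    """Index the lookup by technique ID, the key the automatic lookup matches on."""
    return {row["mitre_technique_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(event: dict, lookup: dict) -> dict:
    """Add annotations.mitre_attack.<column> multivalue fields for every technique
    ID present in the lookup. IDs absent from the lookup add nothing, so the
    event carries no tactic or technique context for them."""
    enriched = dict(event)
    for technique_id in event.get("annotations.mitre_attack", []):
        row = lookup.get(technique_id)
        if row is None:
            continue
        for column, value in row.items():
            enriched.setdefault(f"annotations.mitre_attack.{column}", []).append(value)
    return enriched


def missing_technique_ids(event: dict, lookup: dict) -> list:
    """Technique IDs on the detection that the lookup cannot enrich. When this is
    non-empty, verify the download with: | inputintelligence mitre_attack"""
    return [t for t in event.get("annotations.mitre_attack", []) if t not in lookup]


if __name__ == "__main__":
    # Constructed event: two known techniques plus T9999, a placeholder that no lookup contains.
    event = {"search_name": "Constructed Detection",
             "annotations.mitre_attack": ["T1068", "T1572", "T9999"]}
    lookup = load_lookup(MITRE_LOOKUP_CSV)
    for name, value in enrich(event, lookup).items():
        print(f"{name} = {value}")
    print("not enriched:", missing_technique_ids(event, lookup))
```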
Add additional security frameworks to your annotations
While some industry standard security frameworks such as MITRE ATT&CK are available by default, you can also add other industry-standard frameworks. You can add them from scratch or clone the existing MITRE ATT&CK for convenience.
To add security frameworks to your annotations, follow these high-level steps:
Add an intelligence download
Follow these steps to add a threat intelligence download:
- From the Splunk Enterprise menu bar, select Settings.
- Select Data inputs and then select Intelligence downloads.
- Filter on mitre.
- Select the Clone action for mitre_attack.
- Type a name for the industry-standard framework.
- Revise the description.
- Leave Is Threat Intelligence unchecked.
- Revise the Type.
- Revise the URL.
- Select Save.
Add the lookup definition
Follow these steps to add the lookup definition:
- From the Splunk Enterprise menu bar, select Settings.
- Select Lookups and then select Lookup definitions.
- Filter on mitre.
- Select the Clone action for mitre_attack_lookup.
- Leave Type as-is.
- Type a name for the industry-standard framework.
- Revise the Supported fields.
- Select Save.
Add the automatic lookup
Follow these steps to add the automatic lookup:
- From the Splunk Enterprise menu bar, select Settings.
- Select Lookups and then select Automatic lookups.
- Filter on mitre.
- Select the Clone action for source::...- Rule : LOOKUP-mitre_attack_enrichment.
- Leave Destination app as-is.
- Leave Apply to as-is. The source::...- Rule name is required.
- Type a name for the industry-standard framework.
- Revise all the fields.
- Select Save.
View annotations in analytic stories from the use case library
View annotations that you added to the detections in the Analytic Story Details page of the Use Case Library.
- From the Splunk Enterprise Security menu bar, select the Configure tab.
- Select Content and then select Use Case Library.
- From the use cases filters, select Cloud Security.
- From an analytic story, such as AWS Cross Account Activity, select the greater than (>) symbol to expand the display.
- Go to Framework Mapping to view the annotation types supported by the Use Case Library.
- Select the name of the analytic story. For example, select AWS Cross Account Activity.
The Analytic Story Details page opens for the story.
- Go to Cyber Security Framework Attributes to see the various ESCU annotation types associated with the analytic story.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1