Create event-based detections in Splunk Enterprise Security
Create event-based detections to review the raw events ingested into the Splunk platform and create intermediate findings and findings, which might or might not indicate a potential security incident. Event-based detections replace what was formerly known as risk rules, which added risk events to the risk index using the risk analysis adaptive response action.
Follow these steps to create event-based detections in Splunk Enterprise Security:
- In Splunk Enterprise Security, select the Security content tab.
- Select Content management.
- Select +Content and then select Detection to specify the type of detection that you want to create. For example, select Event-based detection.
- Select Submit to open the detection editor.
- In the Edit event-based detection editor, configure the finding type that you want to create using your event-based detection.
- Select Intermediate finding or Finding as the output type for the finding.
- Enter the information to define the event-based detection.
  - Title: The name of the detection. Detection names cannot be longer than 83 characters. However, if you include the string prefix, such as "Threat - ", and the string suffix "-Rule" in the detection name, the maximum character count for detections is 99 characters. Splunk Enterprise Security supports only detections ending with the string suffix "-Rule". Example value: Excessive Failed Logins - Tutorial
  - App: The app where you want to store the detection, which should align with the type of detection that you plan to build. If you have a custom app for your deployment, you can store the detection there. If you deactivate or remove the app where the search is stored, the detection is deactivated. The app context does not affect how the detection runs or the data on which it runs. Example value: SA-AccessProtection
  - UI dispatch context: The drop-down list to select an app used by the links in an email and other adaptive response actions. The app must be visible for links to work. Example value: None
  - Description: Information on what the detection looks for and the security use case addressed by the detection. Example value: Detects excessive number of failed login attempts (this is likely a brute force attack)
  - Detection search: The SPL search for the detection to identify patterns, anomalies, and threats.
- Select Save to save the detection.
You see the option "Save as new version" only after the first version of the detection is saved.
Specify the display of intermediate findings in the analyst queue of Splunk Enterprise Security
Customize the display of intermediate findings that are generated by event-based detections in the analyst queue on the Mission Control page by defining the specific fields.
Follow these steps to specify the display of intermediate findings in the analyst queue on the Mission Control page.
- In Splunk Enterprise Security, select Security content tab.
- Select Content management.
- Select Create new content and then select Detections.
- Select Event-based detection to open the detection editor.
- In the detection editor, go to Analyst queue.
- Add the criteria that specify how the intermediate findings are displayed in the Analyst queue on the Mission Control page.
  - Title: Name of the finding group. Required: Yes
  - Description: Information on the finding group. Required: Yes
  - Investigation type: Information on the service level agreements and response plans associated with an investigation. Required: Yes
  - Security domain: Categories to organize access to entities within a specific network or system. For example, access, identity, endpoint, network. Required: Yes
  - Severity: Value assigned to a finding, which when combined with the priority of an entity helps to generate the urgency of an event. Required: Yes
  - Drill-down searches: Drill-down searches that provide additional context to the finding group. Required: No
  - Drill-down dashboards: Drill-down dashboards that provide additional context to finding groups by allowing visibility to multiple drill-down searches. Required: No
  - Identity extraction: Collect and update your identity data automatically to improve data integrity and reduce the overhead and maintenance of manual updates.
  - Asset extraction: Collect and update your asset data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. Required: No
  - File extraction: Enter a field name to extract data from a file. Required: No
  - URL extraction: Enter a field name to extract data from a URL. Required: No
Configure risk modifiers and assign risk by specifying risk scores to entities and entity types
For more information on assigning risk to event-based detections by configuring risk modifiers, see Assign risk using risk modifiers in Splunk Enterprise Security.
Add annotations to detections to enrich detection search results using standard cybersecurity frameworks
For more information on adding annotations, see Add annotations to detections in Splunk Enterprise Security.
Specify the time schedule to run detections as scheduled searches instead of real-time searches
For more information on specifying the time range to run detections in Splunk Enterprise Security, see Specify the time to run detections in Splunk Enterprise Security.
Configure conditions to trigger appropriate number of findings
Configure trigger conditions to control when an event-based detection generates findings or intermediate findings and run the desired adaptive response actions when the trigger conditions are matched. You can do this by modifying the conditions that control when a detection generates findings and/or runs an adaptive response action. Throttling is different from defining trigger conditions and happens after detection search results meet the trigger conditions. After you define trigger conditions, the detection search results check if they match the conditions. If the detection search results match the conditions, throttling rules control whether a finding is created and/or an adaptive response action is generated.
You can set up trigger conditions to generate adaptive response actions for each result, based on the number of results returned by the detection search, the number of hosts, the number of sources, or other custom criteria. For custom criteria, enter a custom search string to create a condition. Trigger conditions act as a secondary condition against the results of the detection search.
For information on trigger conditions and configuring those conditions for a detection, see the following Splunk platform documentation:
- For Splunk Enterprise, see Configure alert trigger conditions in the Splunk Enterprise Alerting Manual.
- For Splunk Cloud Platform, see Configure alert trigger conditions in the Splunk Cloud Platform Alerting Manual.
Follow these steps to configure conditions to trigger the appropriate number of findings in event-based detections:
- In Splunk Enterprise Security, select Configure.
- Select Content, then select Content management.
- Select +Content and then select Detection to specify the type of detection that you want to create. For example, select Event-based detection to open the event-based detection editor.
- Scroll down to the Conditions section.
- Select the number of results that you want based on alert search results.
- Select one of two options: Once or For each result.
After the event pattern occurs, the alert can trigger just once or one time for each result in the pattern. You can choose an option depending on the notification or other alert action behavior that you want. However, selecting either of the options does not impact the finding adaptive response actions, such as Send email.
For Send email, if you select Once as the trigger frequency option, you trigger the alert only once for each time the search results match the specified condition and receive a single notification in your inbox. If you select For each result, you trigger multiple notifications but with the same number of findings. Trigger condition for Send Email is an exception and does not impact the total number of findings that are generated. Even if you receive multiple email notifications, many of the findings might be duplicates.
Throttle the number of adaptive response actions generated by a detection
Set up throttling to limit the number of adaptive response actions generated by a detection. When a detection matches an event, it triggers an adaptive response action.
By default, every result returned by the detection generates an adaptive response action. Typically, you might want only one alert of a certain type. You can use throttling to prevent a detection from creating more than one alert within a set period. To change the types of results that generate an adaptive response action, define trigger conditions. Some adaptive response actions allow you to specify a maximum number of results in addition to throttling.
Follow these steps to throttle the number of adaptive response actions generated by a detection:
- In Splunk Enterprise Security, select Configure.
- Select Content, and then select Content management.
- Select the title of the detection you want to edit.
- Enter a Window duration. During this window, if an event value matches all of the Fields to group by the detection does not create an alert. After the window ends, the next matching event creates a new alert and applies the throttle conditions again.
- Enter the Fields to group by to specify which fields to use when matching similar events. If an event matches all the fields listed here, the detection does not create a new alert. You can define multiple fields. Available fields depend on the search fields that the detection returns.
- Save the detection.
If you specify a field name in Fields to group by that doesn't exist in the search results, Splunk Enterprise Security throttles all the results because the field is identical and null for all the results.
Throttling applies to any type of detection adaptive response action and occurs before finding suppression rules.
If you have throttling set for an existing detection, editing the details of the alert or the throttle configuration resets the throttling. This includes any changes to fields you throttle on, the SPL in the detection, the cron schedule, and so on. The change causes the throttle file, which notes how long to ignore events, to be removed. Therefore, the throttling does not occur until the next event triggers based on the new parameters.
When detection versioning is turned on, any change that is made to a detection is saved as a new version and that new version is not automatically turned on. This is because the previous version of the detection is still turned on until the detection engineer turns on the new version. Turning on the detection also resets throttling.
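The trigger condition and throttling behavior described in the two sections above, as an added simulation that is not Splunk code and does not reflect how Enterprise Security stores throttle state internally. The sample detection results, field names (src, user, failures) and window sizes are constructed for illustration; the second test case shows the caveat that a group-by field absent from every result collapses all results into one null key.

```python
from datetime import datetime

# Constructed sample results from a hypothetical failed-login detection search
# (not from the page): each row is one search result with the fields it returns.
SAMPLE_RESULTS = [
    {"_time": "2024-01-01T10:00:00", "src": "10.0.0.5", "user": "alice", "failures": 12},
    {"_time": "2024-01-01T10:05:00", "src": "10.0.0.5", "user": "alice", "failures": 15},
    {"_time": "2024-01-01T10:20:00", "src": "10.0.0.9", "user": "bob", "failures": 20},
    {"_time": "2024-01-01T12:00:00", "src": "10.0.0.5", "user": "alice", "failures": 30},
]


def trigger(results, min_results=1, once=False):
    """Secondary trigger condition applied to the detection search results.
    Nothing fires unless the result count reaches min_results; with once=True
    only a single action is produced for the batch, otherwise one per result."""
    if len(results) < min_results:
        return []
    return [results[0]] if once else list(results)


def throttle(results, window_seconds, group_by):
    """Drop any result whose group-by values match an earlier result seen
    within the window. A field missing from every result gives the same
    null key (None) for all rows, so everything after the first is throttled."""
    last_seen = {}
    allowed = []
    for row in sorted(results, key=lambda r: r["_time"]):
        key = tuple(row.get(field) for field in group_by)  # missing field -> None
        when = datetime.fromisoformat(row["_time"])
        previous = last_seen.get(key)
        if previous is not None and (when - previous).total_seconds() < window_seconds:
            continue  # inside the window for this group: throttled
        last_seen[key] = when  # window restarts at the next matching event
        allowed.append(row)
    return allowed


def run_detection(results, window_seconds, group_by, min_results=1, once=False):
    """Trigger conditions are evaluated first; throttling then decides which
    of the matching results still produce an adaptive response action."""
    return throttle(trigger(results, min_results, once), window_seconds, group_by)
```

With a one-hour window grouped by src and user, the two alice results five minutes apart collapse to one action while bob's result and alice's later result still fire; grouping by a field that does not exist suppresses every result after the first for the whole window.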
Gather information or take other actions based on detection search results or the details of an intermediate finding
For more information on adaptive response actions, see Configure adaptive response actions for detections in Splunk Enterprise Security.
See also
For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation:
- Use detections to search for behavioral patterns in Splunk Enterprise Security
- Create finding-based detections in Splunk Enterprise Security
- Use detection versioning in Splunk Enterprise Security
- Create suppression rules for findings in Splunk Enterprise Security
- Configure automation rules to run playbooks based on detections
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1