Splunk® Enterprise Security

Administer Splunk Enterprise Security

Configure findings manually to track specific fields in Splunk Enterprise Security

Configure findings manually to track specific fields in Splunk Enterprise Security and address custom security threats.

For example, you might configure findings manually is when an employee calls the help desk to report a lost or stolen employee laptop and files a help desk ticket. For such an instance, you must create a finding manually in Splunk Enterprise Security to track the security threat since the laptop still has access to the company servers and data. So, the laptop might contain company confidential information.

Another example is if someone finds a USB drive in the parking lot of a company and files a security incident to investigate whether the USB drive contains company confidential information, you must create a finding manually to track the security threat in Splunk Enterprise Security.

Manually created findings are free-form findings that include a description and fields that you might want to specifically track in Splunk Enterprise Security. Manually created findings must include an entity and all other required information that you find in a typical finding.

You can manually create a finding from an indexed event or create a new one.

Only administrators with the edit_reviewstatuses capability can manually create findings. However, you can grant other users this capability.

Add a new finding in Splunk Enterprise Security

Follow these steps to add a new finding in the Analyst queue of Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Analyst queue on the Mission Control page, which lists all existing findings, finding groups, and investigations.
  2. Select the + button and select Add new finding to open the Add finding dialog box.
  3. In the Add finding dialog box, enter the name of the finding.
  4. In the Description field, enter a description for the finding.
  5. In the Security domain field, select the security domain such as Access, Identity, Endpoint, or Network from the drop-down menu.
  6. In the Entity field, enter the entity name, which is the user or machine that is the subject of the suspicious, anomalous, or malicious activity.
  7. In the Entity type field, enter the entity type from the drop-down menu such as system, user, hash_values, network_artifacts, host_artifacts, tools, other.
  8. In the Risk score field, enter the risk score that you want to associate with the entity.
  9. In the Finding attributes section, enter the values for the following fields from the drop-down menu options:
    • Owner
    • Status:
    • Urgency
    • Sensitivity
    • Disposition
  10. In the Fields section, add the field name and its value that you want to track in the finding.
    You have the option to track multiple fields by selecting the +Field tab to add new fields and values.

    You cannot add additional fields after you create the finding.

  11. Select Save.

Modify the detection SPL to include the additional field in a finding

Prerequisite

Ensure that the detection search results include the field and that the Mission Control page can display the field prior to adding a field to a finding.

Determine if the field you want to see is included in the detection results by running the detection on the Search page to review the output or the search syntax.

  • If the field exists in the search results, add the field to the finding.
  • If the field does not exist in the search results, modify the detection search processing language (SPL) to include the field.

Steps

Follow these steps to modify the detection SPL to include the additional field in a finding:

  1. Modify the detection SPL search to extract the fields if you created the search manually.

    Make sure that you do not modify the correlation criteria when you modify the search.

  2. If the search does not include statistical transformations, add | fields + newfieldname to the end of the search, where newfieldname is the name of the new field you want to see in the additional details.
  3. If the search includes statistical transformations, extract the fields when you perform the statistical transformation.
  4. Verify the changes to the detections on the Search page before saving them.
  5. Add the field to the list of additional fields.

SPL search to verify the additional fields

Use the following search to get a list of all of the active additional fields:

| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review | fields event_attributes | eval d=split(event_attributes, "},") | rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)" | rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)" | eval mv=mvzip(field,label) | fields mv | mvexpand mv | eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1) | table field, label

A truncated example response follows:

Field Label
action Action
app Application
bytes_in Bytes In
bytes_out Bytes Out
category Category
change_type Change Type
channel Channel
command Command
cpu_load_percent CPU Load (%)
creator Creator
creator_realname Creator Realname
cve CVE
decoration Decoration
desc Description
dest Destination
dest_threatlist_category Destination Threat List Category
dest_threatlist_description Destination Threat List Description
dest_threatlist_name Destination Threat List Name
dest_bunit Destination Business Unit
dest_category Destination Category


See also

For more information on entities, risk scoring, and finding attributes, see the product documentation:

Last modified on 22 August, 2024
Monitor your security operations center with findings in Splunk Enterprise Security   Configure the urgency for findings in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters