Create finding-based detections in Splunk Enterprise Security
Create and customize finding-based detections to generate findings and finding groups in Splunk Enterprise Security for your specific security use case. Finding-based detections operate on findings, as opposed to raw events.
Risk-based alerting in Splunk Enterprise Security uses finding-based detections instead of typical correlation searches to generate risk-based findings so that alerting corresponds to the magnitude of the risk associated with the entity.
An event-based detection scans one or more data sources for a defined pattern and runs an adaptive response action when the pattern matches. A finding-based detection instead reviews the events already in the risk index and aggregates the events that affect a single entity to generate risk-based findings.

Finding-based detections review the risk index for anomalous events and threat activity. When a finding-based detection finds an entity that is associated with several risk events, it creates risk-based findings in Splunk Enterprise Security. When the risk scores associated with those findings surpass a specified threshold over a period of time, analysts can focus their efforts on the connected behaviors behind the finding rather than on the individual events. The aggregated risk score of an asset or identity is the sum of the risk scores of all risk events in the risk index that apply to that asset or identity over the period of time.
In addition to a base detection search, finding-based detections can also carry MITRE ATT&CK enrichment data such as:
- Tactic_Name
- Tactic Number
- Technique
- Technique Reference
For example:
- Tactic_Name: credential_access
- Tactic Number: TA0006
- Technique: Account Manipulation (T1098)
- Technique Reference: https://attack.mitre.org/techniques/T1098/
You can use the default finding-based detections available in Splunk Enterprise Security Content Updates (ESCU) or Splunk Security Essentials (SSE). For more information on the detections available through the ESCU app, see Available detections.
Following are some examples of finding-based detections that are enabled by default:
- Risk - 7 Day ATT&CK Tactic Threshold Exceeded - Rule: A default finding-based detection that generates findings when 3 or more different MITRE ATT&CK tactics are seen for an entity and more than 4 distinct detections contributed to its risk score over the previous 7 days.
- Risk - 24 Hour Risk Threshold Exceeded - Rule: A default finding-based detection that generates findings when the aggregated risk score of an entity exceeds a threshold within a 24-hour period.
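The aggregation that both default rules perform, modelled in plain Python as an added example. This is not Splunk's own implementation: the risk events, the detection names, the event field names, and the 24-hour threshold value of 100 are all assumptions constructed for the example. It sums the risk scores for each entity inside the rule's window, counts the distinct tactics and the distinct contributing detections, and emits a finding when the rule's condition holds, so you can see why one entity trips the 24-hour rule, another trips only the 7-day rule, and events outside the window never count.

```python
from datetime import datetime, timedelta, timezone


def ts(*args):
    """UTC timestamp helper for the constructed sample events."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed risk-index events (an assumption for this example: real risk
# events carry more fields, and the detection names below are made up).
RISK_EVENTS = [
    # Old jdoe event, outside both the 24-hour and the 7-day windows.
    {"_time": ts(2024, 4, 20, 9, 0), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 90, "source": "Threat - Excessive Failed Logins - Rule", "tactic": "credential_access"},
    # jdoe: five detections across five tactics in the last few hours.
    {"_time": ts(2024, 5, 2, 9, 0), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "source": "Threat - Excessive Failed Logins - Rule", "tactic": "credential_access"},
    {"_time": ts(2024, 5, 2, 9, 30), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 25, "source": "Threat - Account Manipulation - Rule", "tactic": "persistence"},
    {"_time": ts(2024, 5, 2, 10, 0), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "Threat - New Local Admin Account - Rule", "tactic": "privilege_escalation"},
    {"_time": ts(2024, 5, 2, 10, 30), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "Threat - Suspicious PowerShell - Rule", "tactic": "execution"},
    {"_time": ts(2024, 5, 2, 11, 0), "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 15, "source": "Threat - Rare Process Network Connection - Rule", "tactic": "command_and_control"},
    # asmith: a single noisy detection, not enough on its own.
    {"_time": ts(2024, 5, 2, 11, 30), "risk_object": "asmith", "risk_object_type": "user",
     "risk_score": 60, "source": "Threat - Excessive Failed Logins - Rule", "tactic": "credential_access"},
    # web01: low-scoring events spread over several days, nothing in the last 24 hours.
    {"_time": ts(2024, 4, 28, 10, 0), "risk_object": "web01", "risk_object_type": "system",
     "risk_score": 20, "source": "Threat - Network Share Discovery - Rule", "tactic": "discovery"},
    {"_time": ts(2024, 4, 29, 10, 0), "risk_object": "web01", "risk_object_type": "system",
     "risk_score": 20, "source": "Threat - Remote Desktop Lateral Movement - Rule", "tactic": "lateral_movement"},
    {"_time": ts(2024, 4, 30, 10, 0), "risk_object": "web01", "risk_object_type": "system",
     "risk_score": 20, "source": "Threat - Archive Creation - Rule", "tactic": "collection"},
    {"_time": ts(2024, 5, 1, 10, 0), "risk_object": "web01", "risk_object_type": "system",
     "risk_score": 20, "source": "Threat - Large Outbound Transfer - Rule", "tactic": "exfiltration"},
    {"_time": ts(2024, 5, 1, 11, 0), "risk_object": "web01", "risk_object_type": "system",
     "risk_score": 10, "source": "Threat - DNS Tunneling - Rule", "tactic": "exfiltration"},
]

NOW = ts(2024, 5, 2, 12, 0)  # the detection's "latest" time for this run


def aggregate_entity(events, risk_object, risk_object_type, window_end=NOW, window=timedelta(hours=24)):
    """Sum the risk for one entity over [window_end - window, window_end] and
    collect the distinct tactics and contributing detections seen there."""
    start = window_end - window
    agg = {"risk_score": 0, "risk_event_count": 0, "tactics": set(), "sources": set()}
    for ev in events:
        if (ev["risk_object"], ev["risk_object_type"]) != (risk_object, risk_object_type):
            continue
        if not start <= ev["_time"] <= window_end:
            continue  # outside the window: does not contribute, however high its score
        agg["risk_score"] += ev["risk_score"]
        agg["risk_event_count"] += 1
        agg["tactics"].add(ev["tactic"])
        agg["sources"].add(ev["source"])
    return agg


def entities(events):
    """Every (type, name) pair present in the risk events, in a stable order."""
    return sorted({(ev["risk_object_type"], ev["risk_object"]) for ev in events})


def risk_threshold_exceeded(events, now=NOW, threshold=100, window=timedelta(hours=24)):
    """Model of 'Risk - 24 Hour Risk Threshold Exceeded - Rule'. The threshold
    value is an assumption; tune it per deployment."""
    findings = []
    for otype, obj in entities(events):
        agg = aggregate_entity(events, obj, otype, now, window)
        if agg["risk_score"] > threshold:
            findings.append({"risk_object": obj, "risk_object_type": otype,
                             "risk_score": agg["risk_score"], "risk_event_count": agg["risk_event_count"]})
    return findings


def tactic_threshold_exceeded(events, now=NOW, min_tactics=3, min_sources=5, window=timedelta(days=7)):
    """Model of 'Risk - 7 Day ATT&CK Tactic Threshold Exceeded - Rule': at least
    three distinct tactics and more than four distinct detections in seven days."""
    findings = []
    for otype, obj in entities(events):
        agg = aggregate_entity(events, obj, otype, now, window)
        if len(agg["tactics"]) >= min_tactics and len(agg["sources"]) >= min_sources:
            findings.append({"risk_object": obj, "risk_object_type": otype,
                             "tactic_count": len(agg["tactics"]), "source_count": len(agg["sources"])})
    return findings


if __name__ == "__main__":
    for finding in risk_threshold_exceeded(RISK_EVENTS):
        print("24h risk threshold:", finding)
    for finding in tactic_threshold_exceeded(RISK_EVENTS):
        print("7d tactic threshold:", finding)
```

With this data, jdoe trips both rules (110 points from five detections across five tactics in the last three hours), web01 trips only the 7-day tactic rule (four tactics, five detections, but nothing inside the last 24 hours), and asmith's single 60-point event trips neither. The tactic rule is what lets the slow, low-scoring web01 sequence surface at all, which is the point of pairing a diversity condition with the plain score sum.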
Following are some examples of finding-based detections that are disabled by default:
- Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule: A finding-based detection that generates finding groups when the number of MITRE ATT&CK tactics seen for an entity exceeds a threshold over the previous 7 days.
- Threat - Findings Risk Threshold Exceeded for Entity Over 24 Hour Period - Rule: A finding-based detection that generates finding groups when the aggregated risk score of an entity exceeds a threshold within a 24-hour period.
- Anomalous Risk Score Within an Identity Category: A finding-based detection that generates finding groups when a user displays risk scores of more than two standard deviations over their peers.
- Anomalous Risk Score Within an Asset Category: A finding-based detection that generates finding groups when a system displays risk scores of more than two standard deviations over peer systems.
- Anomalous Score Trend for a Role: A finding-based detection that generates finding groups when there is a significant percentage increase in risk score for a specific user role.
- Anomalous Score Trend for an Asset Category: A finding-based detection that generates finding groups when there is a significant percentage increase in risk score for a specific asset category.
- Anomalous Score Trend for Threat Object Type: A finding-based detection that generates finding groups when there is a significant percentage increase in risk score for a specific type of threat object.
- Threat Object Observed Across a Number of Risk Objects: A finding-based detection that generates finding groups when a detection observes a threat object for the first time across a small number of entities.
- Status Impact Accuracy KPIs: A finding-based detection that generates finding groups when the status, impact, and accuracy key performance indicators (KPIs) of an organization are affected.
- Mean time to resolution (MTTR): A finding-based detection that generates finding groups when the mean time to resolution exceeds a threshold.
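The peer comparison behind the two "Anomalous Risk Score Within a Category" detections, written out in Python as an added example (not Splunk's code; the users, categories and scores are constructed for the example). Each user's aggregated risk score is compared with the mean and population standard deviation of the other users in the same identity category, and a user is flagged when the score sits more than two standard deviations above the category mean. The example also handles the two cases a practitioner hits in production: a category whose members all carry the same score (no spread to measure), and a category too small for a two-sigma outlier to be mathematically possible.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed input: the aggregated risk score of each user over the
# detection's window, with the identity category each user belongs to.
# Users, categories and scores are assumptions for this example.
USER_RISK = [
    {"user": "jdoe", "category": "finance", "risk_score": 150},
    {"user": "asmith", "category": "finance", "risk_score": 20},
    {"user": "bchen", "category": "finance", "risk_score": 25},
    {"user": "dlee", "category": "finance", "risk_score": 15},
    {"user": "ekim", "category": "finance", "risk_score": 30},
    {"user": "fgarcia", "category": "finance", "risk_score": 20},
    {"user": "gpatel", "category": "finance", "risk_score": 10},
    {"user": "hnguyen", "category": "finance", "risk_score": 25},
    # Engineering: uniformly elevated scores, so no single user stands out.
    {"user": "ibrown", "category": "engineering", "risk_score": 40},
    {"user": "jwilson", "category": "engineering", "risk_score": 45},
    {"user": "kmoore", "category": "engineering", "risk_score": 50},
    {"user": "ltaylor", "category": "engineering", "risk_score": 52},
    {"user": "mclark", "category": "engineering", "risk_score": 42},
    {"user": "nhall", "category": "engineering", "risk_score": 48},
    # Contractors: too few peers to compare against, and identical scores.
    {"user": "oyoung", "category": "contractor", "risk_score": 30},
    {"user": "pking", "category": "contractor", "risk_score": 30},
    {"user": "qscott", "category": "contractor", "risk_score": 30},
]


def anomalous_within_category(rows, entity="user", key="category", sigma=2.0, min_group=6):
    """Return the rows whose risk_score lies more than `sigma` population
    standard deviations above the mean of their own category.

    Groups smaller than `min_group` are skipped on purpose: with a population
    standard deviation the largest z-score any member of an n-row group can
    reach is sqrt(n - 1), so a group of five or fewer can never cross the
    two-sigma line and would only waste search time.
    """
    groups = defaultdict(list)
    for row in rows:
        groups[row[key]].append(row)

    flagged = []
    for name, members in groups.items():
        if len(members) < min_group:
            continue
        scores = [m["risk_score"] for m in members]
        mu, sd = mean(scores), pstdev(scores)
        if sd == 0:
            continue  # identical peers: no spread to measure against
        for m in members:
            z = (m["risk_score"] - mu) / sd
            if z > sigma:
                flagged.append({entity: m[entity], key: name, "risk_score": m["risk_score"],
                                "peer_mean": round(mu, 2), "peer_stdev": round(sd, 2), "z": round(z, 2)})
    # Highest deviation first, so the most anomalous user heads the finding group.
    return sorted(flagged, key=lambda f: -f["z"])


if __name__ == "__main__":
    for finding in anomalous_within_category(USER_RISK):
        print(finding)
```

Only jdoe is flagged: the finance mean is about 37 with a standard deviation of about 43, so 150 is roughly 2.6 sigma out. Engineering is elevated as a group, which is exactly what a per-category baseline is meant to tolerate. Note that the outlier itself inflates the category's standard deviation; a single very noisy user in a small team can hide behind the spread it creates, which is another reason to keep categories reasonably large. If you express the same logic in SPL, remember that stdev() is the sample standard deviation and stdevp() the population one, so the exact cut-off shifts slightly between the two.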
Using finding-based detections you can create high-confidence groups of findings around a given entity, behavior, or activity, which indicates that a security incident is occurring or has occurred. For example, Splunk Enterprise Security includes a finding-based detection that relies on the MITRE ATT&CK framework, all available intermediate findings, and findings for a given entity, to create a finding or finding group when a threshold of multiple MITRE tactics or techniques is met.
Sometimes multiple findings can be part of one security incident with the same root cause. Grouping findings can help reduce the time you spend updating each investigation and also helps you resolve them faster without alert fatigue. You can group up to 100 related findings together into a finding group to investigate and compare their data and update some of their fields simultaneously.
Findings in a finding group include a unique identifier or GUID that is generated during the creation of the finding or intermediate finding. The GUID gets added to the notable index and risk index.
A lookup called detection_time_range_lookup exists in Splunk Enterprise Security to store the search information for finding-based detections: key, detection_name, earliest, latest, and max_append_time. The detection_time_range_lookup lookup is updated with the earliest and latest time each time the underlying search of the detection runs.
Create a finding-based detection
Prerequisite
- Identify the security use case for your finding-based detection
Follow these steps to create a finding-based detection:
- In Splunk Enterprise Security, go to Configure.
- Select Content, and then select Content management.
- Select Create new content and then select Detection to specify the type of detection that you want to create.
- Select Finding-based detection to create a detection based on a high-confidence groups of findings around a given entity, behavior, or activity, which indicates a security incident.
- Select Submit to open the detection editor.
- In the New finding-based detection editor, go to the Finding input type panel and select a group type to combine the findings from the detection search results into high-confidence finding groups.
- In Select a group type, select the criteria for grouping your findings. Following are the options that you can use to group your findings into finding groups:
  - Entity: Creates a finding group when the number of findings for an entity, system, or user exceeds a threshold.
  - Threat object: Creates a finding group when the number of findings that contain the same threat object for an entity exceeds a threshold.
  - Cumulative entity risk: Creates a finding group when the findings for an entity exceed a risk score threshold.
  - Kill Chain: Creates a finding group when the findings for the phases in the Kill Chain exceed a threshold.
  - MITRE ATT&CK: Creates a finding group when the number of MITRE ATT&CK tactics or techniques in the findings exceeds a threshold.
  - Similar findings: Creates a finding group when the count of similar findings or intermediate findings exceeds a threshold.
  - Custom: Creates a finding group when the conditions of a custom search are met.
- Select whether the finding-based detection searches intermediate findings or findings to create finding groups.
- Enter the information to define the finding-based detection:
  - Detection name: The name of the detection. Detection names cannot be longer than 83 characters. If you include the string prefix, such as "Threat - ", and the string suffix "- Rule" in the detection name, the maximum is 99 characters. Splunk Enterprise Security supports only detections ending with the suffix "- Rule". Example: Excessive Failed Logins - Tutorial
  - App: The app where you want to store the detection; choose one that aligns with the type of detection you plan to build. If you have a custom app for your deployment, you can store the detection there. If you deactivate or remove the app where the search is stored, the detection is deactivated. The app context does not affect how the detection runs or the data it runs on. Example: SA-AccessProtection
  - UI dispatch context: The drop-down list to select the app used by the links in an email and other adaptive response actions. The app must be visible for the links to work. Example: None
  - Description: What the detection looks for and the security use case it addresses. Example: Detects an excessive number of failed login attempts (likely a brute force attack)
- Select Save.
See also
For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation:
- Use detections to search for behavioral patterns in Splunk Enterprise Security
- Finding-based detections available in Splunk Enterprise Security
- Specify display of finding groups in Splunk Enterprise Security
- Create finding groups in Splunk Enterprise Security
- Assign risk using risk scores in Splunk Enterprise Security
- Configure automation rules to run playbooks based on detections
- Specify the time to run detections in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0