Finding-based detections in Splunk Enterprise Security are currently released as a preview feature. Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms. To provide feedback, visit the Voice of the Customer portal for finding-based detections and select Send Feedback.

Monitor your security operations center with findings in Splunk Enterprise Security

Use findings and intermediate findings to monitor your security operations center (SOC) efficiently. In Splunk Enterprise Security version 8.0 and higher, the term intermediate finding replaces risk events and the term finding replaces notable events. In fact, findings combine the features of notable events and risk events into a single object that contains all the relevant information about what was observed and which entity was impacted. All metadata about the detection including tactics, techniques, confidence, impact, risk score, and threat objects are included in the finding.

As an analyst, you can use the analyst queue on the Mission Control page to review and triage findings, intermediate findings, and finding groups to gain insight into the severity of events occurring in your system or network. You can also use the Mission Control page to triage new findings, assign findings to analysts for review, and examine finding details for investigative leads.

As an administrator, you can manage and customize the display of findings, intermediate findings, and finding groups on the Mission Control page.

As an analyst, you can view and triage findings in the analyst queue on the '''Mission Control''' page. However, you can't triage intermediate findings because they are not displayed in the analyst queue on the '''Mission Control''' page. You can view intermediate findings nested within a finding group that is produced by a finding-based detection.

The same detection can't produce both findings and intermediate findings. While configuring the detection, you can select whether you want to create findings or intermediate findings.

Findings

Findings represent one or more anomalous incidents or alerts created by event-based detections or finding-based detections.

A finding can represent events such as:

• The repeated occurrence of an abnormal spike in network usage over a period of time.
• A single occurrence of unauthorized access to a system.
• A host communicating with a server on a known threat list.

Findings contain all the relevant information about what was observed and which entity was impacted such as a timestamp, key-value pairs, entity information, summary information about the behavior observed, metadata such as a MITRE tactic or technique, confidence, impact, threat objects, a calculated risk score based on the confidence and impact of the entity, and so on. You can see findings on the Analyst queue as a group of alerts or as a standalone alert.

Following is an example of a finding:

1704664597, search_name="ESCU - BITS Job Persistence - Rule", count="2", dest="win-host-mhaag-attack-range-791", firstTime="2024-01-07T20:00:07", info_max_time="1704660600.000000000", info_min_time="1704657000.000000000", info_search_time="1704664595.374606000", lastTime="2024-01-07T20:00:07", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x3a8", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\bitsadmin.exe /setnotifycmdline AtomicBITS C:\\Windows\\system32\\notepad.exe NULL", process_id="0xcb8", process_name="bitsadmin.exe", user="Administrator"

You can perform the following actions on findings, which are displayed in the Analyst queue:

• Assign the finding to an analyst.
• Assign the finding to an analyst group.
• Modify the status of a finding such as In Progress, Resolved, Closed, and so on.
• Modify the urgency of a finding such as High, Medium, Critical, and so on.
• Modify the disposition of a finding such as True Positive, Benign Positive, False Positive, and so on.
• Add notes to a finding.

Intermediate finding

Intermediate findings are records or observations created by event-based detections that indicate anomalies but might not be standalone security incidents. Intermediate findings in conjunction with other findings, might be used as input by advanced finding-based detections to discover potential security incidents with high fidelity and confidence. Intermediate findings might appear identical to findings in style and format based on the data stored in the index. An intermediate finding might also contain a timestamp, field key-value pairs, an entity, risk score, threat objects, and other metadata.

See also

For more information on triaging findings in the Analyst queue, see the product documentation:

• Overview of Mission Control in Splunk Enterprise Security
• Triage findings and investigations in Splunk Enterprise Security
• Manage analyst workflows using the analyst queue in Splunk Enterprise Security
• Sort and filter findings and investigations for triage in Splunk Enterprise Security