Configure findings manually to track specific fields in Splunk Enterprise Security
Configure findings manually to track specific fields in Splunk Enterprise Security and address custom security threats.
For example, you might configure findings manually when an employee calls the help desk to report a lost or stolen employee laptop and files a help desk ticket. For such an instance, you must create a finding manually in Splunk Enterprise Security to track the security threat since the laptop still has access to the company servers and data. So, the laptop might contain company confidential information.
Another example is if someone finds a USB drive in the parking lot of a company and files a security incident to investigate whether the USB drive contains company confidential information, you must create a finding manually to track the security threat in Splunk Enterprise Security.
Manually created findings are free-form findings that include a description and fields that you might want to specifically track in Splunk Enterprise Security. Manually created findings must include an entity and all other required information that you find in a typical finding.
You can manually create a finding from an indexed event or create a new one.
Only administrators with the edit_reviewstatuses capability
can manually create findings. However, you can grant other users this capability.
Add a new finding in Splunk Enterprise Security
Follow these steps to add a new finding in the Analyst queue of Splunk Enterprise Security:
- In Splunk Enterprise Security, go to the Analyst queue on the Mission Control page, which lists all existing findings, finding groups, and investigations.
- Select the + button and select Add new finding to open the Add finding dialog box.
- In the Add finding dialog box, enter the name of the finding.
- In the Description field, enter a description for the finding.
- In the Security domain field, select the security domain such as Access, Identity, Endpoint, or Network from the drop-down menu.
- In the Entity field, enter the entity name, which is the user or machine that is the subject of the suspicious, anomalous, or malicious activity.
- In the Entity type field, enter the entity type from the drop-down menu such as
system
,user
,hash_values
,network_artifacts
,host_artifacts
,tools
,other
. - In the Risk score field, enter the risk score that you want to associate with the entity.
- In the Finding attributes section, enter the values for the following fields from the drop-down menu options:
- Owner
- Status:
- Urgency
- Sensitivity
- Disposition
- In the Fields section, add the field name and its value that you want to track in the finding.
You have the option to track multiple fields by selecting the +Field tab to add new fields and values.You cannot add additional fields after you create the finding.
- Select Save.
Modify the detection SPL to include the additional field in a finding
Prerequisite
Ensure that the detection search results include the field and that the Mission Control page can display the field prior to adding a field to a finding.
Determine if the field you want to see is included in the detection results by running the detection on the Search page to review the output or the search syntax.
- If the field exists in the search results, add the field to the finding.
- If the field does not exist in the search results, modify the detection search processing language (SPL) to include the field.
Steps
Follow these steps to modify the detection SPL to include the additional field in a finding:
- Modify the detection SPL search to extract the fields if you created the search manually.
Make sure that you do not modify the correlation criteria when you modify the search.
- If the search does not include statistical transformations, add
| fields + newfieldname
to the end of the search, wherenewfieldname
is the name of the new field you want to see in the additional details. - If the search includes statistical transformations, extract the fields when you perform the statistical transformation.
- Verify the changes to the detections on the Search page before saving them.
- Add the field to the list of additional fields.
SPL search to verify the additional fields
Use the following search to get a list of all of the active additional fields:
| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review
| fields event_attributes
| eval d=split(event_attributes, "},")
| rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)"
| rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)"
| eval mv=mvzip(field,label)
| fields mv
| mvexpand mv
| eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1)
| table field, label
A truncated example response follows:
Field | Label |
---|---|
action | Action |
app | Application |
bytes_in | Bytes In |
bytes_out | Bytes Out |
category | Category |
change_type | Change Type |
channel | Channel |
command | Command |
cpu_load_percent | CPU Load (%) |
creator | Creator |
creator_realname | Creator Realname |
cve | CVE |
decoration | Decoration |
desc | Description |
dest | Destination |
dest_threatlist_category | Destination Threat List Category |
dest_threatlist_description | Destination Threat List Description |
dest_threatlist_name | Destination Threat List Name |
dest_bunit | Destination Business Unit |
dest_category | Destination Category |
See also
For more information on entities, risk scoring, and finding attributes, see the product documentation:
Monitor your security operations center with findings in Splunk Enterprise Security | Configure the urgency for findings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!