Splunk® Enterprise Security

Administer Splunk Enterprise Security

Monitor your security operations center with findings in Splunk Enterprise Security

Use findings and intermediate findings to monitor your security operations center (SOC) efficiently. In Splunk Enterprise Security version 8.0 and higher, the term intermediate finding replaces risk events and the term finding replaces notable events. In fact, findings combine the features of notable events and risk events into a single object that contains all the relevant information about what was observed and which entity was impacted. All metadata about the detection including tactics, techniques, confidence, impact, risk score, and threat objects are included in the finding.

As an analyst, you can use the analyst queue on the Mission Control page to review and triage findings, intermediate findings, and finding groups to gain insight into the severity of events occurring in your system or network. You can also use the Mission Control page to triage new findings, assign findings to analysts for review, and examine finding details for investigative leads.

As an administrator, you can manage and customize the display of findings, intermediate findings, and finding groups on the Mission Control page.

As an analyst, you can view and triage findings in the analyst queue on the Mission Control page. However, you can't triage intermediate findings because they are not displayed in the analyst queue on the Mission Control page. You can view intermediate findings nested within a finding group that is produced by a finding-based detection.

The same detection can't produce both findings and intermediate findings. While configuring the detection, you can select whether you want to create findings or intermediate findings.

Findings

Findings represent one or more anomalous incidents or alerts created by event-based detections or finding-based detections.

A finding can represent events such as:

  • The repeated occurrence of an abnormal spike in network usage over a period of time.
  • A single occurrence of unauthorized access to a system.
  • A host communicating with a server on a known threat list.

Findings contain all the relevant information about what was observed and which entity was impacted such as a timestamp, key-value pairs, entity information, summary information about the behavior observed, metadata such as a MITRE tactic or technique, confidence, impact, threat objects, a calculated risk score based on the confidence and impact of the entity, and so on. You can see findings on the Analyst queue as a group of alerts or as a standalone alert.

Following is an example of a finding:

1704664597, search_name="ESCU - BITS Job Persistence - Rule", count="2", dest="win-host-mhaag-attack-range-791", firstTime="2024-01-07T20:00:07", info_max_time="1704660600.000000000", info_min_time="1704657000.000000000", info_search_time="1704664595.374606000", lastTime="2024-01-07T20:00:07", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x3a8", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\bitsadmin.exe /setnotifycmdline AtomicBITS C:\\Windows\\system32\\notepad.exe NULL", process_id="0xcb8", process_name="bitsadmin.exe", user="Administrator"
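To show how the key-value record above breaks down into the pieces an analyst triages (which detection fired, when, which entity was impacted, what was observed), here is an added Python example that is not part of the Splunk documentation. It assumes the record keeps the comma-separated key="value" layout shown above and that a doubled backslash inside a quoted value stands for one literal backslash.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the finding record shown on this page, as a raw string
# so the doubled backslashes survive exactly as the page prints them.
SAMPLE_FINDING = (
    r'1704664597, search_name="ESCU - BITS Job Persistence - Rule", count="2", '
    r'dest="win-host-mhaag-attack-range-791", firstTime="2024-01-07T20:00:07", '
    r'info_max_time="1704660600.000000000", info_min_time="1704657000.000000000", '
    r'info_search_time="1704664595.374606000", lastTime="2024-01-07T20:00:07", '
    r'original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", '
    r'parent_process_id="0x3a8", parent_process_name="cmd.exe", '
    r'process="C:\\Windows\\System32\\bitsadmin.exe /setnotifycmdline AtomicBITS '
    r'C:\\Windows\\system32\\notepad.exe NULL", process_id="0xcb8", '
    r'process_name="bitsadmin.exe", user="Administrator"'
)

# key="value" pairs; a value may contain \" or \\ escapes (assumption).
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_finding(raw: str) -> dict:
    """Turn one finding record into a dict. The leading epoch timestamp
    goes under '_time'; backslash escapes inside quoted values are undone."""
    head, sep, rest = raw.partition(",")
    if not sep or not head.strip().isdigit():
        raise ValueError("finding record must start with an epoch timestamp")
    fields = {"_time": int(head.strip())}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = re.sub(r"\\(.)", r"\1", value)
    return fields


def summarize(fields: dict) -> dict:
    """Pull out what an analyst reads first in the queue: which detection
    fired, when, which entities were impacted, and what was observed."""
    return {
        "detection": fields.get("search_name"),
        "time": datetime.fromtimestamp(fields["_time"], tz=timezone.utc).isoformat(),
        "entities": {k: fields[k] for k in ("dest", "user") if k in fields},
        "observed": fields.get("process") or fields.get("process_name"),
        "count": int(fields.get("count", "1")),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_finding(SAMPLE_FINDING)).items():
        print(f"{k}: {v}")
```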

You can perform the following actions on findings, which are displayed in the Analyst queue:

  • Assign the finding to an analyst.
  • Assign the finding to an analyst group.
  • Modify the status of a finding such as In Progress, Resolved, Closed, and so on.
  • Modify the urgency of a finding such as High, Medium, Critical, and so on.
  • Modify the disposition of a finding such as True Positive, Benign Positive, False Positive, and so on.
  • Add notes to a finding.


Intermediate finding

Intermediate findings are records or observations created by event-based detections that indicate anomalies but might not be standalone security incidents. Intermediate findings, in conjunction with other findings, might be used as input by advanced finding-based detections to discover potential security incidents with high fidelity and confidence. Intermediate findings might appear identical to findings in style and format, based on the data stored in the index. An intermediate finding might also contain a timestamp, field key-value pairs, an entity, a risk score, threat objects, and other metadata.

See also

For more information on triaging findings in the Analyst queue, see the product documentation:

Last modified on 25 November, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

