Add ESCU annotations to detections and analytics stories in Splunk Enterprise Security
Add and edit annotations from Enterprise Security Content Update (ESCU) to detections and analytic stories in the use case library of Splunk Enterprise Security to enrich your security content.
Add annotations to a detection
Add annotations such as Analytic Story, Confidence, Context, and Impact from Splunk ESCU to your detections for enriching your security content.
Managed annotations are annotations that Splunk ES and ESCU ship by default. Unmanaged annotations are custom annotations that you can add for your specific use case. Annotations are often based on a recognized industry framework such MITRE ATT&CK or KILL CHAIN.
Follow these steps to add annotations to a detection:
- From the Content management page, locate the detection you want to edit.
- Select the name of a detection on the Content management page to edit it.
- Scroll to the section on Annotations and add values for managed annotation such as Confidence, Impact, Analytic Story, and Context.
Following annotation types are supported by the detection editor:
ESCU annotation type | Description | Example value | Managed/Unmanaged |
---|---|---|---|
Confidence | Numerical value to score confidence level | 50 | Managed |
Impact | Numerical value to score impact | 40 | Managed |
Analytic story | Identifies the analytic story to which the detection is linked in the use case library | Ransomware AWS IAM Privilege Escalation |
Unmanaged |
Context | Context for the detection. | Source Cloud Data Scope External |
Unmanaged |
View annotations in analytic stories from the use case library
View annotations that you added to the searches in the Analytic Story details page of the use case library.
- From the Splunk ES menu bar, select Security content then Security use case library.
- From the use cases filters on the left, select Cloud Security.
- From an Analytic Story, such as AWS Cross Account Activity, select the greater than ( >) symbol to expand the display.
- Scroll to Framework Mapping to view the annotation types supported by the Use Case Library.
- Select the name of the Analytic Story. For example, select AWS Cross Account Activity.
The Analytic Story Details page opens for the story. - Scroll to Cyber Security Framework Attributes to see the various ESCU annotation types associated with the analytic story.
Manage Analytic Stories through the use case library in Splunk Enterprise Security | Customize Splunk Enterprise Security dashboards to fit your use case |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!