Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on versions 7.x and earlier, see Splunk Enterprise Security 7.x documentation.

Finding-based detections available in Splunk Enterprise Security

View the list of finding-based detections available in Splunk Enterprise Security and use them to investigate security threats. You can also use these detections as a model to create your own custom finding-based detections for threat investigation. For example, in the finding-based detection Risk Threshold Exceeded For Object Over 24 Hour Period, you can raise the risk score threshold to 200 instead of 100 over the last 24 hours if that works for your environment.

You can rename a detection and configure a unique label for tracking purposes. However, renaming only applies to customized detections or clones of detections that are available in Splunk Enterprise Security. Alternatively, you can configure a customized name for a detection available in Splunk Enterprise Security. Renaming a detection applies to real-time and scheduled detections, whether they are turned on or off.

Use a REST search to obtain a list of detections that are available in Splunk Enterprise Security and extract the information in a table.

For example, use the following search to create a table with the app, security domain, name, and description of all the detections in your environment.

    | rest splunk_server=local count=0 /services/saved/searches
    | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
    | rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
    | table csearch_name, csearch_label, app, security_domain, description

Use the following search to create a table with only the activated detections and adaptive response actions associated with those detections.

    | rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
    | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
    | where disabled=0
    | eval actions=split(actions, ",")
    | table title,actions

If you want to see the adaptive response actions for all detections, remove | where disabled=0.

Following are some examples of finding-based detections included in Splunk Enterprise Security:

Finding-based detection name: ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days

Description: Creates findings when the number of MITRE tactics exceeds 3 over the last 7 days.

SPL search:

    | tstats `summariesonly`
        sum(All_Risk.calculated_risk_score) as risk_score,
        count(All_Risk.calculated_risk_score) as risk_event_count,
        values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
        dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
        values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
        dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
        values(All_Risk.tag) as tag,
        values(source) as source,
        dc(source) as source_count
        from datamodel=Risk.All_Risk
        where All_Risk.annotations.mitre_attack.mitre_tactic_id=*
        by All_Risk.risk_object,All_Risk.risk_object_type
    | `drop_dm_object_name("All_Risk")`
    | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id'
    | where mitre_tactic_id_count >= 3 and source_count >= 4

Finding-based detection name: Risk Threshold Exceeded For Object Over 24 Hour Period

Description: Searches the risk index and aggregates risk scores by entity and creates findings when the risk score for an object exceeds 100 over the last 24 hours. For example, if an entity has 8 related events, each with a calculated risk score, the search adds all the 8 scores together. This default finding-based detection has a default setting of a 24-hour search window.

SPL search:

    | tstats `summariesonly`
        sum(All_Risk.calculated_risk_score) as risk_score,
        count(All_Risk.calculated_risk_score) as risk_event_count,
        values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
        dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
        values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
        dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
        values(All_Risk.tag) as tag,
        values(source) as source,
        dc(source) as source_count
        from datamodel=Risk.All_Risk
        by All_Risk.risk_object,All_Risk.risk_object_type
    | `drop_dm_object_name("All_Risk")`
    | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100
    | where risk_score > $risk_threshold$
    | `get_risk_severity(risk_score)`
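To check how a threshold change would behave before cloning a detection, the following added example (not Splunk's code) models the aggregation and `where` clauses of the two searches above in Python. The event records, the `ev` helper and the function names are constructed for illustration, and the events are assumed to already fall inside the search window.

```python
from collections import defaultdict

def ev(obj, otype, score, source, tactics=()):
    """Build one constructed risk event with the fields the searches read."""
    return {"risk_object": obj, "risk_object_type": otype,
            "calculated_risk_score": score, "source": source, "tactics": tactics}

# Constructed sample events (not real data), assumed to be inside the window.
RISK_EVENTS = [
    ev("host-a", "system", 40, "Detection 1", ("TA0001",)),
    ev("host-a", "system", 40, "Detection 2", ("TA0002",)),
    ev("host-a", "system", 30, "Detection 2"),
    ev("user-b", "user", 20, "Detection 1", ("TA0001",)),
    ev("user-b", "user", 20, "Detection 3", ("TA0003",)),
    ev("user-b", "user", 20, "Detection 4", ("TA0008",)),
    ev("user-b", "user", 20, "Detection 5", ("TA0008",)),
    ev("user-c", "user", 50, "Detection 1", ("TA0001",)),
    ev("user-c", "user", 30, "Detection 2", ("TA0002",)),
    ev("user-c", "user", 20, "Detection 3", ("TA0003",)),
    ev("user-c", "user", 0, "Detection 6"),  # no tactic annotation
]

def aggregate(events):
    """Mirror the tstats by-clause: one row per (risk_object, risk_object_type)."""
    rows = defaultdict(lambda: {"risk_score": 0, "risk_event_count": 0,
                                "tactics": set(), "sources": set()})
    for e in events:
        row = rows[(e["risk_object"], e["risk_object_type"])]
        row["risk_score"] += e["calculated_risk_score"]      # sum(...)
        row["risk_event_count"] += 1                         # count(...)
        row["tactics"].update(e["tactics"])                  # dc(mitre_tactic_id)
        row["sources"].add(e["source"])                      # dc(source)
    return rows

def risk_threshold_exceeded(events, risk_threshold=100):
    """where risk_score > risk_threshold (strictly greater)."""
    return sorted(k[0] for k, r in aggregate(events).items()
                  if r["risk_score"] > risk_threshold)

def tactic_threshold_exceeded(events, min_tactics=3, min_sources=4):
    """where mitre_tactic_id_count >= 3 and source_count >= 4."""
    annotated = [e for e in events if e["tactics"]]  # mitre_tactic_id=* filter
    return sorted(k[0] for k, r in aggregate(annotated).items()
                  if len(r["tactics"]) >= min_tactics and len(r["sources"]) >= min_sources)

if __name__ == "__main__":
    print(risk_threshold_exceeded(RISK_EVENTS), tactic_threshold_exceeded(RISK_EVENTS))
```

In this sample, user-c sits at a summed score of exactly 100 and has three annotated sources, so it triggers neither detection: the risk comparison is strict, and the unannotated fourth source is filtered out before sources are counted.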

See also

For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation:

Last modified on 28 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

