Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Components of a detection analytic

Detections tailored to specific source types in Splunk are comprised of the following three components:

  • Input macro: Located at the start of each detection, the input macro requires configuration to accurately reference the appropriate Splunk index values that contain the relevant data. This ensures that the detection logic operates on the correct dataset.
  • Detection logic: Core component of the analytic, where the primary detection mechanisms are implemented. It encapsulates the specific conditions and queries that identify potential security incidents based on the data ingested from the defined source type.
  • Filter macros: Play a crucial role in refining the detection outcomes. Filter macros must be meticulously reviewed and updated as needed to minimize false positives, thereby enhancing the accuracy and relevance of the alerts generated.


For example, the detection analytic Access LSASS Memory for Dump Creation (view on Github):

`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` `access_lsass_memory_for_dump_creation_filter`

has the following components:

  • Input Macro -`sysmon` - *Modify this macro (view on Github) to update with the splunk index where this Sysmon data lives.
  • Filter Macro - `access_lsass_memory_for_dump_creation_filter`- For tuning of alerts purposes, you can update this filter macro to filter out legitimate destinations that report this activity. These configurations are present in macros.conf in the ESCU app
  • Detection logic and output formatting
<div>
EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`|  `security_content_ctime(lastTime)`
</div>

This is the core of the detection logic that identifies processes to dump LSASS process memory. Each of these components must be correctly configured and maintained to ensure the effectiveness and reliability of the detection analytic within your environment.

Detections written against datamodel (view on Github) do not have an input macro since the assumption is that the appropriate data is mapped to the Splunk data models and accelerated.

Last modified on 15 October, 2024
Implement security use cases using the Use Case Library in Splunk Enterprise Security   Types of detection analytics

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters