Components of a detection analytic
Detections tailored to specific source types in Splunk consist of the following three components:
- Input macro: Located at the start of each detection, the input macro requires configuration to accurately reference the appropriate Splunk index values that contain the relevant data. This ensures that the detection logic operates on the correct dataset.
- Detection logic: The core component of the analytic, where the primary detection mechanisms are implemented. It encapsulates the specific conditions and queries that identify potential security incidents based on the data ingested from the defined source type.
- Filter macros: Play a crucial role in refining the detection outcomes. Filter macros must be meticulously reviewed and updated as needed to minimize false positives, thereby enhancing the accuracy and relevance of the alerts generated.
For example, the detection analytic Access LSASS Memory for Dump Creation (view on Github):
```spl
`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` `access_lsass_memory_for_dump_creation_filter`
```
has the following components:
- Input Macro - `sysmon` - Modify this macro (view on Github) to update it with the Splunk index where this Sysmon data lives.
- Filter Macro - `access_lsass_memory_for_dump_creation_filter` - To tune alerts, update this filter macro to filter out legitimate destinations that report this activity. These configurations are present in macros.conf in the ESCU app.
- Detection logic and output formatting:
```spl
EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by dest, TargetImage, TargetProcessId, SourceImage, SourceProcessId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
```
This is the core of the detection logic: it identifies processes that access LSASS memory through the dbgcore.dll or dbghelp.dll call path, the pattern associated with dumping LSASS process memory, and summarizes each source-to-target pair with a count and first and last seen times. Each of these components must be correctly configured and maintained to ensure the effectiveness and reliability of the detection analytic within your environment.
Detections written against data models (view on Github) do not have an input macro, since they assume the relevant data is already mapped to the Splunk data models and accelerated.
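To show how the three components fit together, here is an added illustration (not Splunk's or ESCU's own code) that models the Access LSASS Memory for Dump Creation search in Python over constructed Sysmon EventCode 10 events: a stand-in for the `sysmon` input macro, the detection logic with its `stats` aggregation, and a hypothetical tuning of the filter macro that excludes an approved host. The `security_content_ctime` formatting is left out; hostnames, paths and process IDs are constructed sample values.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample Sysmon events (not real telemetry); EventCode 10 is ProcessAccess.
LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"
SAMPLE_EVENTS = [
    # Two accesses from the same source process, once via dbgcore.dll and once via dbghelp.dll.
    {"_time": 1700000000, "EventCode": 10, "dest": "WS01", "TargetImage": LSASS, "TargetProcessId": 712,
     "SourceImage": r"C:\Temp\procdump64.exe", "SourceProcessId": 4100,
     "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+2aa0"},
    {"_time": 1700000060, "EventCode": 10, "dest": "WS01", "TargetImage": LSASS, "TargetProcessId": 712,
     "SourceImage": r"C:\Temp\procdump64.exe", "SourceProcessId": 4100,
     "CallTrace": NTDLL + r"|C:\Windows\System32\dbghelp.dll+1f00"},
    # Same pattern on a host the filter macro tunes out (hypothetical approved crash-dump collector).
    {"_time": 1700000120, "EventCode": 10, "dest": "BUILD07", "TargetImage": LSASS, "TargetProcessId": 640,
     "SourceImage": r"C:\Tools\dumper.exe", "SourceProcessId": 2200,
     "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+2aa0"},
    # Routine access without the debug-library call trace: must not match.
    {"_time": 1700000180, "EventCode": 10, "dest": "WS02", "TargetImage": LSASS, "TargetProcessId": 700,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+2a6a4"},
]

def sysmon_input(events):
    """Stand-in for the `sysmon` input macro, which in Splunk scopes the search to the right index."""
    return list(events)

# Hypothetical tuning of `access_lsass_memory_for_dump_creation_filter`: destinations to exclude.
FILTERED_DESTS = {"BUILD07"}

def detect(events, filtered_dests=FILTERED_DESTS):
    """Detection logic: match events, aggregate like `stats`, then apply the filter macro."""
    groups = defaultdict(list)
    for ev in sysmon_input(events):
        # SPL evaluates OR before the implicit AND, so the search means
        # EventCode=10 AND TargetImage=*lsass.exe AND (dbgcore.dll OR dbghelp.dll in CallTrace).
        if ev["EventCode"] != 10 or not fnmatch(ev["TargetImage"].lower(), "*lsass.exe"):
            continue
        trace = ev["CallTrace"].lower()
        if "dbgcore.dll" not in trace and "dbghelp.dll" not in trace:
            continue
        key = (ev["dest"], ev["TargetImage"], ev["TargetProcessId"], ev["SourceImage"], ev["SourceProcessId"])
        groups[key].append(ev["_time"])
    rows = [{"dest": k[0], "TargetImage": k[1], "TargetProcessId": k[2], "SourceImage": k[3],
             "SourceProcessId": k[4], "count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]
    # The filter macro sits at the end of the pipeline, so it drops whole result rows after aggregation.
    return [r for r in rows if r["dest"] not in filtered_dests]
```

Running `detect(SAMPLE_EVENTS)` returns a single row for WS01 with count 2, while passing an empty `filtered_dests` also surfaces BUILD07, which is the effect a filter macro edit has on the alerts you see.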
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0