Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Troubleshooting common errors

ESCU does not generate its own logs because the app leverages core features of the Splunk Platform.

Following are some common log files that you can use to identify issues that might appear to be ESCU-related but usually exist in the Splunk Platform:

  • splunkd.log
  • scheduler.log
  • splunkd_access.log

For more information on troubleshooting, see the product documentation:

  • If you use Splunk Enterprise Security, see the Splunk Enterprise Security Troubleshooting manual for additional troubleshooting information.
  • For search related issues on Splunk Enterprise, see the Search Troubleshooting Guide.
  • To confirm if there is data present for a search or if you must troubleshoot data model issues, see the Troubleshooting Datamodel manual.

Troubleshoot a specific threat detection use case

Follow these steps to troubleshoot a specific threat detection use case in Splunk Enterprise Security:

  1. Get a high-level understanding of what the detection is trying to accomplish.
    Each ESCU detection targets a specific detection use case. In some troubleshooting scenarios, this metadata can be useful. For more information, see the following resources in Splunk Documentation and Github repository.
  2. Confirm that the data source contains events by using search on data models.
    Each ESCU detection searches events in a data source.

    | from datamodel Endpoint.Processes | search *

  3. Ensure that events in a data source are correctly indexed by the Splunk Platform.
    Verify this by identifying the SPL for the detection and minimizing it to its simplest form to confirm that events exist. Certain ESCU detections rely on data models. For example, you can confirm if events are created in the following detection by reducing the search to the minimum time and removing every condition.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`

    as follows:

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes

    Not every detection uses data models but you can identify the conditions and remove them from the SPL search query.

  4. Review the configuration of the detection.
    Each ESCU detection is initially configured to run on a schedule to identify on-going threats and troubleshoot mis-configured or disabled alerts. You can find specific details about the detection such as name, the SPL query, the last time it was run, the next time it runs, the frequency of the schedule, and so on by going to Searches, Reports, and Alerts in the Splunk UI.
Last modified on 15 October, 2024
Use ESCU tuning and filter macros to optimize detections   Install and set up the Splunk Machine Learning Toolkit

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters