What's Inside an Analytic Story
Each Analytic Story consists of the following elements that provide key insights into each story and its significance as a security methodology.
Description: Brief, top-level overview of the objective of the Analytic Story
Narrative: Details that provide a better understanding of the attack and/or methodology. Where appropriate, these include:
- Historical context and evolution
- Associated risks and/or exploits identified in the wild
- Potential impact and rationale for implementation
- Key security value and benefits
- Other associated methods and/or interdependencies
Framework mapping: Categorization within MITRE ATT&CK, corresponding Kill Chain phase, and CIS controls
Data Model: Relevant data models needed for normalization within Splunk Common Information Model (CIM)
Technologies: Examples of applicable data sources for the Analytic Story
References: Pointers to additional reading and/or technical resources that provide background, context, links to related methods, and/or other relevant information
Analytic Story searches: Each Analytic Story contains different types of searches, all designed to help with critical tasks performed by security teams at various operational stages. Depending on the Analytic Story, there may be multiple searches provided for each stage. Each search includes a description and a plain-language, non-technical explanation called "Explain It Like I'm 5." It also displays its associated SPL and provides implementation guidance and known false positives.
Stories include the following types of searches:
- Detection Searches: Each Analytic Story contains one or more detection searches. These searches are designed to detect activities, events, or behaviors associated with known issues and/or threats. Each search contains supporting details, such as framework mapping, relevant data models/technologies, and other related specifics (such as confidence level or a list of at-risk assets).
- Investigative Searches: Analytic Stories may contain multiple investigative searches that gather context, perform verification steps, and/or collect specific types of evidence related to the story. This may include Notable Events, Risk Modifiers, and other correlation-search results from the Splunk Enterprise Security frameworks.
- Supporting Searches: These searches provide operational methods that support detection, investigation, and response, such as building lookup files. They may also provide other techniques for ensuring proper execution of detection or investigation searches, as well as other operational tasks.
- Portfolio-wide applicability: Where appropriate, Analytic Stories incorporate machine learning models and playbooks from Splunk UBA and Splunk Phantom. This allows security teams to apply the Analytic Story across the entire portfolio of Splunk security products.
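The elements above amount to a checklist that a content author or reviewer can apply mechanically before a story is published. The following Python is an added illustration, not code from Splunk Security Content: it models a story as a plain dictionary whose field names (`framework_mapping`, `eli5`, `how_to_implement`, the `type` key on each search, and so on) are constructed for this example and are not the project's real schema, then reports every element the page requires that is missing, including the rule that a story must carry at least one detection search.

```python
"""Completeness check for an Analytic Story (added illustration).

The dictionary layout used here is a constructed, hypothetical representation
of the elements listed on this page; it is NOT the schema that Splunk Security
Content ships. All sample values below are constructed.
"""
from typing import Any

# Top-level elements every story should carry.
REQUIRED_STORY_FIELDS = (
    "description", "narrative", "framework_mapping",
    "data_models", "technologies", "references", "searches",
)
# Framework mapping: MITRE ATT&CK, Kill Chain phase, CIS controls.
REQUIRED_MAPPING_KEYS = ("mitre_attack", "kill_chain_phases", "cis_controls")
# Every search shows a description, an "Explain It Like I'm 5" text, its SPL,
# implementation guidance and known false positives.
REQUIRED_SEARCH_FIELDS = (
    "name", "type", "description", "eli5", "spl",
    "how_to_implement", "known_false_positives",
)
SEARCH_TYPES = ("detection", "investigative", "support")


def validate_story(story: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the story is complete."""
    findings: list[str] = []
    for field in REQUIRED_STORY_FIELDS:
        if not story.get(field):
            findings.append(f"missing story field: {field}")
    mapping = story.get("framework_mapping") or {}
    for key in REQUIRED_MAPPING_KEYS:
        if not mapping.get(key):
            findings.append(f"framework_mapping lacks {key}")
    searches = story.get("searches") or []
    for i, search in enumerate(searches):
        label = search.get("name", f"search[{i}]")
        for field in REQUIRED_SEARCH_FIELDS:
            if not search.get(field):
                findings.append(f"{label}: missing {field}")
        if search.get("type") not in SEARCH_TYPES:
            findings.append(f"{label}: unknown type {search.get('type')!r}")
    # Each story contains one or more detection searches.
    if not any(s.get("type") == "detection" for s in searches):
        findings.append("story has no detection search")
    return findings


# Constructed, complete story (values are illustrative only).
SAMPLE_STORY: dict[str, Any] = {
    "description": "Spot suspicious interpreter launches on endpoints.",
    "narrative": "Historical context, risks seen in the wild, and impact.",
    "framework_mapping": {
        "mitre_attack": ["T1059"],
        "kill_chain_phases": ["Exploitation"],
        "cis_controls": ["CIS 8"],
    },
    "data_models": ["Endpoint"],
    "technologies": ["Sysmon", "Windows Security Logs"],
    "references": ["https://example.invalid/placeholder-reference"],
    "searches": [
        {
            "name": "Interpreter spawned by Office app",
            "type": "detection",
            "description": "Office process launching a scripting interpreter.",
            "eli5": "A document program started something it normally never starts.",
            # Constructed SPL for illustration, not a shipped search.
            "spl": "| tstats count from datamodel=Endpoint.Processes "
                   "by Processes.dest Processes.parent_process_name "
                   "Processes.process_name",
            "how_to_implement": "Populate the Endpoint.Processes data model.",
            "known_false_positives": "Admin scripts launched from macros.",
        },
        {
            "name": "Build allow-list lookup",
            "type": "support",
            "description": "Builds the lookup the detection search reads.",
            "eli5": "Writes down the programs we already trust.",
            "spl": "| inputlookup trusted_parents.csv",
            "how_to_implement": "Schedule before the detection search.",
            "known_false_positives": "None; this search only builds a lookup.",
        },
    ],
}

# Constructed story that omits most elements and has no detection search.
INCOMPLETE_STORY: dict[str, Any] = {
    "description": "Only a description.",
    "framework_mapping": {"mitre_attack": ["T1059"]},
    "searches": [
        {
            "name": "Lookup builder",
            "type": "support",
            "description": "Builds a lookup.",
            "eli5": "Writes a list.",
            "spl": "| inputlookup placeholder.csv",
            "how_to_implement": "Schedule it.",
            "known_false_positives": "None.",
        }
    ],
}

if __name__ == "__main__":
    for name, story in (("sample", SAMPLE_STORY), ("incomplete", INCOMPLETE_STORY)):
        print(name, validate_story(story) or "complete")
```

Running the module prints `complete` for the first story and seven findings for the second: four missing top-level fields, two missing framework mappings, and the absent detection search. The same loop can be pointed at every story file in a content repository so that a pull request fails before a story with no false-positive guidance or no ATT&CK mapping reaches analysts.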
This documentation applies to the following versions of Splunk® Security Content: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0