Splunk® Security Content

What's Inside an Analytic Story

Each Analytic Story consists of the following elements, which together provide key insights into the story and its significance as a security methodology.

Description: Brief, top-level overview of the objective of the Analytic Story

Narrative: Details that provide a better understanding of the attack and/or methodology. Where appropriate, these include:

  • Historical context and evolution
  • Associated risks and/or exploits identified in the wild
  • Potential impact and rationale for implementation
  • Key security value and benefits
  • Other associated methods and/or interdependencies

Framework mapping: Categorization within MITRE ATT&CK, corresponding Kill Chain phase, and CIS controls

Data Model: Relevant data models needed for normalization within Splunk Common Information Model (CIM)

Technologies: Examples of applicable data sources for the Analytic Story

References: Pointers to additional reading and/or technical resources that provide background, context, links to related methods, and/or other relevant information

Analytic Story searches: Each Analytic Story contains different types of searches, all designed to help with critical tasks performed by security teams at various operational stages. Depending on the Analytic Story, there may be multiple searches provided for each stage. Each search includes a description and a plain-language, non-technical explanation called "Explain It Like I'm 5." It also displays its associated SPL and provides implementation guidance and known false positives.

Stories include the following types of searches:

  • Detection Searches: Each Analytic Story contains one or more detection searches. These searches are designed to detect activities, events, or behaviors associated with known issues and/or threats. Each search contains supporting details, such as framework mapping, relevant data models/technologies, and other related specifics (such as confidence level or a list of at-risk assets).
  • Investigative Searches: Analytic Stories may contain multiple investigative searches that gather context, perform verification steps, and/or collect specific types of evidence related to the story. This may include Notable Events, Risk Modifiers, and other correlation-search results from the Splunk Enterprise Security frameworks.
  • Supporting Searches: These searches provide operational methods that support detection, investigation, and response, such as building lookup files. They may also provide other techniques for ensuring proper execution of detection or investigation searches, as well as other operational tasks.
  • Portfolio-wide applicability: Where appropriate, Analytic Stories incorporate machine learning models and playbooks from Splunk UBA and Splunk Phantom. This allows security teams to apply the Analytic Story across the entire portfolio of Splunk security products.

Last modified on 26 August, 2019

This documentation applies to the following versions of Splunk® Security Content: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0
