How to use Splunk Security Content
From the Splunk Security Content menu bar, you can navigate to the following pages:
- Content Library to view the dashboard of Analytic Stories and search summaries
- Feedback Center to send feedback directly to the Splunk Security Research Team
- Usage Details to see what your users are doing inside your instance of ESCU
If you use Splunk Enterprise Security or Splunk Security Essentials, you can access Analytic Stories through those apps.
- See Manage Analytic Stories through the use case library in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual to enable correlation searches.
- See About the Splunk Security Essentials app in the Use Splunk Security Essentials manual.
Access the Analytic Stories Stats tab to explore the Analytic Stories included with Splunk Security Updates using the Category, CIS Critical Security Control, or Kill Chain Phase mapping.
Access the Search Summary tab to see the searches associated with an Analytic Story and explore them based on their CIS Critical Security Control mapping or by search type.
Analytic Story Detail
The Analytic Story Detail view provides information on how to use Splunk ES to address a particular threat.
Splunk Security Content categorizes the stories according to the table below.

| Category | Analytic Stories |
|---|---|
| Malware | Brand Monitoring; Suspicious DNS Traffic; Suspicious WMI Use; Windows Log Manipulation; Windows Persistence Techniques |
| Known vulnerabilities | Apache Struts Vulnerability; DNS Amplification Attacks; Monitor for Updates; Splunk Enterprise Vulnerability |
| Best practices | Account Monitoring and Controls; Router & Infrastructure Security; Monitor Backup Solution; Monitor for Unauthorized Software; Use of Cleartext Protocols; Prohibited Traffic Allowed or Protocol Mismatch |
Analytic Stories provide you with tactics, techniques, and methodologies to assist with detection, investigation, and response. They include easy-to-read background information, key context for motivations and risks associated with the attack techniques in question, and pragmatic advice on how to combat those techniques.
Each story is mapped to various frameworks, including MITRE ATT&CK, Lockheed Martin Kill Chain phases, CIS controls, and NIST, and includes the following content objects:
- Detection: OOTB detection techniques in the form of detection searches or machine-learning models
- Investigation: Searches and/or Splunk Phantom playbooks that help the analyst determine whether a notable event is a true positive. For example, the analyst may wish to review additional notables related to the participating entity (additional detections). They may also need to gather corroborating evidence and additional contextual information.
- Response: These help the analyst conduct specific response actions to remediate the incident.
Analytic Stories are categorized by use case and can be accessed via the Splunk ES Use Case Library or Splunk Security Content.
Select any search to view its search name, description, kill chain phase, and details.
Customize to your Environment
Release 1.0.46 introduced input(pre-filter) and output(post-filter) macros for each of our detection searches. These macros let you update a macro definition once and then apply the new definition across all detections that leverage that macro. These changes are local to your Splunk environment.
- input(pre-filter): This macro specifies your environment-specific configurations (index, source, sourcetype, etc.) to get the specific data sources that you require. Replace the macro definition with configurations for your Splunk environment.
- output(post-filter): This macro specifies your environment-specific values (dest, user, etc.) to filter out known false positives. Replace the macro definition with values that you'd like to exclude from detection results.
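As an added example (not from the original page or the ESCU app itself; the macro names, file path, index, sourcetype and excluded values are hypothetical), a local macros.conf that overrides one detection's input and output macros for a specific environment, with comments showing where each macro sits in the detection search:

```ini
# Hypothetical path: $SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/local/macros.conf
# Overrides placed in local/ survive app upgrades; never edit default/macros.conf.

# input (pre-filter) macro for a DNS detection.
# The shipped definition is generic; this override pins the detection to the
# index and sourcetype that actually carry DNS responses in this environment.
# In the search it is the first token:
#   `dns_response_input_filter` | stats count by src query answer | where count > 100 | `dns_response_output_filter`
[dns_response_input_filter]
definition = index=network sourcetype=stream:dns message_type=RESPONSE
iseval = 0

# output (post-filter) macro for the same detection.
# The shipped definition is typically a pass-through ("search *"), so every
# result reaches the notable queue. This override removes results already
# triaged as benign: an internal zone and a known DNS scanner (values constructed).
# Because it runs after the pipe, the definition must start with "search".
[dns_response_output_filter]
definition = search NOT (query="*.internal.example.com" OR src="10.0.5.20")
iseval = 0
```

Keep each exclusion narrow (a specific host, user, or domain pattern) rather than a broad wildcard, and review the list periodically so a filter added for one incident does not silently suppress a later, real one.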
Coming soon is an improved naming convention that will be consistent across all of our detections, investigations, and baselines.
Access the Feedback Center to send feedback directly to the Splunk Security Research Team. Contact us at email@example.com to send us support requests, bug reports, or questions directly to the Splunk Security Research Team. Please specify your request type and/or the title of any related Analytic Stories.
Access Usage Details to see how your team is using Splunk Security Content. You can access details such as the following:
- The searches your team runs most frequently
- The types of searches your team runs, including the names of the searches and the average and total run times
This documentation applies to the following versions of Splunk® Security Content: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0