Splunk® Security Content

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

What's in Splunk Security Content

Splunk security content includes analytics stories, detections, and playbooks.

Analytic stories

An analytic story is a complete use case specifically built to detect, investigate, and respond to a specific threat. See all of the available analytic stories on the Splunk Security Content website.

A group of related detections and a responses comprise an analytic story. The detections and responses are tagged with analytic_story: <analytic_story_name>. You can use this tag to search for detections and responses related to any analytic story.

The content parts of an analytic story are described in the following table:

Content Description
detections Contains the searches used to trigger detections. See Detections.
stories All the analytic stories that are group detections, also known as use cases.
deployments Configuration for the schedule and alert action for all content.
responses Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat.
response_tasks Individual steps in responses that help the user investigate via a Splunk search, automate via a phantom playbook, and visualize via dashboards threats.
baselines Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data.
macros Implements Splunk's search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below.
lookups Implements Splunk's lookup, usually to provide a list of static values like commonly used ransomware extensions.


Detections are investigative searches that security teams can easily save and implement in their own environment. See all of the available detections on the Splunk Security Content website.

You can also use Attack Range detection development platform to develop, test, and integrate your own detections.

Each detection consists of the following elements:

Element Description
Name and Description Name of the detection, and a brief, top-level overview of what triggers the detection.
Product List of Splunk products for which this detection can be used.
Datamodel Relevant data models required for normalization within Splunk Common Information Model (CIM).
Search The SPL for the detection. Detection searches are designed to detect activities, events, or behaviors associated with known issues and/or threats.
Associated Analytic Story The analytic stories that use this detection. See Analytic stories.
Implementation Details Information about the data sources and fields required to trigger this detection.
Framework Mapping Categorization within MITRE ATT&CK, corresponding Kill Chain phase, CIS controls, and NIST framework.
Known False Positives Description about cases where false positive detections may be triggered. For example, the Detect new login attempts to routers detection my be triggered in cases where legitimate router connections appear as new connections.
References Pointers to additional reading and/or technical resources that provide background, context, links to related methods, and/or other relevant information.
Test Dataset Links to test data that you can use in your environment to verify that the detection gets triggered.


See all of the available playbooks on the Splunk Security Content website.

Last modified on 16 February, 2022
What's new

This documentation applies to the following versions of Splunk® Security Content: 3.35.0, 3.36.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters