Related Answers
Download topic as PDF
What's in Splunk Security Content
Splunk security content includes analytics stories, detections, and playbooks.
Analytic stories
An analytic story is a complete use case specifically built to detect, investigate, and respond to a specific threat. See all of the available analytic stories on the Splunk Security Content website.
A group of related detections and a responses comprise an analytic story. The detections and responses are tagged with analytic_story: <analytic_story_name>. You can use this tag to search for detections and responses related to any analytic story.
The content parts of an analytic story are described in the following table:
| Content | Description |
|---|---|
| detections | Contains the searches used to trigger detections. See Detections. |
| stories | All the analytic stories that are group detections, also known as use cases. |
| deployments | Configuration for the schedule and alert action for all content. |
| responses | Incident Response Playbooks/Workflow for responding to a specific Use Case or Threat. |
| response_tasks | Individual steps in responses that help the user investigate via a Splunk search, automate via a phantom playbook, and visualize via dashboards threats. |
| baselines | Searches that must be executed before a detection runs. It is specifically useful for collecting data on a system before running your detection on the collected data. |
| macros | Implements Splunk's search macros, shortcuts to commonly used search patterns like sysmon source type. More on how macros are used to customize content below. |
| lookups | Implements Splunk's lookup, usually to provide a list of static values like commonly used ransomware extensions. |
Detections
Detections are investigative searches that security teams can easily save and implement in their own environment. See all of the available detections on the Splunk Security Content website.
You can also use Attack Range detection development platform to develop, test, and integrate your own detections.
Each detection consists of the following elements:
| Element | Description |
|---|---|
| Name and Description | Name of the detection, and a brief, top-level overview of what triggers the detection. |
| Product | List of Splunk products for which this detection can be used. |
| Datamodel | Relevant data models required for normalization within Splunk Common Information Model (CIM). |
| Search | The SPL for the detection. Detection searches are designed to detect activities, events, or behaviors associated with known issues and/or threats. |
| Associated Analytic Story | The analytic stories that use this detection. See Analytic stories. |
| Implementation Details | Information about the data sources and fields required to trigger this detection. |
| Framework Mapping | Categorization within MITRE ATT&CK, corresponding Kill Chain phase, CIS controls, and NIST framework. |
| Known False Positives | Description about cases where false positive detections may be triggered. For example, the Detect new login attempts to routers detection my be triggered in cases where legitimate router connections appear as new connections. |
| References | Pointers to additional reading and/or technical resources that provide background, context, links to related methods, and/or other relevant information. |
| Test Dataset | Links to test data that you can use in your environment to verify that the detection gets triggered. |
Playbooks
See all of the available playbooks on the Splunk Security Content website.
|
PREVIOUS What's new |
This documentation applies to the following versions of Splunk® Security Content: 3.35.0, 3.36.0
Feedback submitted, thanks!