Splunk® Security Content

How to Use Splunk Security Content

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

How to use Splunk Security Content

From the Splunk Security Content menu bar, you can navigate to the following pages:

  • Content Library to view the dashboard of Analytic Stories and search summaries
  • Feedback Center to send feedback directly to the Splunk Security Research Team
  • Usage Details to see what your users are doing inside your instance of ESCU

If you use Splunk Enterprise Security or Splunk Security Essentials, you can access Analytic Stories through those apps.

Content Library

Access the Analytic Stories Stats tab to explore the Analytic Stories included with Splunk Security Updates using the Category, CIS Critical Security Control, or Kill Chain Phase mapping.

Access the Search Summary tab to see the searches associated with an Analytic Story and explore them based on their CIS Critical Security Control mapping or by search type.

Analytic Story Detail

The Analytic Story Detail view provides information on how to use Splunk ES to address a particular threat.

Splunk Security Content categorizes the stories according to the table below.

Category Analytic Stories
Malware Brand Monitoring
Data Protection
Host Redirection
Lateral Movement
Malicious PowerShell
Ransomware
SQL Injection
Suspicious DNS Traffic
Suspicious Emails
Suspicious WMI Use
Unusual Processes
Windows Log Manipulation
Windows Persistence Techniques
Known vulnerabilities Apache Struts Vulnerability
DNS Amplification Attacks
JBOSS Vulnerability
Monitor for Updates
Splunk Enterprise Vulnerability
Best practices Account Monitoring and Controls
Asset Tracking
Router & Infrastructure Security
Monitor Backup Solution
Monitor for Unauthorized Software
Use of Cleartext Protocols
Prohibited Traffic Allowed or Protocol Mismatch

Analytic Stories provide you with tactics, techniques, and methodologies to assist with detection, investigation, and response. They include easy-to-read background information, key context for motivations and risks associated with the attack techniques in question, and pragmatic advice on how to combat those techniques.

Each story is mapped to various frameworks, including MITRE ATT&CK, Lockheed Martin Kill Chain phases, CIS controls, and NIST, and include the following content objects:

  1. Detection: OOTB detection techniques in the form of detection searches or machine-learning models
  2. Investigation: Searches and/or Splunk Phantom playbooks that help the analyst determine whether a notable event is true-positive. For example, the analyst may wish to review additional notables related to the participating entity (additional detections). They may also need to gather collaborative evidence and additional contextual information.
  3. Response: These help the analyst conduct specific response actions to remediate the incident.

Analytic Stories are categorized by use case and can be accessed via the Splunk ES Use Case Library or Splunk Security Content.

Select any search to view its search name, description, kill chain phase, and details.


Customize to your Environment

Release 1.0.46 introduced input(pre-filter) and output(post-filter) macros for each of our detection searches. These macros let you update a macro definition once and then apply the new definition across all detections that leverage that macro. These changes will be local to your Splunk environment.

  • input(pre-filter): This macro specifies your environment-specific configurations (index, source, sourcetype, etc.) to get the specific data sources that you require. Replace the macro definition with configurations for your Splunk environment.
  • output(post-filter): This macro specifies your environment-specific values (dest, user, etc,), to filter out known false positives. Replace the macro definition with values that you'd like to exclude from detection results.

Coming soon is an improved naming convention that will be consistent across all of our detections, investigations, and baselines.

Feedback Center

Access the Feedback Center to send feedback directly to the Splunk Security Research Team. Contact us at research@splunk.com to send us support requests, bug reports, or questions directly to the Splunk Security Research Team. Please specify your request type and/or the title of any related Analytic Stories.

Usage Details

Access Usage Details to see how your team is using Splunk Security Content. You can access details such as the following:

  • The searches your team runs most frequently
  • The types of searches your team runs, including the names of the searches and the average and total run times
Last modified on 27 April, 2023
PREVIOUS
About Splunk Security Content
  NEXT
Install and set up the Splunk Machine Learning Toolkit

This documentation applies to the following versions of Splunk® Security Content: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters