Find actionable guidance for your use cases in Splunk Security Analytics for AWS
The Splunk Security Research team writes Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches you need to implement the story in your own environment. It also explains what each search achieves and how to convert a search into adaptive response actions, where appropriate.
Splunk Security Analytics for AWS includes built-in Analytic Stories that are enabled by default to help you uncover suspicious user and authentication behaviors.
Determine which Analytic Stories to use
You can use common industry use cases to determine which Analytic Stories and searches are useful to you. There are a variety of ways to determine if an Analytic Story contains the searches you need, but industry use case is the default.
In the following scenario, you know that you're interested in common Amazon Web Services (AWS) related authentication issues, so you start by filtering on known use cases for cloud security.
- From the menu bar, select Configure > Content > Use Case Library.
In the use cases column, Cloud Security is selected by default.
- In the filter field, type authentication to narrow down your results.
- From an Analytic Story, such as Suspicious AWS Login Activities, click the greater than (>) symbol to expand the display.
- You see the detection searches that are related to this use case.
- You also see your data sources, data models, and lookups that these searches use.
| Data Sources | Description |
| --- | --- |
| Recommended Data Sources | The type of data sources that are likely to provide valuable data. |
| Sourcetypes | Your sourcetypes that are in use by the detection searches for this Analytic Story. If the status icon shows a red exclamation mark, hover over the icon to see the reason. |
| Data Models | Your data that is in use by the detection searches for this Analytic Story, as mapped to the Splunk data models via the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason. |
| Lookups | Your lookups that are in use by the detection searches for this Analytic Story. If the status icon shows a red exclamation mark, hover over the icon to see the reason. |
The Analytic Story Details page opens for the story.
- From the Detection section, select a search, such as ESCU - Detect AWS Console Login by User from New Country - Rule.
- From the Search section, click the greater than (>) symbol to expand the display.
- Revise the time picker and click Search.
The How to Implement section is not applicable. The default implementation is done for you.
- From the Known False Positives section, click the greater than (>) symbol to expand the display for tips on when the results might not indicate a problem.
This search runs automatically on a regular schedule. To disable or revise this search, see Use correlation searches to scan data sources for defined patterns.
Update the Analytic Stories
When new security content is available, you see a New Content Available dialog box. The dialog box can pop up on any page view.
Complete the following steps to update the app with new Analytic Stories and correlation searches.
- Prerequisite: You have the ess_admin role or the update app imports capability.
- See Add capabilities to a role in the Splunk Enterprise Security Installation and Upgrade Manual.
- Click Update App.
- Check the check box to accept the terms and conditions.
- Click Accept and Continue.
- Enter your Splunk.com username and password.
- Click Login and Continue.
You also have the options to skip the update, be reminded about it later, or close the dialog box:
- Skip this Version
- If you skip this version, you are not reminded again until the next version of the Content Update app is available.
- Remind Me Later
- If you choose Remind Me Later, you are reminded each day until you update.
- If you close the dialog box by using the X, you are reminded each day until you update.
See the Analytic Stories in use by default
You can use the Detections menu to see the Analytic Stories and corresponding detection searches that are in use by default in Splunk Security Analytics for AWS.
- From the menu bar, select Detections.
This takes you directly to the Content Management page with the following filters selected:
- Type filter of Correlation Search
- App filters for the apps and add-ons specific to Splunk Security Analytics for AWS.
- Status filter of Enabled
- Unselect all the app filters except ES Content Updates to see the corresponding detection searches for Analytic Stories.
This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0