Splunk® Security Analytics for AWS

User Manual


Find actionable guidance for your use cases in Splunk Security Analytics for AWS

The Splunk Security Research team writes Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches you need to implement the story in your own environment. It also provides an explanation of what the search achieves and how to convert a search into adaptive response actions, where appropriate.

Splunk Security Analytics for AWS includes built-in Analytic Stories that are enabled by default to help you uncover suspicious user and authentication behaviors.

Determine which Analytic Stories to use

You can use common industry use cases to determine which Analytic Stories and searches are useful to you. There are several ways to determine whether an Analytic Story contains the searches you need, but filtering by industry use case is the default view.

In the following scenario, you know that you're interested in common Amazon Web Services (AWS) related authentication issues, so you start by filtering on known use cases for cloud security.

  1. From the menu bar, select Configure > Content > Use Case Library.
    In the use cases column, Cloud Security is selected by default.
  2. In the filter field, type authentication to narrow down your results.
  3. From an Analytic Story, such as Suspicious AWS Login Activities, click the greater than ( >) symbol to expand the display.
    • You see the detection searches that are related to this use case.
    • You also see the data sources, data models, and lookups that these searches use:
      Recommended Data Sources: The types of data sources that are likely to provide valuable data for this story.
      Sourcetypes: The sourcetypes in your deployment that the detection searches in this Analytic Story use.
      Data Models: Your data that the detection searches in this Analytic Story use, as mapped to the Splunk data models by the Common Information Model (CIM) add-on.
      Lookups: The lookups in your deployment that the detection searches in this Analytic Story use.
      For Sourcetypes, Data Models, and Lookups, a red exclamation mark on the status icon indicates a problem with that item; hover over the icon to see the reason.
  4. Click the name of the Analytic Story. In this case, click Suspicious AWS Login Activities.
    The Analytic Story Details page opens for the story.
  5. You see the searches related to the stages of detecting, investigating, assessing, and mitigating issues.
    1. From the Detection section, select a search, such as ESCU - Detect AWS Console Login by User from New Country - Rule.
    2. From the Search section, click the greater than (>) symbol to expand the display.
    3. Revise the time picker and click Search.
      [Screenshot: location of the Search section, the time picker, and the Search button]

    4. The How to Implement section is not applicable here. The default implementation is done for you.

    5. From the Known False Positives section, click the greater than (>) symbol to expand the display for tips on when the results might not indicate a problem.

This search runs automatically on a regular schedule. To disable or revise this search, see Use correlation searches to scan data sources for defined patterns.
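To make concrete what a detection search such as "Detect AWS Console Login by User from New Country" achieves, and what the Known False Positives section is asking you to tune, here is an added example that is not Splunk's ESCU search and not code from this manual. It re-implements the idea offline in Python: build a per-user baseline of countries seen in successful CloudTrail ConsoleLogin events, then flag a successful login from a country that user has not been seen in before. The CloudTrail records are constructed for the example; the "country" field is an assumption standing in for an IP-to-geo lookup (CloudTrail itself only carries sourceIPAddress), and the allowlist is an assumed tuning knob for known-benign egress such as a corporate VPN.

```python
"""Added example: per-user "login from a new country" detection over constructed
CloudTrail ConsoleLogin events. Not Splunk's ESCU search; the search logic
described on this page is modelled here, not reproduced."""
import json
from collections import defaultdict

# Constructed CloudTrail-style records, one JSON object per line. The "country"
# field is NOT part of CloudTrail; it is assumed to have been added by an
# IP-to-geo step (in Splunk, the iplocation command does this from sourceIPAddress).
BASELINE_LOG = """\
{"eventTime":"2021-07-02T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"country":"United States"}
{"eventTime":"2021-07-15T08:10:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.11","responseElements":{"ConsoleLogin":"Success"},"country":"United States"}
{"eventTime":"2021-07-20T09:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"country":"Germany"}
{"eventTime":"2021-07-21T09:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Failure"},"country":"Brazil"}
"""

RECENT_LOG = """\
{"eventTime":"2021-08-09T10:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.5","responseElements":{"ConsoleLogin":"Success"},"country":"Canada"}
{"eventTime":"2021-08-09T10:05:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.5","responseElements":{"ConsoleLogin":"Success"},"country":"Canada"}
{"eventTime":"2021-08-09T11:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"country":"Germany"}
{"eventTime":"2021-08-09T12:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Success"},"country":"Brazil"}
{"eventTime":"2021-08-09T13:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"carol"},"sourceIPAddress":"203.0.113.99","responseElements":{"ConsoleLogin":"Success"},"country":"Japan"}
{"eventTime":"2021-08-09T14:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.200","responseElements":{"ConsoleLogin":"Success"},"country":"Netherlands"}
{"eventTime":"2021-08-09T15:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.250","responseElements":{"ConsoleLogin":"Failure"},"country":"Russia"}
{"eventTime":"2021-08-09T15:30:00Z","eventName":"DescribeInstances","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.250","country":"Russia"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_successful_console_login(event):
    """Only successful ConsoleLogin events count; failures and API calls are ignored."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("responseElements", {}).get("ConsoleLogin") == "Success"


def build_baseline(events):
    """Map user -> set of countries seen in successful console logins (the
    'previously seen' state a scheduled search would keep in a lookup)."""
    seen = defaultdict(set)
    for event in events:
        if is_successful_console_login(event):
            seen[event["userIdentity"]["userName"]].add(event["country"])
    return seen


def detect_new_country_logins(events, baseline, allowlist=frozenset()):
    """Return one finding per (user, country) pair that is new relative to the
    baseline. Design choices, stated as assumptions of this example:
      * countries in `allowlist` never fire (tuning for known false positives,
        e.g. a corporate VPN egress country), but are still learned;
      * a user with no baseline at all is learned, not alerted on, since there
        is nothing to compare against (a separate "new user" search would cover that);
      * the baseline is updated as events are processed, so repeated logins from
        the same new country produce a single finding."""
    seen = {user: set(countries) for user, countries in baseline.items()}
    findings = []
    for event in events:
        if not is_successful_console_login(event):
            continue
        user = event["userIdentity"]["userName"]
        country = event["country"]
        known = seen.setdefault(user, None)
        if known is None:
            seen[user] = {country}          # first sighting of this user
            continue
        if country not in known and country not in allowlist:
            findings.append({
                "user": user,
                "country": country,
                "src_ip": event["sourceIPAddress"],
                "time": event["eventTime"],
                "previously_seen": sorted(known),
            })
        known.add(country)
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for finding in detect_new_country_logins(parse_events(RECENT_LOG), baseline,
                                             allowlist={"Netherlands"}):
        print(json.dumps(finding))
```

Run as-is, the script reports alice logging in from Canada and bob from Brazil; bob's earlier failed login from Brazil does not make Brazil "seen", and alice's login from the allowlisted Netherlands is suppressed but learned. Dropping the allowlist adds a third finding for the Netherlands, which is the kind of result the Known False Positives section tells you to expect and tune out.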

Update the Analytic Stories

When new security content is available, you see a New Content Available dialog box. The dialog box can pop up on any page view.

Complete the following steps to update the app with new Analytic Stories and correlation searches.

  1. Prerequisite: You have the ess_admin role or the capability to update app imports. See Add capabilities to a role in the Splunk Enterprise Security Installation and Upgrade Manual.
  2. Click Update App.
  3. Check the check box to accept the terms and conditions.
  4. Click Accept and Continue.
  5. Enter your Splunk.com username and password.
  6. Click Login and Continue.

You also have the options to skip it, be reminded about it, or close the dialog box:

Skip this Version
If you skip, you are not reminded again until the next version of the Content Update app is available.
Remind Me Later
If you choose to be reminded, you are reminded each day until you update.
Close
If you close the dialog box by using the X, you are reminded each day until you update.

See the Analytic Stories in use by default

You can use the Detections menu to see the Analytic Stories and corresponding detection searches that are in use by default in Splunk Security Analytics for AWS.

  1. From the menu bar, select Detections.
    This takes you directly to the Content Management page with the following filters selected:
    • Type filter of Correlation Search
    • App filters for the apps and add-ons specific to Splunk Security Analytics for AWS.
    • Status filter of Enabled
  2. Unselect all the app filters except ES Content Updates to see the corresponding detection searches for Analytic Stories.
Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0