Search in Splunk Security Essentials
Splunk Security Essentials uses time series searches to detect spikes, first time seen searches to detect new values, and general Splunk searches. For more information on searching in Splunk, see the Search Tutorial.
Detect data spikes with time series searches
Use time series searches to track numeric values over time and look for spikes. The time series searches are performed on a per-entity basis, such as per-user, per-system, and per-file hash, for more accurate alerts.
Time series searches look at the standard deviation in the stats command and examine data samples many standard deviations away from the average, allowing you to identify outliers over time. For example, use a time series analysis to identify spikes in the number of pages printed per user, where a higher number can indicate malicious behavior. In a large-scale environment, use summary indexing for time series searches. To run a time series search, follow these steps:
- From the main menu, click Advanced > Search Assistants > Detect Spikes.
- Enter a search.
- Refine the search by selecting the data points, subject, threshold method and multiplier.
- Click Detect Spikes and review the outliers and total results.
Detect new values with first time seen searches
To identify suspicious or malicious activity, use first time seen searches to detect the first time that an action is performed. For example, service accounts typically log in to the same set of servers. If a service account logs into a new device one day or logs in interactively, that new behavior might indicate malicious activity.
You can also perform first time analysis based on a user group. Filter out activity that is new for a particular person, but not for the people in their group or department. For example, if User A hasn't checked out code from a particular git repository before, but User A's teammate User B regularly checks out code from that repository, User A's first time activity might not be suspicious.
Detect first time behavior with the stats command and the first() and last() functions. Incorporate first seen activity for user groups using the eventstats command.
In a large-scale deployment, use caching with a lookup for first time seen searches. To run a first time seen search, follow these steps:
- Click Advanced > Search Assistants > Detect New Values.
- Enter a search.
- Refine the search by selecting the primary and secondary fields.
- (Optional) Select a filter for peer group and lookup cache.
- Click Detect New Values and review the outliers and total results.
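As an added illustration, not taken from Splunk Security Essentials itself, the two searches below show the spike and first-time-seen patterns described above in plain SPL: the first flags days on which a user printed more than three standard deviations above their own daily average (the multiplier the Detect Spikes assistant lets you choose), and the second flags a user's first checkout from a git repository only when nobody in the same department has used that repository before. The index, sourcetype and field names (print, pages, vcs, repository, action, and a user_dept.csv lookup with a department column) are assumptions about your data.

```spl
index=print sourcetype=print_logs
| bin _time span=1d
| stats sum(pages) AS pages BY _time, user
| eventstats count AS days_seen, avg(pages) AS avg_pages, stdev(pages) AS stdev_pages BY user
| eval threshold = avg_pages + 3 * stdev_pages
| where days_seen >= 7 AND pages > threshold
| eval day = strftime(_time, "%Y-%m-%d")
| table day, user, pages, avg_pages, stdev_pages, threshold

index=vcs sourcetype=git action=checkout
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count BY user, repository
| lookup user_dept.csv user OUTPUT department
| fillnull value="unknown" department
| eventstats min(first_seen) AS dept_first_seen BY department, repository
| where first_seen >= relative_time(now(), "-1d@d") AND dept_first_seen >= relative_time(now(), "-1d@d")
| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen, user, department, repository, count
```

Run both searches over the full history you want to compare against (for example the last 90 days) even though only the newest day is reported, because the average, standard deviation and department-level first-seen values are computed from everything in the time range. The days_seen check suppresses alerts for users with too little history to have a meaningful baseline, and the fillnull step keeps users missing from the lookup in a department of their own instead of silently dropping them.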
Use a Splunk search in Splunk Security Essentials
Most of the content in the app uses standard Splunk searches, which rely only on tools included in the Splunk platform. You get the most value from these searches by copying the raw search strings to your deployment. For more information on searching in the Splunk platform, see the Search Tutorial. To run a Splunk search in Splunk Security Essentials, follow these steps:
- Click Advanced > Search Assistants > Simple Search.
- Enter a search.
- Click Detect New Values and review the results.
To view custom search commands in Splunk Security Essentials, see Custom search commands for Splunk Security Essentials.
This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1, 3.6.0