Splunk® Security Essentials

Use Splunk Security Essentials

This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

Use Analytic Stories for actionable guidance in Splunk Security Essentials

The Splunk Security Research team writes Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches you need to implement the story in another environment. It also provides an explanation of what the search achieves and how to convert a search into adaptive response actions, where appropriate. For more information about Analytic Stories, see Use Analytic Stories for actionable guidance in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.

To access Analytic Stories in Splunk Security Essentials, follow these steps:

  1. In Splunk Security Essentials, select the Analytics Advisor tab.
  2. From the dropdown, select Analytic Story Detail.

Investigate an Analytic Story

The Analytic Story page in Splunk Security Essentials contains details about the Analytic Story and the detection searches that generate the data behind it.

To populate the dashboard, follow these steps:

  1. Choose the Analytic Story you want to investigate from the Select… menu.
  2. Select Run Analytics.

See details

After the analytics finish running, these details are visible:

Category: The high-level category of the Analytic Story.
Version: The version of the particular Analytic Story.
Created: The date the Analytic Story was created.
Description: The high-level description of the Analytic Story.
Narrative: The in-depth narrative describing the Analytic Story.
ATT&CK: The MITRE ATT&CK technique IDs.
Kill Chain Phases: The phases in the kill chain.
Data Model: The data used by the detection searches for this Analytic Story, as mapped to the Splunk data models through the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason.
References: URL links to references relevant to the Analytic Story.

Identify Analytic Story Searches

After the analytics finish running, this information about each search is visible:

Description: The high-level description of the search.
Search: The SPL search used to generate data related to the Analytic Story.
How to Implement: Information about how to implement the SPL search.
Known False Positives: The known false positives of the SPL search.
ATT&CK: The MITRE ATT&CK technique IDs.
Kill Chain Phases: The phases in the kill chain.
CIS Controls: The Center for Internet Security controls.
Data Models: The data used by the detection searches for this Analytic Story, as mapped to the Splunk data models through the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason.
Confidence: The degree of confidence in the analysis.
Creation Date: The date the search was created.

To reconfigure a search related to the Analytic Story, select the Configure button. That button redirects you to the Security Content page in Splunk Security Essentials.
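The two tables above describe the story-level and search-level fields that Splunk Security Essentials displays. The following Python is an added example, not Splunk's code and not part of any shipped Analytic Story: it models those fields as plain data classes and runs the readiness checks a practitioner would want before running a story in another environment (well-formed ATT&CK IDs, documented implementation notes and false positives, and every data model a search needs both declared on the story and populated in the target environment, which is what the red exclamation mark warns about). The class names, the check_story function, and the sample story are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# ATT&CK technique ids look like T1059 (technique) or T1059.001 (sub-technique).
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass
class StorySearch:
    """One detection search listed under an Analytic Story (search-level fields)."""
    description: str
    search: str
    how_to_implement: str = ""
    known_false_positives: str = ""
    attack: list = field(default_factory=list)
    kill_chain_phases: list = field(default_factory=list)
    cis_controls: list = field(default_factory=list)
    data_models: list = field(default_factory=list)
    confidence: str = ""
    creation_date: str = ""


@dataclass
class AnalyticStory:
    """Story-level fields from the details table, plus its searches."""
    name: str
    category: str
    version: str
    created: str
    description: str
    narrative: str
    attack: list = field(default_factory=list)
    kill_chain_phases: list = field(default_factory=list)
    data_model: list = field(default_factory=list)
    references: list = field(default_factory=list)
    searches: list = field(default_factory=list)


def check_story(story, populated_models):
    """Return human-readable problems; an empty list means the story is ready to run."""
    problems = []
    if not story.references:
        problems.append("story: no references listed")
    for tid in story.attack:
        if not ATTACK_ID.match(tid):
            problems.append(f"story: malformed ATT&CK id {tid!r}")

    used_models = set()
    for s in story.searches:
        label = f"search {s.description!r}"
        if not s.search.strip():
            problems.append(f"{label}: empty SPL")
        if not s.how_to_implement:
            problems.append(f"{label}: no implementation guidance")
        if not s.known_false_positives:
            problems.append(f"{label}: known false positives not documented")
        for tid in s.attack:
            if not ATTACK_ID.match(tid):
                problems.append(f"{label}: malformed ATT&CK id {tid!r}")
        for dm in s.data_models:
            used_models.add(dm)
            if dm not in populated_models:
                problems.append(f"{label}: data model {dm!r} is not populated here")

    # The story-level Data Model field should cover everything its searches need.
    for dm in sorted(used_models - set(story.data_model)):
        problems.append(f"story: search uses data model {dm!r} not declared on the story")
    return problems


# Constructed sample story: illustrative values only, not a real shipped Analytic Story.
SAMPLE_STORY = AnalyticStory(
    name="Example Story", category="Adversary Tactics", version="1",
    created="2022-07-01", description="Constructed story used to exercise the checks.",
    narrative="Constructed narrative text.",
    attack=["T1059", "T1059.001"], kill_chain_phases=["Exploitation"],
    data_model=["Endpoint"],
    references=["https://attack.mitre.org/techniques/T1059/"],
    searches=[
        StorySearch(
            description="Suspicious interpreter launch",
            search="| tstats count from datamodel=Endpoint.Processes by Processes.process_name",
            how_to_implement="Map endpoint process events to the Endpoint data model.",
            known_false_positives="Administrative scripting.",
            attack=["T1059.001"], kill_chain_phases=["Exploitation"],
            cis_controls=["CIS 8"], data_models=["Endpoint"],
            confidence="medium", creation_date="2022-07-01",
        ),
        StorySearch(
            description="Network beacon",
            search="| tstats count from datamodel=Network_Traffic by All_Traffic.dest",
            known_false_positives="Legitimate polling agents.",
            attack=["T-1071"],                 # deliberately malformed id
            data_models=["Network_Traffic"],   # not declared on the story, not populated
        ),
    ],
)


def sample_problems():
    """Run the checks against the constructed story with only Endpoint populated."""
    return check_story(SAMPLE_STORY, populated_models={"Endpoint"})
```

Running sample_problems() reports four issues for the constructed story: the second search lacks implementation guidance, carries a malformed ATT&CK id, depends on a data model that is not populated, and uses a data model the story never declares. The same check_story call can be pointed at any story record you assemble from the fields the dashboard shows.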

Last modified on 01 July, 2022

This documentation applies to the following versions of Splunk® Security Essentials: 3.6.0
