Use Analytic Stories for actionable guidance in Splunk Security Essentials
The Splunk Security Research team writes Analytic Stories that provide actionable guidance for detecting, analyzing, and addressing security threats. An Analytic Story contains the searches you need to implement the story in another environment. It also provides an explanation of what the search achieves and how to convert a search into adaptive response actions, where appropriate. For more information about Analytic Stories, see Use Analytic Stories for actionable guidance in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.
To access Analytic Stories in Splunk Security Essentials, follow these steps:
- In Splunk Security Essentials, select the Analytics Advisor tab.
- From the dropdown, select Analytic Story Detail.
Investigate an Analytic Story
The Analytic Story page in Splunk Security Essentials contains details about the Analytic Story and the searches used to find the data used to generate the Analytic Story.
To populate the dashboard, follow these steps:
- Choose the Analytic Story you want to investigate from the Select… menu.
- Select Run Analytics.
See details
After the analytics finish running, these details are visible:
Field | Description |
---|---|
Category | The high-level category of the Analytic Story. |
Version | The version of the particular Analytic Story. |
Created | The date the Analytic Story was created. |
Description | The high-level description of the Analytic Story. |
Narrative | The in-depth narrative describing the Analytic Story. |
ATT&CK | The MITRE ATT&CK codes. |
Kill Chain Phases | The phases in the kill chain. |
Data Model | The data that is in use by the detection searches for this Analytic Story as mapped to the Splunk data models via the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason. |
References | URL links to references relevant to the Analytic Story. |
Identify Analytic Story Searches
After the analytics finish running, this information about the search is visible:
Field | Description |
---|---|
Description | The high-level description of the search. |
Search | The SPL search that has been used to generate data related to the Analytic Story. |
How to Implement | Information about how to implement the SPL search. |
Known False Positives | The known false positives in the SPL search. |
ATT&CK | The MITRE ATT&CK codes. |
Kill Chain Phases | The phases in the kill chain. |
CIS Controls | The Center for Internet Security controls. |
Data Models | The data that is in use by the detection searches for this Analytic Story as mapped to the Splunk data models via the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason. |
Confidence | The degree of confidence in the analysis. |
Creation Date | The date the search was created. |
To reconfigure a search related to the Analytic Story, select the Configure button. That button redirects you to the Security Content page in Splunk Security Essentials.
This documentation applies to the following versions of Splunk® Security Essentials: 3.6.0