Review your content with the Security Content page
The Security Content page is the main landing page for Splunk Security Essentials. The Security Content page provides a complete list of content and gives you the ability to dive deeper into any individual item using a variety of filters. Splunk Security Essentials includes more than 120 detection searches. These detection searches are documented in the app on the Security Content page. Navigate to Security Content > Security Content and click Edit under the Filters heading to add or remove filters to help find the capabilities most relevant to you. The filters that appear by default are described in the following list:
- Use the Journey filter to filter content based on where you are in your security journey. For more information on security journey stages, see Security maturity journey stages.
- Use the Category filter to filter content based on a specific category.
- Use the Data Sources filter to filter content from a specific data source.
- Use the Analytic Story filter to filter content based on a specific analytic story. An analytic story is a use case built to detect, investigate, and respond to a specific threat. A group of detections and a response make up an analytic story.
- Use the Originating App filter to filter content based on the source of the content, such as custom content originating from a third-party application. For more information on adding custom content from a third-party application or add on, see Create custom content from third-party applications.
- Use the Risk Object Type filter to filter content based on its level of risk.
- Use the Threat Object Type filter to filter content based on the type of threat.
After you configure your filters, corresponding content appears with a description, log sources, and the associated MITRE or Cyber Kill Chain phases. Click on a piece of content to learn more about it. Bookmark content using the bookmark icon to easily navigate to later using the Manage Bookmarks dashboard. For more information, see Track your content with the Manage Bookmarks dashboard.
To manually update the Security Research content on this page, navigate to Configuration > Update Content > Force Update. Otherwise, this content is automatically updated every 24 hours.
Review MITRE ATT&CK techniques and find detections
As you review common cybersecurity attacks and threats, you might notice that most reports list the MITRE ATT&CK techniques used in the attack. You can search for these MITRE ATT&CK techniques in Splunk Security Essentials to quickly see if your environment has detections to help protect against them:
- From the main menu in Splunk Security Essentials, navigate to the Security Content page.
- Copy and paste or enter the list of MITRE ATT&CK techniques from the attack report into the search bar. Alternatively, you can add and use the ATT&CK Technique filter to select the MITRE ATT&CK technique IDs you want to find detections for.
- Review the detections that appear to determine if your environment is protected against the potential attack.
- (Optional) Click Edit to enable the Content Enabled filter and the Data Availability filter. Use the Content Enabled filter to filter the detections based on what detections are already running in your environment. If a detection is enabled, you already have some protection against the listed techniques. Use the Data Availability filter to filter the detections based on if you have the data available for them.
Example: Basic Brute Force Detection
Splunk Security Essentials includes more than 120 detection searches that include context so you can understand the impact of a search, how it works, adapt it to the particulars of your environment, and handle the alerts that will be sent afterward. If you click on one of these detection searches, such as Basic Brute Force Detection, you see the following information:
- Data Source Links: Click on these links to see several popular technologies, not just a list of technologies that provide those data sources. You can also find the Installation documentation here.
- Related Splunk Capabilities, Known False Positives, How to Respond and so on: Expand these boxes to learn how to implement and respond to these searches.
- Enable SPL Mode: Turn on SPL mode to see the prerequisite checks that make sure you have the right data onboarded, get the Open in Search buttons, and be able to click Schedule Saved Search to save this search right from the app.
- View: The View buttons show a list of what searches are available for each example.
Use Enterprise Security Content Update content
In addition to accessing the Splunk Security Essentials content, you can also deploy your Enterprise Security Content Update content.
- In Splunk Security Essentials, navigate to Security Content > Security Content.
- Click Originating App > Enterprise Security Content Update
Depending on the content, you might see information such as the search, additional information, the data sources, tactics and techniques, and compliance mapping. If the Enterprise Security Content Update app is installed, you can click Open in ESCU to open the content in the ESCU app and schedule in Splunk Enterprise Security.
Use the Configuration menu to Customize Splunk Security Essentials | See visualizations in the Overview dashboard |
This documentation applies to the following versions of Splunk® Security Essentials: 3.6.0
Feedback submitted, thanks!