Use the schemas in Splunk Security Essentials
Splunk Security Essentials (SSE) requires a standard format for all content in the app. You can find the formatting in the following locations:
| Location | Format |
|---|---|
| Main | ShowcaseInfo.json |
| Native SSE | showcase_simple_search.json showcase_first_seen_demo.json showcase_standard_deviation.json |
Most use cases only require ShowcaseInfo.json schema. For example, in partner integrations, configurations automatically merge into ShowcaseInfo.json, and you don't need to use any of the search builder files.
SSE uses the following two schemas:
- ShowcaseInfo.json. To reference the ShowcaseInfo.json schema and see examples of it in the code, see ShowcaseInfo.json schema.
- Search builder content. To reference the search builder content schema and see examples of it in the code, see Search builder.
ShowcaseInfo.json schema
The following table is a point-in-time reference of the fields in the ShowcaseInfo.json file.
| JSON field name | Descriptive field | Relevance | Description | Examples |
|---|---|---|---|---|
| name | Name | All | The name of the example (for example, "New Local Admin Account"). Include a maximum of 150 characters and avoid punctuation if possible. | Basic Brute Force Detection |
| description | Description | All | The primary description of your custom content. Include 250–300 characters. | |
| highlight | Featured | All | Whether content appears on the main page. | No |
| advanced tags | Advanced Tags | All | Optional tags in the Advanced filter. | Cool Search |
| alertvolume | Alert Volume | All | Categorize the volume of the search. | Medium |
| bookmark_status | Bookmarked Status | All | The method SSE uses to track content. | Bookmarked |
| category | Category | All | A user-defined field. | IAM Analytics |
| data_source_categories | Data Source Categories | All | The data-source category ID that maps to data_inventory.json. | DS0003Authentication-ET02Failure |
| domain | Security Domain | All | The security domain. Options are Access, Network, Endpoint, Threat, and Other. | Access |
| hasSearch | Has Search | All | Whether the detection includes the related search string. | Yes |
| icon | Icon | All | The icon that appears wherever the icon tile appears, using BuildTile.js. | |
| journey | Journey | All | The stage of the journey at which the content appears. | Stage_1 |
| killchain | Kill Chain Phase | All | The phase of the kill chain. | Actions on Objectives |
| mitre_tactic | MITRE ATT&CK
and Pre-ATT&CK Tactics |
All | The pipe-delimited list of MITRE ATT&CK Tactic IDs. | TA0006 |
| mitre_technique | MITRE ATT&CK and Pre-ATT&CK Techniques | All | The pipe-delimited list of the MITRE ATT&CK Technique IDs. | T1110 |
| released | Released | All | The release number. | 3.0.0 |
| searchkeywords | Search Keywords | All | The automatically indexed search keywords, which include the description, title, category, use case, response, implementation, and help, as well as known false positives. To add highly weighted custom keywords, include them as space-separated values. | login log in logon log on sign |
| severity | Severity | All | The severity of the event. This value doesn't surface in the UI but is available as an enrichment field through the sseanalytics command.
|
Medium |
| SPLEase | SPL Ease | All | The level of expertise to use SPL for your content. | Basic |
| usecase | Use Case | All | The high-level description of the use case for your content. | Security Monitoring |
| additional_context | Array of Custom Panels | All | The option to include custom panels. | |
| additional_context | Custom Panel: Detail | All | An optional text block. Supports Markdown. | |
| additional_context.link | Custom Panel: Link | All | An optional URL that allows users to navigate to a helpful website. If defined, a Learn More… button appears. | Learn more… |
| additional_context.open_panel | Open Custom Panel | All | Whether the custom panel is open by default. | |
| additional_context.search | Custom Panel: Code Block Contents | All | A display of raw code, like SPL. Code highlighting appears automatically. | |
| additional_context.search_label | Custom Panel: Code Block Title | All | A text-only label for the search, directly before the pre tag. If undefined, the label displays Search.
|
Example |
| additional_context.search_lang | Custom Panel: Code Block Language | All | An optional tag to identify the language of the code on display. If undefined, the tag identifies SPL. The default languages for highlight.js are supported. | conf |
| additional_context.title | Custom Panel: Title | All | A text-only label that names a custom panel. If undefined, the label displays "Additional Context." | Config settings |
| help | Help | All | A field that allows users to seek help. Supports Markdown. | |
| howToImplement | How to Implement | All | Optional text that describes how to implement a detection. Supports Markdown. | |
| knownFP | Known False Positives | All | Optional text that describes the known false positives that are created in a search. Supports Markdown. | |
| operationalize | How to Respond | All | Optional text that describes how to respond to a search. Supports Markdown. | |
| printable_image | Printable Image URL | All | Optional screenshot showing demo results when creating a PDF export. | |
| relevance | Security Impact | All | Text describing why your content is important. Supports Markdown. | |
| open_search_panel | Open Search Panel | All | Whether the search panel is open by default. If you provide a search string, this setting defaults to true. | Text String: "False" |
| search | Search String | All | Optional search string. | |
| search_name | Saved Search Name | All | The saved search name available in Correlation Search Introspection. Maps to the stanza name in the savedsearches.conf file. | ESCU - Abnormally High AWS Instances Terminated By User - Rule |
| company_description | Company Description | Partners | Description of your company. Supports Markdown. | Your Short Company Description |
| company_link | Company Link | Partners | An optional URL that allows users to navigate to your company's website. If defined, a Learn More... button appears. | https://www.splunk.com |
| company_logo | Company Logo | Partners | The URL and dimensions to an image of your company's logo. The dimensions must be less than 250 px in height and 500 px in width. | https://…/yourlogo.png |
| company_logo_height | Company Logo: Height | Partners | The height of your company's logo in pixels. | 200 |
| company_logo_width | Company Logo: Width | Partners | The width of your company's logo in pixels. | 400 |
| company_name | Company Name | Partners | The name of your company. | Company Name |
| create_data_inventory | Create data Inventory | Partners | If defined as True, this field creates an entry in the Data Inventory and overwrites the existing data_source_categories field. | Obj: True |
| inSplunk | Solved in Splunk | Partners | Marks functionality that exists in an environment but outside Splunk Enterprise. | Yes |
| escu_cis | ESCU - CIS Mapping | ESCU Authors | ES Content Update Specific: The CIS Mapping | CIS 13 |
| escu_data_source | ESCU - Data Source | ESCU Authors | ES Content Update Specific: The Data Sources | AWS CloudTrail Logs |
| escu_nist | ESCU - NIST Mapping | ESCU Authors | ES Content Update Specific: The NIST Mapping | DE.DP |
| escu_providing_technologies | ESCU - Providing Technologies | ESCU Authors | ES Content Update Specific: The technologies that enable a detection | AWS |
| story | ESCU - Story ID | ESCU Authors | ES Content Update Specific: Story ID | 2e8948a5-5239-406b-b56b-6c50f1268af3 |
| examples | Array of Examples for Detection | SSE Authors | An added object to the examples array. One adds for each kind of search (Live Data, Demo Data, Accelerated Data, and the like). | |
| examples.label | Name for Example | SSE Authors | The name of the example. | Live Data |
| examples.name | ID in Search Builder JSON | SSE Authors | The machine-readable name of the content. Don't include spaces or special characters. Custom content is overwritten by the channel definition. | Splunk_Security_Essentials |
| dashboard | Dashboard | SSE Authors | The name of a dashboard users go to after they select its name. Append any fields to the name. | showcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo |
| displayapp | Display App | SSE Authors | The name of the content. Custom content is overwritten by the channel definition. | Splunk Security Essentials |
| visualizations | Array of Visualization Objects | SSE Authors | The native Splunk Viz or screenshot visualizations you want to include in SSE. | |
| visualizations.basesearch | Base Search | SSE Authors | If defined, the value that initializes a base search and post-process in the visualizations.search field. Define this setting when you have multiple panels with input from the same dataset so the same search doesn't run multiple times. | |
| visualizations.dashboard | Dashboard Name | SSE Authors | The visualization that appears near the dashboard name when using automatic dashboards. You can have 10–30 dashboards on each panel. | Essential Network Security |
| visualizations.description | Panel Description | SSE Authors | Optional description that appears when using automatic dashboards. | Provides a running count of identified DNS connections over time. |
| visualizations.header | Dashboard Header | SSE Authors | The visualization that appears near the header when using automatic dashboards. Use 1–5 panels for the header. | DNS Traffic |
| visualizations.hideInSearchBuilder | Hide in Search Builder | SSE Authors | If defined as True, a visualization appears in automatic dashboards but not the search builder. | Obj: True |
| visualizations.panel | Panel ID | SSE Authors | The panel in which a visualization made in the search builder renders. The panel contains three columns and rows. | row1cell1 |
| visualizations.path | Image URL | SSE Authors | The path to the visualization for the visualizations.type field. | |
| visualizations.recommended | Is Base Search | SSE Authors | Whether to mark panels in the automatic dashboarding feature as recommended. | Obj: True |
| visualizations.search | Search String | SSE Authors | The search string for the visualization. | |
| visualizations.title | Panel Title | SSE Authors | The title of the visualization. | DNS Traffic Over Time |
| visualizations.type | Image or Visualization | SSE Authors | Whether a visualization is an image or a Splunk Viz. | Image |
| visualization.vizParameters | Parameters For Native Viz | SSE Authors | The parameters referenced when you initialize Splunk Viz using SplunkJS. | |
| visualizations.vizType | Visualization Type | SSE Authors | What type a Splunk Viz is. Options are ChartElement, SingleElement, MapElement, and TableElement. | TableElement |
| anomalies | UBA: Array of ShowcaseIDs for UBA Anomalies | UBA Authors | UBA specific. A list of SSE IDs for any UBA anomalies the threat sees. Each resolves to a threat. Often, the ID matches regex TT\d*. | |
| contributes_to_threats | UBA: Array of ShowcaseIDs for UBA Threats | UBA Authors | UBA specific. An array that contains objects for each detection related to anomaly types. | |
| detections.data_source | UBA: Array of DSC IDs | UBA Authors | UBA specific. A proper JSON array with DSC IDs that resolve to the data_inventory.json file, just like the data_source_categories field, except the detections.data_source field is a true JSON field rather than a pipe-delimited string. | DS009EndPointIntel-ET01ProcessLaunch |
| detections.descriptions | UBA: Description for the Detection | UBA Authors | UBA specific. Description of the detection related to an anomaly type. | |
| detections.id | UBA: ID for the Detection | UBA Authors | Not currently in use. | |
| detections.internal_id | UBA: Internal ID for the Detection | UBA Authors | Not currently in use. | |
| detections.name | UBA: Detection Name | UBA Authors | UBA specific. The name of the detection related to an anomaly type. | |
| internal_id | UBA: Internal ID | UBA Authors | Not currently in use. | |
| is_custom | UBA: Is a Custom Threat | UBA Authors | UBA specific. Not currently in use, but displays whether a threat is a rule-based custom threat rather than an ML-detected threat. | Yes |
| long_description | UBA: Long Description | UBA Authors | UBA specific. A description field not subject to character limits, like other description fields. Appears if a user selects an anomaly or threat. |
Unless noted otherwise, multivalue fields populate with pipes separating each element. For example, content mapped to Security Monitoring and Advanced Detection appears as follows:
{
"usecase": "Security Monitoring|Advanced Threat Detection"
}
To find valid values, use the following example search:
| sseanalytics | fieldsummary | table field *count values
ShowcaseInfo.json examples
Review the following examples to learn more:
- Partner content
- Simple content
- Native content
- Product-specific content
- Visualizations
- Dashboard panels
Partner content
SSE expects to download a JSON file. Each top-level key must be the ID of the showcase:
{
"buttercuplabs_detect_bad_ponies": {
"name": "Detect Bad Ponies",
"inSplunk": "yes",
"journey": "Stage_1",
"usecase": "Security Monitoring",
"highlight": "Yes",
"id": "buttercuplabs_detect_bad_ponies",
"channel": "ButtercupLabs",
"alertvolume": "Low",
"severity": "Very High",
"category": "Account Compromise",
"description": "This detection uses advanced analytics to determine which ponies are not good.",
"domain": "",
"killchain": null,
"SPLEase": "None",
"searchkeywords": "",
"advancedtags": "",
"printable_image": "",
"icon": "https://static.mylogocloud.com/shop/store/20180213730/assets/items/largeimages/SPK0153.jpg",
"company_logo": "https://image.slidesharecdn.com/splunklivesfhowtoalignyourdailysplunkactivitiesbreakoutsession-160317192319/95/how-to-align-your-daily-splunk-activities-breakout-session-23-638.jpg?cb=1458242654",
"company_logo_width": "444",
"company_logo_height": "250",
"company_name": "Buttercup Labs",
"company_description": "Buttercup Labs is the premier distributor of Pony-related security analytics. We have been protecting organizations from bad ponies for over 10 years now.\n\\n\\n\nEnjoy our freely available content for detecting bad ponies in your environment, and reach out to us for a demo or trial license of our premium Pony Detection app!\n\\n\\n\nHave you successfully found bad ponies in your own environment? Buttercup Labs is hiring! We are a wholly owned subsidiary of Buttercup Games, and are a proudly equal opportunity employer. We welcome ponies of all heights, colors, hoof styles, sexual orientations, and neurodiversities.",
"company_link": "http://buttercupgames.com/",
"dashboard": "showcase_custom?showcaseId=buttercuplabs_detect_bad_ponies",
"relevance": "Placeholder Text",
"help": "",
"howToImplement": "Placeholder Text",
"knownFP": "Placeholder Text",
"operationalize": "Placeholder Text",
"search": "index=buttercup sourcetype=content",
"data_source_categories": "DS003Authentication-ET02Failure|DS003Authentication-ET01Success",
"mitre_technique": "T1098|T1003",
"mitre_tactic": "TA0006"
}
}
Simple content
Simple content requires less configuration than other types of content:
{
"phantom_ec2_instance_isolation": {
"alertvolume": "Very Low",
"app": "Splunk_Phantom",
"category": "Account Compromise|IAM Analytics|Account Sharing|SaaS|Insider Threat",
"dashboard": "showcase_phantom?showcaseId=phantom_ec2_instance_isolation",
"data_source_categories": "VendorSpecific-aws-cloudtrail",
"description": "Isolate an EC2 instance by changing its security group in order to protect it from malicious traffic. This playbook can be started alone or used from another playbook after doing investigation and notification.",
"displayapp": "Splunk Phantom",
"domain": "Access",
"hasSearch": "No",
"help": "Simply deploy Splunk Phantom and work with your technical team to deploy this.",
"highlight": "Yes",
"howToImplement": "This playbook can be triggered off of several example searches available in the Splunk Security Essentials app to take immediate action to quarantine an instance when suspicious behavior has been detected.",
"icon": "phantom_logo.png",
"includeSSE": "Yes",
"journey": "Stage_5",
"name": "EC2 Instance Isolation",
"operationalize": "Depending on the use case, this playbook can be modified using several of the available Splunk Phantom apps to increase the scope of the actions taken in this playbook. For example, using the AWS WAF or AWS IAM app, additional actions can be added based on the type of alert triggered.",
"printable_image": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png",
"released": "3.0.0",
"relevance": "Compromised AWS credentials can allow a malicious actor access to currently running instances and configurations as well as the ability to start new instances and services. By detecting suspicious behavior early this playbook allows for a security team to react quickly and further investigate any suspicious behavior.",
"searchKeywords": "",
"usecase": "Advanced Threat Detection|Insider Threat|SOC Automation",
"visualizations": [
{
"panel": "row1cell1",
"path": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png",
"title": "EC2 Instance Isolation",
"type": "image"
}
]
}
}
Native content
When developing native content for SSE, you have additional fields available:
{
"new_cloud_provider": {
"SPLEase": "Medium",
"alertvolume": "High",
"app": "Splunk_Security_Essentials",
"category": "Data Exfiltration|Insider Threat|Shadow IT",
"dashboard": "showcase_first_seen_demo?ml_toolkit.dataset=New Cloud Provider for User - Demo",
"data_source_categories": "DS005WebProxyRequest-ET01RequestedWebAppAware",
"description": "<p>Detect a user who is accessing a cloud storage provider they've never used before.</p>",
"displayapp": "Splunk Security Essentials",
"domain": "Network",
"examples": [
{
"label": "Demo Data",
"name": "New Cloud Provider for User - Demo"
},
{
"label": "Live Data",
"name": "New Cloud Provider for User - Live"
},
{
"label": "Accelerated Data",
"name": "New Cloud Provider for User - Accelerated"
}
],
"hasSearch": "Yes",
"help": "<p>This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Palo Alto Networks events. For this analysis, we are effectively grouping by username and app name after filtering for the category, which gives us a row for each username+appname combination. We check if the first time that has occurred was in the last day.</p>",
"highlight": "Yes",
"howToImplement": "<p>Implementation of this example (or any of the First Time Seen examples) is generally very simple. <ul><li>Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.</li><li>Save the search.</li></ul></p><p>For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you want to run this search more frequently, or if this search is too slow for your environment, leverage a lookup cache. For more on this, see the lookup cache drop-down list below and select the sample item. A window pop ups telling you more about this feature.</p>",
"icon": "Core_Use_Case.png",
"includeSSE": "Yes",
"journey": "Stage_2",
"killchain": "Actions on Objectives",
"knownFP": "<p class=\"disclaimer\">This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it accurately reflects the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.</p><p>Do not review these alerts directly (except for access to extremely sensitive systems), but instead use them for context or to aggregate risk (as mentioned under How To Respond).</p> ",
"mitre_tactic": "TA0010|TA0011",
"mitre_technique": "|T1048|T1102",
"name": "New Cloud Provider for User",
"operationalize": "<p>When this search returns values, validate whether the usage of this cloud provider is permitted by your policy, and investigate what data is being stored there. Common allowable scenarios can be uploading into a box folder provided by a vendor for secure support file upload, which might be allowable, versus the backup of data to a personal Google Drive account. Ultimately this search generates many shades of gray, so it's prudent to understand supporting information such as the amount of data transmitted before reaching out to the employee or their manager to determine next steps.</p>",
"phantomPlaybooks": [
"phantom_malicious_insider_containment",
"phantom_prompt_and_block_domain"
],
"printable_image": "/static/app/Splunk_Security_Essentials/images/printable_demo_images/new_cloud_provider.png",
"released": "2.2.0",
"relevance": "Data exfiltration techniques vary across the world, but certainly a very common approach taken in 2018 is to upload data to a non-corporate file storage solution. Tracking new file storage solutions end up in your environment is a key capability to track where data flows in your organization along with the adoption of Shadow IT.",
"searchKeywords": "",
"usecase": "Insider Threat|Security Monitoring"
}
}
Product-specific content
Splunk products have unique configurations that vary by product.
Splunk Enterprise Security
{
"search_name": "Change - Abnormally High Number of Endpoint Changes By User - Rule",
}
Splunk Enterprise Security Content Update
{
"escu_cis": "CIS 13",
"escu_data_source": "AWS CloudTrail logs",
"escu_nist": "DE.DP|DE.AE",
"escu_providing_technologies": "AWS",
"search_name": "ESCU - Abnormally High AWS Instances Terminated by User - Rule",
"story": "2e8948a5-5239-406b-b56b-6c50f1268af3"
}
The Enterprise Security Content Updates (ESCU) Story ID in the story field references the story object in the ShowcaseInfo.json file. The story object is a low-level field hosted at ShowcaseInfo['escu_stories']. This is the story detail referenced in the previous example code:
{
"2e8948a5-5239-406b-b56b-6c50f1268af3": {
"detections": [
"detection_abnormally_high_instance_termination",
"detection_ec2_instance_created_by_previously_unseen_user",
"detection_aws_activity_in_new_region",
"detection_abnormally_high_instances_launched"
],
"escu_category": [
"Cloud Security"
],
"investigations": [
"AWS Investigate User Activities By ARN",
"Get EC2 Instance Details by instanceId",
"Get Notable History",
"Get Notable Info",
"Get User Information from Identity Table",
"Investigate AWS activities via region name",
"Get EC2 Launch Details"
],
"modification_date": "2018-02-09",
"name": "Suspicious AWS EC2 Activities",
"narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.",
"references": [
"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"
],
"responses": [],
"story_id": "2e8948a5-5239-406b-b56b-6c50f1268af3",
"support": [
"Previously Seen EC2 Launches By User",
"Previously Seen AWS Regions"
]
}
}
Splunk User Behavior Analytics anomalies
{
"anomalies": [
"AT11",
"AT06"
],
"internal_id": "Potential_Flight_Risk_Exfiltration",
"long_description": "This threat brings to light users who are possible flight risks. However, in addition to being a flight risk, this user has also performed actions that signal that it may be possible they will exfiltrate data. Actions that lead to exfiltration of data in this instance are events such as: suspicious data movement, upload of information to a cloud file system, or a DLP external alarm. ",
"is_custom": "Yes",
}
Splunk User Behavior Analytics threats
{
"anomalies": [
"AT11",
"AT06"
],
"internal_id": "Potential_Flight_Risk_Exfiltration",
"long_description": "This threat brings to light users who are possible flight risks. However, in addition to being a flight risk, this user has also performed actions that signal that it may be possible they will exfiltrate data. Actions that lead to exfiltration of data in this instance are events such as: suspicious data movement, upload of information to a cloud file system, or a DLP external alarm. ",
"is_custom": "Yes",
}
Visualizations
SSE native search builders support custom visualizations including screenshots and dashboard panels.
For screenshots, use the following code:
{
"visualizations": [
{
"panel": "row1cell1",
"path": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png",
"title": "EC2 Instance Isolation",
"type": "image"
}
]
}
Because searches differ, define dashboard panel configurations like the one in this example in the search builder JSON file:
{
"visualizations": [
{
"dashboard": "General Windows and Linux Posture",
"header": "AV Data",
"panel": "row1cell1",
"search": "| `Load_Sample_Log_Data(Symantec Endpoint Protection Operations)` |stats max(eval(if(like(Event_Description, \"%LiveUpdate session ran successfully%\") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag=\"error\", _time, null))) as LatestError by Host_Name | eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, \"-3d\") OR LatestError > LatestUpdate , \"No\", \"Yes\") | lookup gdpr_system_category host as Host_Name| search category=* | stats count by Up_To_Date",
"title": "Percentage of In-Scope Hosts with Up To Date AV",
"type": "viz",
"vizParameters": {
"charting.chart": "pie",
"link.exportResults.visible": "false",
"link.inspectSearch.visible": "false",
"link.openPivot.visible": "false",
"link.openSearch.visible": "false",
"link.visible": "false",
"refresh.link.visible": "false",
"resizable": true
},
"vizType": "ChartElement"
},
{
"dashboard": "General Windows and Linux Posture",
"header": "AV Data",
"panel": "row1cell2",
"search": "| `Load_Sample_Log_Data(Symantec Endpoint Protection Operations)` |stats max(eval(if(like(Event_Description, \"%LiveUpdate session ran successfully%\") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag=\"error\", _time, null))) as LatestError by Host_Name | eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, \"-3d\") OR LatestError > LatestUpdate , \"No\", \"Yes\") | search Up_To_Date = Yes | lookup gdpr_system_category host as Host_Name| search category=*| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError) ",
"title": "Hosts with Up To Date AV",
"type": "viz",
"vizParameters": {
"link.exportResults.visible": "false",
"link.inspectSearch.visible": "false",
"link.openPivot.visible": "false",
"link.openSearch.visible": "false",
"refresh.link.visible": "false",
"resizable": true
},
"vizType": "TableElement"
}
]
}
Search builder
The search builder files are those used to display a file. SSE contains five search builder files:
| Dashboard | Dashboard name | JSON file | Notes |
|---|---|---|---|
| showcase_simple_search | Simple Search | showcase_simple_search.json | For the majority of native SSE content, this search builder runs a search string without any additional SPL. |
| showcase_first_seen_demo | First Time Seen | showcase_first_seen_demo.json | The first time this search builder takes a base dataset and two fields used for splitting, if that happens in the last 24 hours, the file applies logic for alerting. This search builder has high-scale versions, allowing users to cache the result to a lookup. A peer group option is available, also, allowing the search to find values that are new not only for the entity in question, but also for the peer group (or department, geo, and the like). |
| showcase_standard_deviation | Time Series Spike | showcase_standard_deviation.json | This search builder takes a base dataset that is already aggregated each day, a field representing a numerical measure, and a feature for the entity the system intends to analyze. This search builder then performs a standard-deviation analysis to find unusually high values. |
| showcase_phantom | Splunk Phantom | ShowcaseInfo | This search builder is used for Splunk Phantom content. |
| showcase_custom | Custom Content | ShowcaseInfo | This search builder is used for custom content and partner content. |
Schema
| JSON field name | Descriptive field | Search builder | Description | Examples |
|---|---|---|---|---|
| label | Name | All | Matches the examples.name field from the ShowcaseInfo.json file and must match the ID. | Emails With Lookalike Domains - Demo |
| value | Search | All | The search string. Line breaks in the SPL are implemented through \n and the number of lines must match the length of the description array. | index=abc \n |
| description | Line-by-Line SPL Documentation | All | An array that contains the line-by-line SPL docs. The number of elements in the array must match the number of \n values plus one. | "Base Data", "Count them", "Filter" |
| Prereqs | Array of Pre-Requisites | All | An array that contains all of the prerequisite objects. | |
| prereqs.field | Pre-Req Field | All | The field that determines whether the prerequisite is satisfied. | count |
| prereqs.greaterorequalto | Pre-Req Min Value | All | The value of the field in prereqs.field must be greater than or equal to. | 1 |
| prereqs.name | Pre-Req Name | All | The label provided to the user for this prerequisite. | "Must have data" |
| prereqs.resolution | Pre-Req Resolution | All | Description of how the user can satisfy a prerequisite. | Install an add-on. |
| prereqs.test | SPL for Pre-Req | All | The search that runs for prerequisite. | |
| actions_createNotable | Create Risk | All | Whether a notable event is created. Triggers Splunk Enterprise Security workflows. | 1 |
| actions_createRisk | Create Risk | All | Whether to create a risk object for a search. | 1 |
| actions_riskObject | Risk Object | All | The risk_object field, as aligned with the Splunk Enterprise Security risk framework. | Computer_Name |
| actions_riskObjectScore | Risk Score | All | The risk_score field, as aligned with the Splunk Enterprise Security risk framework. | 60 |
| actions_riskObjectType | Risk Object Type | All | The risk_object_type field, as aligned with the Splunk Enterprise Security risk framework. | system |
| actions_UBASeverity | UBA Severity | All | An indication that SSE must send an event to Splunk User Behavior Analytics with a severity. | 5 |
| visualizations | Array of Visualizations Objects | All | The native Splunk Viz or screenshot visualizations you want to include in SSE. | |
| visualizations.basesearch | Base Search | All | If defined, the value that initializes the base search and post-process in the visualizations.search file. Define this setting when you have multiple panels with input from the same dataset so the same search doesn't run multiple times. | |
| visualizations.dashboard | Dashboard Name | SSE Authors | The visualization that appears near the dashboard name when using automatic dashboarding. You can have 10–30 dashboards on each panel. | Essential Network Security |
| visualizations.description | Panel Description | SSE Authors | Optional description that appears when using automatic dashboarding. | Provides a running count of identified DNS connections over time. |
| visualizations.header | Dashboard Header | SSE Authors | The visualization that appears near the header when using automatic dashboarding. Use 1–5 panels for the header. | DNS Traffic |
| visualizations.hideInSearchBuilder | Hide in Search Builder | SSE Authors | If defined as "True", a visualization appears in automatic dashboards but not the search builder. | Obj: True |
| visualizations.panel | Panel ID | SSE Authors | The panel in which a visualization made in the search builder renders. The panel contains three columns and rows. | row1cell1 |
| visualizations.path | Image URL | SSE Authors | The path to the visualization for the visualizations.type file. | |
| visualizations.recommended | Is Base Search | SSE Authors | Whether to mark panels in the automatic dashboarding feature as Recommended. | Obj: True |
| visualizations.search | Search String | SSE Authors | The search string for the visualization. | |
| visualizations.title | Panel Title | SSE Authors | The title of the visualization. | DNS Traffic Over Time |
| visualizations.type | Image or Visualization | SSE Authors | Whether a visualization is an image or a Splunk Viz. | Image |
| visualization.vizParameters | Parameters For Native Viz | SSE Authors | The parameters referenced when you initialize Splunk Viz using SplunkJS. | |
| visualizations.vizType | Visualization Type | SSE Authors | What type a Splunk Viz is. Options are ChartElement, SingleElement, MapElement, and TableElement. | TableElement |
| OutlierPeerGroup | Peer Group | First Time Seen | The option to perform peer-group analysis. Deactivated by default but can be activated. | |
| outlierValueTracked1 | Value #1 | First Time Seen | First Time Seen splits by two values. Most often, the first value is the subject (for example, user, dest, src, and the like). | user |
| outlierValueTracked2 | Value #2 | First Time Seen | First Time Seen splits by two values. Most often, the second value is the unusual attribute (for example, geo, API, and the like). | eventName |
| cardinalityTest | Cardinality Test | Time Series Spike | The SPL that tests whether a split-by results in an excessive number of results. | |
| outlierSearchType | Search Type | Time Series Spike | Reserved for future use. Must be Avg currently. | Avg |
| outlierVariable | Numeric Measure | Time Series Spike | The value containing the count the system measures. | count |
| outlierVariableSubject | Subject | Time Series Spike | The subject or entity the system is monitoring. Options include user, src, dest, or any other Splunk field. | user |
| scaleFactor | # of StDevs | Time Series Spike | The number of standard deviations required for the system to consider a detection atypical. Usually, use 3 for anomaly detection and 10 for high confidence. | 6 |
| windowSize | windowSize | Time Series Spike | Not currently in use. Value must be 0. | 0 |
Search builder examples
Simple search
{
"DynDNS - Live": {
"actions_UBASeverity": 7,
"actions_createRisk": 1,
"actions_riskObject": "user",
"actions_riskObjectScore": 30,
"actions_riskObjectType": "user",
"description": [
"First we bring in our dataset of proxy logs.",
"Because we are looking for dynamic DNS providers, we're going to need to separate out subdomains from the registered domain. URL Toolbox is just the tool for this job!",
"Next we can use our lookup of DNS domains (see How to Implement). This adds a field called inlist with the value \"true\" for any matches.",
"And finally we can look for those records that are matches.",
"With our dataset complete, we just need to arrange the fields to be useful."
],
"label": "DynDNS - Live",
"prereqs": [{
"field": "count",
"greaterorequalto": 1,
"name": "Must have Proxy data",
"resolution": "Proxy data can come in many forms, including from Palo Alto Networks and other NGFWs, dedicated proxies like BlueCoat, or network monitoring tools like Splunk Stream or bro.",
"test": "| metasearch earliest=-2h latest=now index=* sourcetype=pan:threat OR (sourcetype=opsec URL Filtering) OR sourcetype=bluecoat:proxysg* OR sourcetype=websense* | head 100 | stats count "
},
{
"field": "count",
"greaterorequalto": 1,
"name": "Must have URL Toolbox Installed",
"resolution": "The URL Toolbox app, written by Cedric Le Roux, provides effective URL Parsing. Download <a href=\"https://splunkbase.splunk.com/app/2734/\">here</a>.",
"test": "| rest /services/apps/local | search disabled=0 label=\"URL Toolbox\" | stats count"
}
],
"value": "index=* sourcetype=pan:threat OR (tag=web tag=proxy) earliest=-20m@m earliest=-5m@m \n| eval list=\"mozilla\" | `ut_parse_extended(url,list)`\n| lookup dynamic_dns_lookup domain as ut_domain OUTPUT inlist\n| search inlist=true \n| table _time ut_domain inlist bytes* uri",
"visualizations": [{
"panel": "row1cell1",
"header": "DNS Traffic",
"dashboard": "Essential Network Security",
"description": "Provides a running count of identified DNS connections over time",
"search": "| `Load_Sample_Log_Data(Sample Firewall Data)` | search dest_port=53 OR app=dns | timechart count",
"title": "DNS Traffic Over Time",
"type": "viz",
"vizParameters": {
"charting.chart": "column"
},
"vizType": "ChartElement"
},
{
"panel": "row1cell2",
"header": "DNS Traffic",
"dashboard": "Essential Network Security",
"recommended": false,
"description": "Shows the top destinations for DNS traffic. These are your DNS servers, or a standard upstream DNS server.",
"basesearch": "index=* sourcetype=pan:threat OR (tag=web tag=proxy) (dest_port=53 OR app=dns)",
"search": "| `Load_Sample_Log_Data(Sample Firewall Data)` | search dest_port=53 OR app=dns | stats count by dest_ip | sort - count",
"title": "Likely Resolvers",
"type": "viz",
"vizParameters": {},
"vizType": "TableElement"
}
]
}
}
First-time seen
{
"AWS New API Call Per Peer Group - Live": {
"actions_UBASeverity": 7,
"actions_createRisk": 1,
"actions_riskObject": "user",
"actions_riskObjectScore": 30,
"actions_riskObjectType": "user",
"description": [
"First we bring in our basic dataset. In this case, AWS CloudTrail logs, filtered for individual APIs that we want to pay close attention to."
],
"label": "AWS New API Call Per Peer Group - Live",
"outlierPeerGroup": "peer_group_for_git_use_case.csv",
"outlierValueTracked1": "user",
"outlierValueTracked2": "eventName",
"prereqs": [{
"field": "count",
"greaterorequalto": 1,
"name": "Must have AWS CloudTrail data",
"resolution": "In order to run this search, you must have AWS CloudTrail data onboard. Visit the <a href=\"/app/Splunk_Security_Essentials/data_source?technology=AWS%20CloudTrail\">data onboarding guide for AWS CloudTrail in this app</a>, or browse to <a href=\"https://splunkbase.splunk.com/app/1876/\">apps.splunk.com</a> for more information.",
"test": "| tstats count where earliest=-2h latest=now index=* sourcetype=aws:cloudtrail"
}],
"value": "index=* sourcetype=aws:cloudtrail eventType=* NOT errorMessage=* NOT eventName=Describe* NOT eventName=Get* NOT eventName=List*"
}
}
Standard deviation
{
"GCP APIs Called More Often Than Usual Per Account - Live": {
"actions_UBASeverity": 2,
"actions_createRisk": 1,
"actions_riskObject": "data.protoPayload.authenticationInfo.principalEmail",
"actions_riskObjectScore": 10,
"actions_riskObjectType": "user",
"cardinalityTest": "index=* sourcetype=google:gcp:pubsub:message \n| bucket _time span=1d | stats dc(data.protoPayload.authenticationInfo.principalEmail) as count by _time",
"description": [
"First we bring in our basic GCP Audit logs, filtering out list activity.",
"Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same day.",
"Next we use stats to summarize the number of events per user per day."
],
"label": "GCP APIs Called More Often Than Usual Per Account - Live",
"outlierSearchType": "Avg",
"outlierVariable": "count",
"outlierVariableSubject": "data.protoPayload.authenticationInfo.principalEmail",
"prereqs": [{
"field": "count",
"greaterorequalto": 1,
"name": "Must have GCP Audit data",
"resolution": "In order to run this search, you must have GCP Audit data onboard. Browse to <a href=\"https://splunkbase.splunk.com/app/3088/\">apps.splunk.com</a> for more information.",
"test": "| tstats count where earliest=-2h latest=now index=\"*\" sourcetype=google:gcp:pubsub:message"
}],
"scaleFactor": 2,
"value": "index=* sourcetype=google:gcp:pubsub:message NOT data.protoPayload.methodName=v1*.list* NOT data.protoPayload.methodName=storage*.list* \n| bucket _time span=1d \n| stats count by data.protoPayload.authenticationInfo.principalEmail _time",
"windowSize": 0
}
}
Last modified on 03 July, 2023
| Best practices for integrating content with Splunk Security Essentials | Enrich custom content using the ShowcaseInfo.json file |
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1
Download manual
Feedback submitted, thanks!