Finding-based detections available in Splunk Enterprise Security

Note: Finding-based detections in Splunk Enterprise Security are currently released as a preview feature. Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms. To provide feedback, visit the Voice of the Customer portal for finding-based detections and select Send Feedback.

View the available list of finding-based detections in Splunk Enterprise Security to use them to investigate security threats. You can also use these available detections as a model to create your own custom finding-based detections for threat investigation. For example, in the finding-based detection Findings Risk Threshold Exceeded for Entity Over 24 Hour Period, you can increase the risk score threshold by 200 instead of 100 over the last 24 hours if that works for your environment.

Note: You can rename a detection and configure a unique label for tracking purposes. However, renaming only applies to customized detections or clones of detections that are available in Splunk Enterprise Security. Alternatively, you can configure a customized name for a detection available in Splunk Enterprise Security. Renaming a detection applies to real-time and scheduled detections, whether they are turned on or off.

Use a REST search to obtain a list of detections that are available in Splunk Enterprise Security and extract the information in a table.

For example, use the following search to create a table with the app, security domain, name, and description of all the detections in your environment. 

| rest splunk_server=local count=0 /services/saved/searches  | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain | table csearch_name, csearch_label, app, security_domain, description

Use the following search to create a table with only the activated detections and adaptive response actions associated with those detections. 

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | where disabled=0 | eval actions=split(actions, ",")  | table title,actions

If you want to see the adaptive response actions for all detections, remove | where disabled=0.

Following are some examples of finding-based detections included in Splunk Enterprise Security:

Finding-based detection name Description SPL search
Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days Creates findings when the number of MITRE tactics exceeds 3 over the last 7 days. 
| tstats `summariesonly` `common_fbd_fields`, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where [ | generatetimerange "Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule" | return earliest, latest ] All_Risk.annotations.mitre_attack=* by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index | `get_mitre_annotations` | rename All_Risk.risk_object_type as risk_object_type, All_Risk.normalized_risk_object as normalized_risk_object | `generate_findings_summary` | stats list(*) as * limit=100, sum(int_risk_score_sum) as risk_score by `fbd_grouping(normalized_risk_object, risk_object_type)` | `dedup_and_compute_common_fbd_fields`, contributing_source=mvdedup(contributing_source), contributing_source_count=mvcount(contributing_source), annotations.mitre_attack=mvdedup('annotations.mitre_attack'), annotations.mitre_attack.mitre_tactic=mvdedup('annotations.mitre_attack.mitre_tactic'), mitre_tactic_id_count=mvcount('annotations.mitre_attack.mitre_tactic'), mitre_technique_id_count=mvcount('annotations.mitre_attack'), threat_object=mvdedup(threat_object), cim_entity_zone=mvdedup(cim_entity_zone) | fillnull value=0 mitre_tactic_id_count, mitre_technique_id_count | fields - int_risk_score_sum, int_findings_count, individual_threat_object_count, contributing_event_ids | `drop_dm_object_name("All_Risk")` | where mitre_tactic_id_count >= 3 and contributing_source_count >= 4 | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count, cim_entity_zone, contributing_source, contributing_source_count
Findings Risk Threshold Exceeded for Entity Over 24 Hour Period Searches the risk index and aggregates risk scores by entity and creates findings when the risk score for an object exceeds 100 over the last 24 hours. For example, if an entity has 8 related events, each with a calculated risk score, the search adds all the 8 scores together. This default finding-based detection has a default setting of a 24-hour search window. 
| tstats `summariesonly` `common_fbd_fields`, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where [ | generatetimerange "Threat - Findings Risk Threshold Exceeded for Entity Over 24 Hour Period - Rule" | return earliest, latest ] by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index | `get_mitre_annotations` | rename All_Risk.risk_object_type as risk_object_type, All_Risk.normalized_risk_object as normalized_risk_object | `generate_findings_summary` | stats list(*) as * limit=100, sum(int_risk_score_sum) as risk_score by `fbd_grouping(normalized_risk_object, risk_object_type)` | `dedup_and_compute_common_fbd_fields`, contributing_source=mvdedup(contributing_source), contributing_source_count=mvcount(contributing_source), threat_object=mvdedup(threat_object), cim_entity_zone=mvdedup(cim_entity_zone), annotations.mitre_attack=mvdedup('annotations.mitre_attack'), annotations.mitre_attack.mitre_tactic=mvdedup('annotations.mitre_attack.mitre_tactic'), mitre_tactic_id_count=mvcount('annotations.mitre_attack.mitre_tactic'), mitre_technique_id_count=mvcount('annotations.mitre_attack'), risk_threshold=100 | fillnull value=0 mitre_tactic_id_count, mitre_technique_id_count | fields - int_risk_score_sum, int_findings_count, individual_threat_object_count, contributing_event_ids | `drop_dm_object_name("All_Risk")` | where risk_score > risk_threshold | `get_risk_severity(risk_score)` | table `common_fbd_fields_results`, mitre_tactic_id_count, mitre_technique_id_count, cim_entity_zone, contributing_source, contributing_source_count, risk_threshold, severity