Create a detection to address a security use case or problem that you want to solve. For example, suspicious power shell commands or endpoint detection or response (EDR) alerts. Similarly, if you want to know when vulnerability scanners scan your network, or a high number of devices are infected with the same strain of malware, you can create a detection to detect that behavior and alert you. Use a detection to identify patterns in your data that can indicate a security risk.

Following are some potential use cases:

• Identify when high-risk users log in to machines infected with malware.
• Identify vulnerability scanning behavior in your network.
• Validate that your access control deprovisioning process is working as expected by monitoring inactive and expired account activity.
• Look for compromised accounts by identifying geographically impossible logins.

Develop a use case that you want the search to address before you start creating the search. In this example, we can create the Excessive Failed Logins detection, which is designed to detect brute force access attempts. A security analyst wants to know all the users that attempted to log in to an application and failed to type their passwords correctly at least six times within a certain period of time. The Excessive Failed Logins detection available in Splunk Enterprise Security captures that use case and performs the following functions:

• Search the authentication source events from an application.
• Count the number of failures by user.
• Create an alert for more than six failures over a selected time period.

This detection addresses the use case by searching authentication events, counting the number of access failures, and alerting if there are too many failures over a specific period of time.

As another example, a security analyst wants to know if more than 10 computers on the network failed to update their virus signatures for a week. The High Number of Hosts Not Updating Malware Signatures detection included in Splunk Enterprise Security captures that use case and performs the following functions:

• Search the antivirus source events.
• Evaluate the date of the last antivirus signature file update on a host.
• Compare the last updated date to the time that the search is running.
• Collect events where the last updated date is more than 7 days before the time that the search is running.
• Count the collected events.
• Create an alert if there are more than 10 collected events.

After you determine the security use case that you want your detection to address, use the following list to determine which data sources are relevant to the use case.

• Determine what data you need to address the use case.
• Determine which data models and data model objects contain that data in the Splunk app for CIM.
• Make sure that the data is in the data model.

In this case, the Excessive Failed Logins detection looks for data related to logins, so it uses the Authentication data model as the data source. By using a data model rather than searching a specific source type directly, the detection can search a wide variety of data sources related to authentication, such as operating systems, applications, without needing to be changed. Relying on data models in detections allows you to write one detection for multiple types of data.

For more information on data models and using detections to search for behavioral patterns in Splunk Enterprise Security, see the product documentation:

• Use detections to search for behavioral patterns in Splunk Enterprise Security.
• CIM fields per associated data model in the Splunk Common Information Model Add-on Manual.