Guidelines to create a custom finding-based detection
Splunk Enterprise Security uses risk-based alerting so that finding-based detections can provide high-confidence, aggregated alerts for investigations. To leverage risk-based alerting, you must customize finding-based detections as follows:
Validate a custom detection in the detection editor
You can validate the SPL search of a custom finding-based detection.
Follow these steps to validate the SPL in the detection editor:
- In Splunk Enterprise Security, go to Configure.
- Select Content, and then select Content management.
- Select Create new content and then select Detection to specify the type of detection that you want to create.
- Select Finding-based detection to create a detection based on high-confidence groups of findings around a given entity, behavior, or activity, which indicates a security incident.
- Select Submit to open the detection editor.
- In the finding-based detection editor, go to the Finding input type panel.
- Select Custom to create a custom finding-based detection.
- In the Custom field, use SPL to specify the custom conditions based on which a finding group can be created by the detection.
- Select Validate to verify that the SPL is valid.
Include macros in the finding-based detection
The SPL of the custom finding-based detection must include one of the following macros with 1 to 5 arguments:
- `fbd_grouping(1)`
- `fbd_grouping(2)`
- `fbd_grouping(3)`
- `fbd_grouping(4)`
- `fbd_grouping(5)`
`fbd_group_by` field, which is a part of the SPL search results if the `common_fbd_fields_results`  macro is also used. If you don't use the `fbd_grouping` macro, you must include a new `fbd_group_by` field in the SPL search results of your custom finding-based detection. If you don't use the 'fbd_group_by' field, multiple unrelated entries are grouped into one finding group, which might impact the display of the finding groups in the analyst queue. Following is an example of the SPL for a custom finding-based detection that includes the fbd_grouping and the common_fbd_fields_results macros: 
| tstats `summariesonly` `common_fbd_fields`, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where 
    [| `generate_time_range("Threat - ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days - Rule")` 
| return earliest, latest ] All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index 
| rename All_Risk.risk_object_type as risk_object_type, All_Risk.normalized_risk_object as normalized_risk_object, annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id1, annotations.mitre_attack.mitre_technique_id as mitre_technique_id1 
| `generate_findings_summary` 
| stats list(*) as * limit=1000, sum(int_risk_score_sum) as risk_score by `fbd_grouping(normalized_risk_object, risk_object_type)` 
| `dedup_and_compute_common_fbd_fields`, contributing_source=mvdedup(contributing_source), mitre_tactic_id1=mvdedup(mitre_tactic_id1), mitre_technique_id1=mvdedup(mitre_technique_id1), contributing_source_count=mvcount(contributing_source), mitre_tactic_id_count=mvcount(mitre_tactic_id1), mitre_technique_id_count=mvcount(mitre_technique_id1), threat_object=mvdedup(threat_object), cim_entity_zone=mvdedup(cim_entity_zone) 
| fillnull value=0 mitre_tactic_id_count, mitre_technique_id_count 
| rename mitre_tactic_id1 as annotations.mitre_attack.mitre_tactic_id, mitre_technique_id1 as annotations.mitre_attack.mitre_technique_id 
| eval annotations.mitre_attack='annotations.mitre_attack.mitre_technique_id' 
| fields - int_risk_score_sum, int_findings_count, individual_threat_object_count, contributing_event_ids 
| `drop_dm_object_name("All_Risk")` 
| where mitre_tactic_id_count >= 3 and contributing_source_count >= 4 
| table `common_fbd_fields_results`, annotations.mitre_attack.mitre_tactic_id, mitre_tactic_id_count, annotations.mitre_attack.mitre_technique_id, mitre_technique_id_count, cim_entity_zone, contributing_source, contributing_source_count, annotations.mitre_attackFollowing is an example of an SPL for a custom finding-based detection without the fbd_grouping macro: 
 fbd_group_by must be included in the SPL.| tstats `summariesonly` `common_fbd_fields`, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(source) as contributing_source, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_Risk where 
    [| `generate_time_range("Threat - ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days - Rule")`
| return earliest, latest ] All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.normalized_risk_object, All_Risk.risk_object_type, index 
| rename All_Risk.risk_object_type as risk_object_type, All_Risk.normalized_risk_object as normalized_risk_object, annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id1, annotations.mitre_attack.mitre_technique_id as mitre_technique_id1 
| `generate_findings_summary` 
| stats list(*) as * limit=1000, sum(int_risk_score_sum) as risk_score by normalized_risk_object, risk_object_type, abc, def, ghi, jkl, mno, pqr 
| eval fbd_group_by=normalized_risk_object."-".risk_object_type."-".abc."-".def."-".ghi."-".jkl."-".mno."-".pqr 
| `dedup_and_compute_common_fbd_fields`, contributing_source=mvdedup(contributing_source), mitre_tactic_id1=mvdedup(mitre_tactic_id1), mitre_technique_id1=mvdedup(mitre_technique_id1), contributing_source_count=mvcount(contributing_source), mitre_tactic_id_count=mvcount(mitre_tactic_id1), mitre_technique_id_count=mvcount(mitre_technique_id1), threat_object=mvdedup(threat_object), cim_entity_zone=mvdedup(cim_entity_zone) 
| fillnull value=0 mitre_tactic_id_count, mitre_technique_id_count 
| rename mitre_tactic_id1 as annotations.mitre_attack.mitre_tactic_id, mitre_technique_id1 as annotations.mitre_attack.mitre_technique_id 
| eval annotations.mitre_attack='annotations.mitre_attack.mitre_technique_id' 
| fields - int_risk_score_sum, int_findings_count, individual_threat_object_count, contributing_event_ids 
| `drop_dm_object_name("All_Risk")` 
| where mitre_tactic_id_count >= 3 and contributing_source_count >= 4 
| table `common_fbd_fields_results`, annotations.mitre_attack.mitre_tactic_id, mitre_tactic_id_count, annotations.mIf the `dedup_and_compute_common_fbd_fields` macro is not included in the SPL for your custom finding-based detection, you must add is_finding_group="True" to the SPL of the custom detection in order for it to generate a finding group. 
Do the following if the `dedup_and_compute_common_fbd_fields` macro is not included in the SPL: 
- Add is_finding_groupto the table statement.
- Set is_finding_groupto True after an evaluation statement.
For example:
eval is_finding_group="True" ...
table `common_fbd_fields_results`, is_finding_group, ...Include the Risk data model in the finding-based detection
All finding-based detections must have the following base search, which includes the Risk data model:
| tstats `summariesonly` mode(All_Risk.risk_object) as risk_object, sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count, values(All_Risk.risk_object) as all_risk_objects, values(All_Risk.cim_entity_zone) as cim_entity_zone from datamodel=Risk.All_RiskInclude specific fields in the search to group findings
Additional fields can be added to the SPL search for the finding-based detection based on specific requirements. Adding fields in the SPL search helps to customize the display of findings in the analyst queue, the Risk Timeline, and the investigations
For example, the following SPL search groups findings by fields such as cim_entity_zone: 
| tstats `summariesonly` mode(All_Risk.risk_object) as risk_object, sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count, values(All_Risk.risk_object) as all_risk_objects, values(All_Risk.cim_entity_zone) as cim_entity_zone. dc(cim_entity_zone) as cim_entity_zone_count  from datamodel=Risk.All_Risk where All_Risk.cim_entity_zone=* where cim_entity_zone_count >= 10The following search adds the generate_time_range(<fbd_detection_name> macro and groups findings by cim_entity_zone in the SPL search: 
| tstats `summariesonly` mode(All_Risk.risk_object) as risk_object, sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count, values(All_Risk.risk_object) as all_risk_objects, values(All_Risk.cim_entity_zone) as cim_entity_zone. dc(cim_entity_zone) as cim_entity_zone_count  from datamodel=Risk.All_Risk where [ | generate_time_range(<fbd_detection_name> | return earliest, latest ] where All_Risk.cim_entity_zone=* where cim_entity_zone_count >= 10See also
For more information on finding-based detections, see the product documentation: