Create finding groups in Splunk Enterprise Security

You can create groups of findings and intermediate findings using findings-based detections that match the conditions you configure. You can then add the finding groups to an investigation manually and triage them. Finding groups are stored in KVStore collections.

When you add additional findings to a finding group, the finding group moves to the top of the analyst queue on the Mission Control page.

[Screenshot: a nested finding group in the analyst queue on the Mission Control page.]

Configure conditions to create finding groups in Splunk Enterprise Security

Follow these steps to create finding groups in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, go to Security content.
  2. Select Content management.
  3. Select Create new content and then select Detection to open the editor.
  4. In the New findings-based detection editor, go to Finding input type.
  5. Select a group type to combine the findings from the detection search results into high-confidence finding groups. The following group types are available to specify the criteria for grouping the findings from the detection search results:

    Group type: Entity
    Description: Groups findings by an asset, identity, user, or device that Splunk Enterprise Security can use to identify potential security threats. Creates a finding group when the findings for a common entity exceed a count threshold.
    Example: If the number of findings created by a user Tom is greater than 10, those findings get nested together in the analyst queue.

    Group type: Threat object
    Description: Groups findings by observables that pose an increased security risk, such as a URL, file hash, email address, domain, command line, IP address, registry key, filename, or file directory. Creates a finding group when findings contain the same threat object for an entity and exceed a threshold.
    Example: If the number of findings created for an email address such as "sam@splunk.com" drops by 10, those findings get nested together in the analyst queue.

    Group type: Cumulative entity risk
    Description: Groups findings by the total risk that an entity such as an asset, identity, user, or system might represent during a given period of time. Creates a finding group when findings reach a risk score threshold for an entity.
    Example: If the findings created for a system such as "localhost1234" have a risk score that rises by 100, those findings get nested together in the analyst queue.

    Group type: Kill Chain
    Description: Groups findings based on the Cyber Kill Chain framework (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Action on Objectives), which identifies the phases of a cyber attack and helps to anticipate the sequential actions of an attacker. Creates a finding group when the findings exceed a threshold number of Kill Chain phases.
    Example: If the number of Kill Chain phases for some findings is less than 10, those findings get nested together in the analyst queue.

    Group type: MITRE ATT&CK
    Description: Groups findings by the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques used to develop threat models and methodologies. Creates a finding group when findings exceed a threshold number of MITRE ATT&CK tactics or techniques.
    Example: If the number of MITRE ATT&CK tactics or techniques for some findings is greater than 10, those findings get nested together in the analyst queue.

    Group type: Similar findings
    Description: Creates a finding group when the count of similar findings or intermediate findings exceeds a threshold.
    Example: If the number of similar findings is equal to 10, those findings get nested together in the analyst queue.

    Note: Only event-based detections can be selected from the Detection drop-down menu under Similar findings when you create finding groups. Finding-based detections create finding groups from findings and intermediate findings, whereas event-based detections create the findings and intermediate findings themselves. Finding-based detections must therefore group on findings and intermediate findings, not on other finding groups.

    Group type: Custom
    Description: Creates a finding group when the conditions in a custom SPL search are met.
    Example: Enter a custom SPL search that specifies the conditions; findings that meet those conditions get nested together in the analyst queue.

Configure the option to reopen finding groups in Splunk Enterprise Security

In Splunk Enterprise Security 8.x, a closed finding group in the analyst queue is automatically reopened if a finding or intermediate finding is added to the closed finding group.

In Splunk Enterprise Security version 8.2 and higher, you can choose not to reopen a closed finding group even if a new finding or intermediate finding is added to it.

Follow these steps to specify how finding groups are saved and reopened in the analyst queue:

  1. In the Splunk Enterprise Security app, go to Security content.
  2. Select Content management.
  3. Select +Content and then select Detection to open the editor.
  4. In the New findings-based detection editor, go to Finding groups.
  5. Turn off the toggle for Reopen finding groups so that a closed finding group remains closed even if new findings or intermediate findings are added to it.
    Note: The setting to reopen finding groups is turned on by default.

Create lookback finding groups in Splunk Enterprise Security

You can select whether a finding-based detection creates lookback finding groups the first time it runs, or when it is turned on again. Lookback finding groups help to group historical findings or intermediate findings and can be defined in terms of days, hours, or minutes. For example, if you specify a lookback of 10 minutes and the detection runs for the first time at 4:30 pm, it creates finding groups from the findings between 4:20 pm and 4:30 pm.

Follow these steps to create lookback finding groups:

  1. In the Splunk Enterprise Security app, go to Security content.
  2. Select Content management.
  3. Select +Content and then select Detection to open the editor.
  4. In the New findings-based detection editor, go to Time range.
  5. In the Lookback time range field, enter a time range to group past events in an initial finding group when the detection first runs. If you do not want to have lookback finding groups, you can define the lookback time range as 0d, 0h, or 0m.

Create overlap finding groups in Splunk Enterprise Security

Create overlap finding groups so that an event that is part of one finding group can also be part of another finding group when their time ranges overlap. This helps to prevent overlooking edge-case events that might represent risk, because they get tracked in two different finding groups. For example, a finding group might group events that occur within the same hour, but an analyst might want to group an event that occurs at 1:59 pm together with an event that occurs at 2:05 pm, because their proximity in time suggests risk from the same entity.

Use Splunk Enterprise Security to include events in a finding group that fall before the group's usual earliest time. If an event is part of a previous finding group, it can also be part of the current finding group. An overlap between 0% and 50% of the max append time is supported. For example, an overlap of 10% with a max append time of 30 minutes means 3 minutes of overlap, so the earliest time of the finding group is 3 minutes earlier than usual.

Follow these steps to configure overlap finding groups:

  1. In the Splunk Enterprise Security app, go to Security content.
  2. Select Content management.
  3. Select +Content and then select Detection to open the editor.
  4. In the New findings-based detection editor, go to Time range.
  5. In the Finding group overlap field, enter a percentage or a time based on the max append time.
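The overlap rule described above, as an added model that is not Splunk Enterprise Security code: it converts the overlap setting into a widened earliest time and shows that, with a 10% overlap on a 30-minute max append time, a constructed 1:59 pm finding lands in both the 1:30 and the 2:00 group. The finding records, group start times, and the <number><d|h|m> spelling of absolute overlap values are assumptions of this model.

```python
# Model of the finding-group overlap rule from the section above. Added
# illustration, not Splunk Enterprise Security code: it applies the documented
# rule (an overlap of 0-50% of the max append time moves a group's earliest
# time back) to constructed findings for one entity.
from datetime import datetime, timedelta


def overlap_seconds(max_append: timedelta, overlap: str) -> float:
    """Translate the Finding group overlap field into seconds.
    The page allows a percentage or a time based on the max append time; the
    <number><d|h|m> spelling for times is an assumption of this model."""
    if overlap.endswith("%"):
        pct = float(overlap[:-1])
        if not 0 <= pct <= 50:
            raise ValueError("overlap must be between 0% and 50%")
        return max_append.total_seconds() * pct / 100
    unit = {"d": 86400, "h": 3600, "m": 60}[overlap[-1]]
    secs = float(overlap[:-1]) * unit
    if secs > max_append.total_seconds() / 2:
        raise ValueError("overlap must not exceed 50% of the max append time")
    return secs


def group_window(group_start: datetime, max_append: timedelta, overlap: str):
    """Return (earliest, latest) for the group that opens at group_start."""
    earliest = group_start - timedelta(seconds=overlap_seconds(max_append, overlap))
    return earliest, group_start + max_append


def assign_groups(findings, group_starts, max_append, overlap):
    """Map each group start (HH:MM) to the ids of findings inside its window;
    with a non-zero overlap one finding can land in two groups."""
    groups = {}
    for start in group_starts:
        earliest, latest = group_window(start, max_append, overlap)
        groups[start.strftime("%H:%M")] = [
            f["id"] for f in findings if earliest <= f["time"] < latest]
    return groups


# Constructed sample findings for user "tom" (not real data): one at 1:59 pm
# and one at 2:05 pm, the proximity case described in the text.
FINDINGS = [
    {"id": "f1", "entity": "tom", "time": datetime(2024, 1, 1, 13, 59)},
    {"id": "f2", "entity": "tom", "time": datetime(2024, 1, 1, 14, 5)},
]
GROUP_STARTS = [datetime(2024, 1, 1, 13, 30), datetime(2024, 1, 1, 14, 0)]
MAX_APPEND = timedelta(minutes=30)

if __name__ == "__main__":
    print("0% :", assign_groups(FINDINGS, GROUP_STARTS, MAX_APPEND, "0%"))
    print("10%:", assign_groups(FINDINGS, GROUP_STARTS, MAX_APPEND, "10%"))
```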