Create event-based detections in Splunk Enterprise Security

Create event-based detections to review the raw events ingested into the Splunk platform and create intermediate findings and findings, which might or might not indicate a potential security incident. Event-based detections replace what was formerly known as risk rules, which added risk events to the risk index using the risk analysis adaptive response action.

Create a detection SPL for an event-based detection

Follow these steps to create event-based detections in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select the Security content tab.
  2. Select Content management.
  3. Select +Content and then select Detection to specify the type of detection that you want to create. For example, select Event-based detection.
  4. Select Submit to open the detection editor.
  5. In the Edit event-based detection editor, enter the information to define the event-based detection.
    Note:
    Field    		 Description Example values
    Name The name of the detection.

    Note: Detection names cannot be longer than 83 characters. However, if you include the string prefix, such as "Threat - " and the string suffix such as "- Rule" to the detection name, the maximum character count for detections is 99 characters. Splunk Enterprise Security supports only detections ending with the string suffix "- Rule".
    		Excessive Failed Logins - Tutorial
    App The app where you want to store the detection and align with the type of detection that you plan to build. If you have a custom app for your deployment, you can store the detection there.

    Note: If you deactivate or remove the app where the search is stored, the detection is deactivated. The app context does not affect how or the data on which the detection runs.
    		SA-AccessProtection
    UI dispatch context The drop-down list to select an app used by the links in an email and other adaptive response actions. The app must be visible for links to work. None
    Security domain Organizes access to entities by a common security policy, security model, or security architecture that has dedicated dashboards, searches, and key indicators for monitoring security posture, detecting threats, and investigating incidents within that area. These predefined domains provide analysts with focused views, summarizing data from relevant security devices and systems to quickly understand risks and respond to events. Threat, Access, Audit, Network, Endpoint, Identity
    Description Information on what the detection looks for and the security use case addressed by the detection. Detects excessive number of failed login attempts (this is likely a brute force attack)
    Mode Flexible option to create detections manually or using wizards. You can manually write complex SPL directly with fine-tuned logic, or use guided wizards for initial setup and simpler use cases. Guided or Manual
    Search The SPL search for the detection to identify patterns, anomalies, and threats.
    Note: You have the option to preview the search using various time ranges. You can open the SPL in a separate Search panel and you can also validate the search by selecting Validate search.
  6. Go to Preview to specify the Preview time range to run the preview search. The default value is Last 24 hours.
  7. Select Open in search to run the preview search in a new search and reporting window without navigating away from the detection editor.
    Running a preview search lets you test the results of the finding-based detection from the detection editor and fine tune the detection for your use case.
  8. Select Validate search to verify that the SPL query has the correct syntax.

Specify the output type for event-based detections

Specify whether you want to create intermediate findings or findings using your event-based detection. You can also customize the display of intermediate findings and findings in the analyst queue on the Mission Control page by defining the specific fields associated with them.

Follow these steps to specify the output type that you want to create using event-based detections:

  1. In the detection editor, go to Analyst queue information.
  2. In Output, select whether you want to create findings or intermediate findings or both. You can also add the criteria to specify the display the findings and intermediate findings in the Analyst queue on the Mission Control page by specifying values for associated fields.

Create intermediate findings using event-based detections

You can use event-based detections to create intermediate findings that are low fidelity security alerts that signify suspicious activity but aren't full incidents and serve as building blocks that feed into higher-fidelity, aggregated findings.

  1. In Output, select Create intermediate findings to create intermediate findings
  2. Add a Risk message for the intermediate finding that is descriptive, concise, and provides context to help analysts understand what occurred before it is aggregated into a larger threat story. For example, Risk event for $risk_object_type$ $risk_object$ detected.
  3. In Intermediate finding score, specify a risk score for the intermediate finding.
  4. In Entity, specify an entity and a finding score for it. For example, the name to refer to an user, host, endpoint, server, domain, device, or IP address that can be assigned a risk score to track potential threats.
  5. In Entity type, specify an entity type. For example, a user, system or a custom entity type.
  6. Select +Add entity to add more entities and their associate scores and types.

Create findings using event-based detections

You can use event-based detections to create findings, which are consolidated security alerts or observations, representing suspicious activity such as a single unauthorized login or repeated network spikes and presented in the analyst queue for security analysts to investigate, triage, and manage. For more information, see Findings and intermediate findings in Splunk Enterprise Security.
Note: Adding an entity or assigning a finding score to it is optional.
  1. In Output, select Create findings to create findings.
  2. Use the table to specify how to the display the findings in the Analyst queue on the Mission Control page.
    Field Description Required?
    Finding name Name of the finding. Yes
    Description Information on the finding. Yes
    Entity Information on the user, host, endpoint, server, domain, device, or IP address that can be assigned a risk score, entity name, entity type, to track potential threats. No
    Investigation type Allows you to associate an investigation type that is pre-defined in the Findings and Investigations configuration section when configuring a detection. When a finding is created from the detection and transitions to an Investigation, the Investigation type assigned here is assigned to the investigation. Yes
    Severity Value assigned to a finding, which when combined with the priority of an entity helps to generate the urgency of an event. Yes
    Default owner Tracks who is working on the finding but it starts blank, often with a 'New' status, until an analyst takes action. No
    Default status Tracks the lifecycle of the finding from New, In progress, Pending, Resolved, or Closed No
    Next steps Drop-down list of adaptive response actions. For example, Stream Capture, Nbstat, and so on. No
    Recommended actions List of recommended adaptive response action that you can select to run when specific findings are generated. For example, Add events to an investigation. No

Add threat objects to detections in Splunk Enterprise Security

Optionally, you can add observables or indicators of compromise (IOCs) such as a URL, file hash, or email address or entities such as IPs, domains, file hashes to your detection if they pose an increased security risk to your environment. Adding threat objects to detections allows you to enrich them with threat intelligence and link them to a broader risk context so that findings can be transformed into actionable insights by tagging them with known bad indicators.

  1. In the detection editor for event based detections, go to Threat objects.
  2. Select +Add threat object.
  3. In Threat object field, enter a value that represents an observable threat in your search results. For example, a domain name, IP address, file hash, command line, or process name.
  4. In Threat object type, enter the category of the threat object such as domain, ip_address, file_hash, user.

Configure conditions to trigger intermediate findings or findings

Configure trigger conditions to control when an event-based detection generates intermediate findings or findings. After you define trigger conditions, the detection search results check if they match the conditions. If the detection search results match the conditions, then intermediate findings or findings are generated.

You can set up trigger conditions to control when adaptive response actions are run:
  • Number of results: Adaptive response actions are run only if search result count meets threshold.
  • Number of hosts: Adaptive response actions are run only if distinct host count meets threshold.
  • Number of sources: Adaptive response actions are run only if distinct source count meets threshold.
  • Custom: Adaptive response actions are run only if custom search condition is true
Note: Trigger conditions act as a secondary condition against the results of the detection search.

For information on trigger conditions and configuring those conditions for a detection, see the following Splunk platform documentation:

Follow these steps to configure conditions to trigger the appropriate number of findings in event-based detections:

  1. In the Detection editor, scroll down to the section on Conditions
  2. In the Create when field, specify the condition to create intermediate findings or findings by selecting from one of the following options: Number of results, Number of hosts, Number of sources, Custom.
  3. Select one of two options: Once or For each result. After the event pattern occurs, the alert can trigger just once or one time for each result in the pattern. You can choose an option depending on the notification or other alert action behavior that you want. However, selecting either of the options does not impact the finding adaptive response actions, such as Send email.
    For Send email, if you select Once as the trigger frequency option, you trigger the alert only once for each time the search results match the specified condition and receive a single notification in your inbox. If you select For each result, you trigger multiple notifications but with the same number of findings. Trigger condition for Send Email is an exception and does not impact the total number of findings that are generated. Even if you receive multiple email notifications, many of the findings might be duplicates.

Throttle the number of adaptive response actions generated by a detection

Set up throttling to limit the number of adaptive response actions generated by a detection. When a detection matches an event, it triggers an adaptive response action.

By default, every result returned by the detection generates an adaptive response action. Typically, you might want only one alert of a certain type. You can use throttling to prevent a detection from creating more than one alert within a set period. To change the types of results that generate an adaptive response action, define trigger conditions. Some adaptive response actions allow you to specify a maximum number of results in addition to throttling.

Follow these steps to throttle the number of adaptive response actions generated by a detection:

  1. In Splunk Enterprise Security, select Configure.
  2. Select Content, and then select Content management.
  3. Select the title of the detection you want to edit.
  4. Enter a Window duration. During this window, if an event value matches all of the Fields to group by the detection does not create an alert. After the window ends, the next matching event creates a new alert and applies the throttle conditions again.
  5. Enter the Fields to group by to specify which fields to use when matching similar events. If an event matches all the fields listed here, the detection does not create a new alert. You can define multiple fields. Available fields depend on the search fields that the detection returns.
  6. Save the detection.
Note: If you specify a field name in the Fields to group by that doesn't exist in the search results, Splunk Enterprise Security throttles all the results because the field is identical and null for all the results.

Throttling applies to any type of detection adaptive response action and occurs before finding suppression rules.

If you have throttling set for an existing detection, editing the details of the alert or the throttle configuration resets the throttling. This includes any changes to fields you throttle on, the SPL in the detection, the cron schedule, and so on. The change causes the throttle file, which notes how long to ignore events, to be removed. Therefore, the throttling does not occur until the next event triggers based on the new parameters.

When detection versioning is turned on, any change that is made to a detection is saved as a new version and that new version is not automatically turned on. This is because the previous version of the detection is still turned on until the detection engineer turns on the new version. Turning on the detection also resets throttling.

See also

For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation: