Create finding-based detections in Splunk Enterprise Security

Create and customize finding-based detections to create findings and finding groups in Splunk Enterprise Security for your specific security use case. Finding-based detections are based on findings, as opposed to events.

Risk-based alerting in Splunk Enterprise Security uses finding-based detections instead of typical correlation searches to generate risk-based findings so that alerting corresponds to the magnitude of the risk associated with the entity.

Finding-based detections can review events in both risk and notable indexes or in individual indexes.

An event-based detection scans multiple data sources only for defined patterns and performs an adaptive response action when it finds the pattern. A finding-based detection reviews the events in both the risk and notable indexes for anomalous events and threat activities and uses an aggregation of events impacting a single entity to generate finding groups. When the finding-based detection finds an entity associated with several risk events, the finding-based detection creates finding groups in Splunk Enterprise Security. When the risk scores associated with these findings surpass a specified threshold over a period of time, analysts focus their efforts on connected behaviors associated with the finding. The aggregated risk score of an asset or identity is the sum of all the risk scores for risk events in the risk index that apply to the specific asset or identity over a period of time.

In addition to a base detection search, finding-based detections can also include MITRE enrichment data such as:

  • Tactic_Name
  • Tactic Number
  • Technique
  • Technique Reference


You can use the default finding-based detections available in Splunk Enterprise Security Content Updates (ESCU).

Following are some examples of finding-based detections that are enabled by default:

  • Risk - 7 Day ATT&CK Tactic Threshold Exceeded - Rule: A default finding-based detection that generates findings if 3 or more different MITRE tactics are seen and more than 4 distinct detections contributed to the risk level.
  • Risk - 24 Hour Risk Threshold Exceeded - Rule: A default finding-based detection that generates findings when the risk score threshold is exceeded over a 24-hour period.

Following are some examples of finding-based detections that are disabled by default:

  • Threat - Findings ATT&CK Tactic Threshold Exceeded for Entity Over Previous 7 Days - Rule: A finding-based detection that generates finding groups when the MITRE ATT&CK tactic threshold is exceeded over a 24-hour period.
  • Threat - Findings Risk Threshold Exceeded for Entity Over 24 Hour Period - Rule: A finding-based detection that generates finding groups when the risk score threshold is exceeded over a 7-day period.

Using finding-based detections, you can create high-confidence groups of findings around a given entity, behavior, or activity, which indicates that a security incident is occurring or has occurred. For example, Splunk Enterprise Security includes a finding-based detection that relies on the MITRE ATT&CK framework, all available intermediate findings, and the findings for a given entity to create a finding or finding group when a threshold of multiple MITRE tactics or techniques is met.

Sometimes multiple findings can be part of one security incident with the same root cause. Grouping findings can help reduce the time you spend updating each investigation and also helps you resolve them faster without alert fatigue. You can group up to 100 related findings together into a finding group to investigate and compare their data and update some of their fields simultaneously.

Findings in a finding group include a unique identifier or GUID that is generated during the creation of the finding or intermediate finding. The GUID gets added to the notable index and risk index.

You can preview the search for the finding-based detection in the detection editor. You can also run the search and test whether the results accurately reflect your use case by selecting a link in the detection editor that opens the preview search in a separate Search and Reporting window. You can also specify various preview time ranges for your search to fine-tune your results.

Create a finding-based detection

Create a finding-based detection to create groups of findings and intermediate findings that are classified together based on a common entity of origin such as user or source and other risk criteria such as risk score, threat objects, and so on.
Note: Finding groups are updated as new findings are created by Splunk Enterprise Security.

Create a detection SPL for a finding-based detection

Prerequisite

  • Identify the security use case for your detection so that you can specify the various criteria and fields appropriately, to group your findings and intermediate findings into finding groups using a finding-based detection.

Follow these steps to create a finding-based detection:

  1. In Splunk Enterprise Security, go to Configure.
  2. Select Content, and then select Content management.
  3. Select Create new content and then select Detection to specify the type of detection that you want to create.
  4. Select Finding-based detection to create a detection based on high-confidence groups of findings and intermediate findings around a given entity, behavior, or activity, which indicates a security incident.
  5. Select Submit to open the detection editor.
  6. In the New finding-based detection page, enter the information to define the finding-based detection:
    • Name: The name of the detection. Example value: Excessive Failed Logins - Tutorial
      Note: Detection names cannot be longer than 83 characters. However, if you include a string prefix such as "Threat - " and a string suffix such as "- Rule" in the detection name, the maximum character count for detections is 99 characters. Splunk Enterprise Security supports only detections ending with the string suffix "- Rule".
    • App: The app where you want to store the detection, aligned with the type of detection that you plan to build. If you have a custom app for your deployment, you can store the detection there. Example value: SA-AccessProtection
      Note: If you deactivate or remove the app where the search is stored, the detection is deactivated. The app context does not affect how the detection runs or the data on which it runs.
    • UI dispatch context: The drop-down list for selecting the app used by the links in an email and in other adaptive response actions. The app must be visible for the links to work. Example value: None
    • Security domain: Organizes access to entities by a common security policy, security model, or security architecture that has dedicated dashboards, searches, and key indicators for monitoring security posture, detecting threats, and investigating incidents within that area. These predefined domains give analysts focused views that summarize data from the relevant security devices and systems, so they can quickly understand risks and respond to events. Example values: Threat, Access, Audit, Network, Endpoint, Identity
    • Description: Information on what the detection looks for and the security use case addressed by the detection. Example value: Detects excessive number of failed login attempts (this is likely a brute force attack)
    • Search: The SPL search for the detection to identify patterns, anomalies, and threats.
      Note: You have the option to preview the search using various time ranges. You can open the SPL in a separate Search panel, and you can also validate the search by selecting Validate search.
  7. Go to Preview to specify the Preview time range to run the preview search. The default value is Last 24 hours.
  8. Select Open in search to run the preview search in a new search and reporting window without navigating away from the detection editor.
    Running a preview search lets you test the results of the finding-based detection from the detection editor and fine-tune the detection for your use case.
  9. Select Validate search to verify that the SPL query has the correct syntax.
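As an added example that is not from this page or from Splunk's shipped content, the following search is the kind of SPL you could enter in the Search field in step 6 to implement the 7-day tactic threshold described earlier: it aggregates risk events per entity from the Risk data model, sums the entity's risk score, and keeps only entities with 3 or more distinct ATT&CK tactics and more than 4 distinct contributing detections. It assumes the All_Risk fields and the `summariesonly` and `drop_dm_object_name` macros that ship with Splunk Enterprise Security, and the thresholds in the final `where` clause are the values to tune for your environment.

```spl
| tstats `summariesonly`
    sum(All_Risk.calculated_risk_score) as risk_score
    count(All_Risk.calculated_risk_score) as risk_event_count
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
    dc(source) as source_count
    values(source) as source
    from datamodel=Risk.All_Risk
    by All_Risk.risk_object All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| where mitre_tactic_id_count >= 3 AND source_count > 4
| sort - risk_score
```

Run it with the Preview time range set to Last 7 days so the aggregation window matches the rule; each row that survives the `where` clause is one entity (risk_object) that the finding-based detection would turn into a finding group.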

Specify the display of finding groups on the analyst queue

You can specify how the finding groups created by the finding-based detections are displayed on the analyst queue in the Mission control page. Follow these steps to specify the display of finding groups on the analyst queue:

  1. In the New finding-based detection page, go to the Analyst queue information section and add the following information:
    • Finding group message (required): Name of the finding group.
    • Description (required): Information on the finding group.
    • Investigation type (required): Information on the service level agreements (SLAs) and response plans that are assigned to an investigation. You can associate an investigation type that is pre-defined.
    • Severity (required): Value assigned to a finding, which, when combined with the priority of an entity, helps to generate the urgency of an event.
    • Default owner (optional): Tracks who is working on the finding. It starts blank, often with a New status, until an analyst takes action.
    • Default status (optional): Tracks the lifecycle of the finding: New, In progress, Pending, Resolved, or Closed.
    • Drill-down searches (optional): Add a drill-down search for additional context, so you can easily go to a search related to the finding group during an investigation.
    • Drill-down dashboard (optional): Add a drill-down dashboard for additional context, so you can view multiple drill-down searches for a finding group during an investigation.
    • Next steps (Insert action) (optional): Add information on the adaptive response action or next steps taken to address the threat. You can also add a link to the action using the format: [[action|nameOfAction]]
    • Recommended actions (optional): List of recommended adaptive response actions that you can select to run when specific finding groups are generated. For example, Intelligence enrichment with Talos.
