Estimate the volume of alerts from detection outputs in Splunk Enterprise Security
Use Splunk Enterprise Security to verify that your detections are efficient, effective, and non-disruptive to your security operations center (SOC) workflows.
Effective detection engineering requires balancing thorough threat coverage with manageable alert volumes. Without insight into how many alerts a detection generates, you might create rules that either miss real threats or inundate you with excessive alert noise. By testing and previewing the number of alerts, such as findings and intermediate findings, that the detection generates directly in the editor, you can immediately assess the potential impact of the detection. This visibility helps to ensure that new detections deliver actionable, high-quality signals, thereby improving detection quality, reducing false positives, and preventing analyst overload before the detection is ever deployed into the SOC workflow.
You can use the Test panel in the Detection editor of Splunk Enterprise Security to review, test, and predict the volume of search results before turning on your detection. The ability to test detections lets you validate detection performance and fine-tune your rules based on your data, without manually using the Search and Reporting feature for testing. For example, you can run your detection over the past 24 hours to see whether the number of findings aligns with your expectations, such as the expected 50 findings versus an excessive 100,000 findings.
- Alerts: Running a detection search using this view includes alerts that are based on the specific scheduling and filtering options selected in the search results. This view is useful if you want to narrow down the search results by identifying specific alert types and tune the detection for greater accuracy.
- Raw logs: Running the detection search using this view includes all the raw events during a specified time frame in the detection search results, which can include duplicate events and increase alert volume and noise. This view is useful if you only want to review the number of raw events that a detection will generate in the search results.
The following figure provides sample test results to validate a detection. The figure displays estimated outputs from the detection based on the calculated average output, which depends on the detection frequency across a specified time range.
- Findings: Estimated findings as defined in the UI for entities and threat objects.
- Intermediate Findings: Estimated intermediate findings as defined in the UI for entities and threat objects.
- Entities: Estimated entities related to the detection as defined in the UI for entities and threat objects.
- Omitted: Estimated results that have not been output due to conditions and throttling settings configured for the detection based on the calculated average output, detection frequency, and specified time range.
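As an added illustration (not Splunk's own calculation or code), the following Python models how throttling and detection frequency turn the raw results of a test run into the estimated findings, omitted results, and entities described above. The result rows, field names, throttle window, and schedule are constructed assumptions.

```python
# Constructed sample: one row per result the detection search returned over a
# 7-day test window (assumed field names: _time in epoch seconds, user).
HOUR, DAY = 3600, 86400
TEST_WINDOW_SECONDS = 7 * DAY
SAMPLE_RESULTS = [
    {"_time": 0 * HOUR, "user": "alice"},
    {"_time": 2 * HOUR, "user": "alice"},   # repeat inside the 24h throttle window
    {"_time": 5 * HOUR, "user": "bob"},
    {"_time": 30 * HOUR, "user": "alice"},  # outside the throttle window: new finding
    {"_time": 31 * HOUR, "user": "alice"},  # throttled again
    {"_time": 3 * DAY, "user": "carol"},
    {"_time": 6 * DAY + HOUR, "user": "bob"},
]


def estimate_volume(results, throttle_fields, throttle_seconds,
                    schedule_seconds, window_seconds):
    """Model of the Test panel estimate (an assumption, not Splunk's algorithm):
    count results, suppress repeats of the same throttle-field values that fall
    inside throttle_seconds, and scale the survivors to the detection schedule."""
    last_seen = {}          # throttle key -> time of the last emitted finding
    findings = omitted = 0
    for row in sorted(results, key=lambda r: r["_time"]):
        key = tuple(row[f] for f in throttle_fields)
        now = row["_time"]
        if key in last_seen and now - last_seen[key] < throttle_seconds:
            omitted += 1    # would not be output because of throttling
            continue
        last_seen[key] = now
        findings += 1
    runs = window_seconds / schedule_seconds   # how often the detection fires
    return {
        "results": len(results),
        "findings": findings,
        "omitted": omitted,
        "entities": len({tuple(r[f] for f in throttle_fields) for r in results}),
        "findings_per_day": round(findings / (window_seconds / DAY), 2),
        "findings_per_run": round(findings / runs, 4),
    }


if __name__ == "__main__":
    # Hourly schedule, throttle repeats per user for 24 hours.
    print(estimate_volume(SAMPLE_RESULTS, ["user"], DAY, HOUR, TEST_WINDOW_SECONDS))
```

Comparing the findings_per_day figure with what you expect from the data source is the same sanity check the Test panel is meant to give you before the detection is enabled.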
- Create a new event-based detection or open an existing detection in Splunk Enterprise Security. For more information, see Create finding-based detections in Splunk Enterprise Security.
- Ensure that all required fields are populated and select at least one finding or intermediate finding to be output.
- In Splunk Enterprise Security, go to Configure.
- Select Content, and then select Content management.
- Select Create new content and then create the detection.
- In the detection editor, go to the Test panel and select the time duration for which you want to run the detection. For example, Past 7 days.
- Select Test.
- Review the search results in the Search field of the detection editor.