Identify optimal detections for your security environment using Detection Studio in Splunk Enterprise Security
You can monitor the health and coverage of your detections by evaluating their overall quality, effectiveness, and operational status, to ensure that your security infrastructure identifies potential threats as intended. Issues such as misconfigured data collection can lead to detection gaps, so you can review whether log sources are properly ingesting the necessary data from endpoints, networks, and cloud infrastructure.
You can verify that detection rules work accurately and are not generating excessive false positives (benign activity flagged as malicious) or silent false negatives (actual threats that go undetected). You can also review whether required data fields are present and parsed correctly, so that the information needed for analysis (for example, specific command-line arguments, IP addresses, and usernames) is available and in the correct format.
You can also verify that your detection coverage aligns with the threat landscape and that the deployed detections cover a wide range of relevant adversary tactics and techniques, often mapped to frameworks such as MITRE ATT&CK.
Monitoring the health and coverage of your detections also validates that systems are up to date and operational, and that all security agents and software on managed devices are current, installed, and functioning properly.
Using Detection Studio in Splunk Enterprise Security helps ensure a healthy detection environment, so that security teams have confidence in their ability to protect digital assets, respond promptly to incidents, and prioritize efforts to improve the overall security posture.
Components of Detection Studio
- Launchpad: A dashboard that provides an overview of the deployed and available detections so you can monitor the coverage and health of your security environment.
- MITRE ATT&CK coverage: Identifies the individual techniques that are used in a detection and lets you drill down into specific techniques to focus on the most relevant threats, specific threat actors, and data sources such as service creation events.
- Detection library: Helps you analyze and deploy the detections that are most actionable and relevant for your specific security environment.
- Configure: Customize the detection Priority and Health algorithms for your specific security environment.
Key performance indicators of a detection
The key performance indicators of a detection can be classified into high-level and mid-level KPIs.
- High-level KPIs: The high-level KPIs, Priority and Health, evaluate the key aspects of all detections, whether turned on or off. These KPIs update automatically using existing environment data. You can customize the Priority and Health algorithms using Settings.
- Mid-level KPIs: The mid-level KPIs such as Confidence, Impact, Performance, and Compatibility are granular measures of a detection’s expected behavior and help you to isolate and address specific outcomes and concerns.
| Key performance indicator | Description |
|---|---|
| Priority | Priority is a roll-up score indicating the additional coverage a detection provides, the detection's search-time performance, the detection's compatibility with data and knowledge objects in your environment, and the estimated search result volume. For more information, see Configure the urgency for findings in Splunk Enterprise Security. |
| Health | Health is a roll-up score indicating the detection's search-time performance, the detection's compatibility with data and knowledge objects in your environment, and the estimated search result volume. |
| Confidence | A numerical score from 0–100 based on how many search results the detection's search returns over a set time, compared to a threshold. Detection Studio runs the search periodically to calculate this KPI. |
| Impact | A numerical score from 0–100 that measures the additional MITRE ATT&CK coverage that a detection can provide. Impact reviews the techniques and sub-techniques that a detection maps to, reviews how many of those techniques are already covered by other detections, and then normalizes the remaining net new coverage into a single score. |
| Performance | A score representing how efficiently the detection runs, balancing detection value against search cost. |
| Compatibility | A pass or fail value indicating how well the detection will work in the Splunk ES instance currently in use, based on the availability of key events or knowledge objects explicitly referenced in the search. |
| Deployed state | An on or off value that indicates whether the detection is deployed, or available but not deployed, in the security environment. |
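As an added illustration, not Splunk's own code or scoring algorithm, the following Python models two of the KPIs in the table under stated assumptions: a Compatibility check that extracts the data models, lookups, and sourcetypes a search explicitly references and compares them against a constructed inventory, and an Impact score that normalizes net new ATT&CK technique coverage to 0–100. The SPL patterns, the object names, and the rule that a covered parent technique also covers its sub-techniques are assumptions.

```python
import re

# Constructed inventory of knowledge objects assumed present in an ES instance
# (placeholder names, not real Splunk ES object names).
AVAILABLE = {
    "datamodel": {"Endpoint", "Authentication"},
    "lookup": {"example_asset_lookup"},
    "sourcetype": {"WinEventLog:Security"},
}

# Assumed SPL patterns for the objects a detection search explicitly references.
PATTERNS = {
    "datamodel": re.compile(r"datamodel\s*=\s*\"?([A-Za-z_]+)"),
    "lookup": re.compile(r"\|\s*lookup\s+([A-Za-z0-9_]+)"),
    "sourcetype": re.compile(r"sourcetype\s*=\s*\"?([A-Za-z0-9_:/\-]+)"),
}

def referenced_objects(spl):
    """Knowledge objects a search explicitly references, grouped by kind."""
    return {kind: set(rx.findall(spl)) for kind, rx in PATTERNS.items()}

def compatibility(spl, available=AVAILABLE):
    """Pass/fail plus the sorted list of referenced objects the instance lacks."""
    missing = set()
    for kind, names in referenced_objects(spl).items():
        missing |= {f"{kind}:{n}" for n in names - available.get(kind, set())}
    return ("pass" if not missing else "fail", sorted(missing))

def impact_score(mapped, covered):
    """Net new ATT&CK coverage normalized to 0-100 (assumed model).
    A sub-technique counts as already covered when either it or its parent
    technique is covered by another deployed detection (assumption)."""
    mapped, covered = set(mapped), set(covered)
    if not mapped:
        return 0
    net_new = [t for t in mapped
               if t not in covered and t.split(".")[0] not in covered]
    return round(100 * len(net_new) / len(mapped))

# Constructed sample searches: one fully supported, one referencing absent objects.
OK_SPL = ('| tstats count from datamodel=Endpoint.Processes where Processes.process="*-enc*" by Processes.dest '
          '| lookup example_asset_lookup asset as Processes.dest OUTPUT priority')
BAD_SPL = ('| tstats count from datamodel=Web.Web where Web.status=401 by Web.src '
           '| lookup example_threat_lookup ip as Web.src OUTPUT threat_key')

if __name__ == "__main__":
    print(compatibility(OK_SPL))   # ('pass', [])
    print(compatibility(BAD_SPL))  # ('fail', ['datamodel:Web', 'lookup:example_threat_lookup'])
    print(impact_score(["T1059.001", "T1059.003", "T1053.005", "T1543"], ["T1059", "T1053.005"]))  # 25
```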