Deploy actionable detections using Detection Studio in Splunk Enterprise Security
Use the Detection library to find and evaluate detections for your specific environment. Detections are displayed in a table, which can be sorted and filtered using key details.
The Detection library helps you perform the following tasks:
- Filter detections by key attributes, including key performance indicators (KPIs).
- Sort detections in a table view.
- Open a Preview panel to inspect detection logic, KPIs, and metadata.
- Bookmark detections to review or deploy later.
The Preview panel provides a detailed summary of any detection that you select in the table and lets you explore its KPI values further without opening the detection editor. Use the Preview panel to confirm that a detection meets your KPI thresholds and is suitable for deployment in your environment.
- In Splunk Enterprise Security, open the Detection library.
- In the Detection library, use the Filter panel to narrow the list and identify the detections that are most relevant to your environment and use case.
- Filter out detections that don't align with your data or your current priorities. You can filter by KPI indicators such as priority, health, confidence, impact, performance, and compatibility; by Status, such as deployed or available; by Security frameworks, tactics, and data, so that you can align detections to MITRE ATT&CK and to your telemetry; and by Bookmarks, to keep a short list of detections that you might use.
- Sort the detection table by an individual KPI. Sorting by a single KPI isolates specific issues, such as low confidence, low compatibility, or poor performance, so that you can focus your review.
- Drill down into a detection using the Preview panel to review its KPIs (priority, confidence, impact, health), detection logic, data requirements, related objects, and dependencies. Drilling down helps you determine whether an issue stems from a data gap, a configuration need, or the detection logic itself.
- Track detections by bookmarking them so that you can deploy them later or revisit them if your data coverage changes.
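The filter, sort, drill-down, and bookmark steps above, applied to a detection inventory in code, as an added example that is not Splunk's own code or API: the inventory records, the 0-100 KPI scale, and the thresholds are constructed for illustration, and the mapping of failing KPIs to data gap, configuration, or logic follows the drill-down step.

```python
from dataclasses import dataclass, field

@dataclass
class Detection:
    name: str
    status: str            # "deployed" or "available"
    confidence: int        # KPIs scored 0-100 (constructed scale, not ES's own)
    impact: int
    health: int
    performance: int
    compatibility: int
    techniques: list[str] = field(default_factory=list)  # ATT&CK technique ids
    bookmarked: bool = False

# Constructed sample inventory; names and scores are illustrative only.
INVENTORY = [
    Detection("Suspicious PowerShell download cradle", "available", 85, 80, 90, 88, 95, ["T1059.001"]),
    Detection("Rare scheduled task creation", "available", 60, 70, 95, 90, 40, ["T1053.005"]),
    Detection("Credential dumping via LSASS access", "deployed", 90, 95, 92, 85, 90, ["T1003.001"]),
    Detection("Excessive failed logins", "available", 75, 60, 35, 30, 90, ["T1110"]),
    Detection("Kerberoasting ticket requests", "available", 80, 85, 88, 90, 85, ["T1558.003"]),
]
THRESHOLDS = {"confidence": 70, "health": 50, "performance": 50, "compatibility": 80}  # constructed

def diagnose(d, thresholds):
    """Map failing KPIs to the root cause a reviewer would chase in the Preview panel."""
    reasons = []
    if d.compatibility < thresholds["compatibility"]:
        reasons.append("data gap: required data sources are not onboarded")
    if d.health < thresholds["health"] or d.performance < thresholds["performance"]:
        reasons.append("configuration: search is unhealthy or too slow")
    if d.confidence < thresholds["confidence"]:
        reasons.append("logic: low confidence, expect false positives")
    return reasons

def triage(inventory, thresholds, sort_by="confidence", technique_prefix=None):
    """Filter undeployed detections, sort by one KPI, bookmark those passing every threshold."""
    candidates = [d for d in inventory if d.status == "available"]
    if technique_prefix:  # align to a MITRE ATT&CK technique or sub-technique prefix
        candidates = [d for d in candidates if any(t.startswith(technique_prefix) for t in d.techniques)]
    candidates.sort(key=lambda d: getattr(d, sort_by), reverse=True)  # one KPI at a time
    ready, needs_work = [], {}
    for d in candidates:
        reasons = diagnose(d, thresholds)
        if reasons:
            needs_work[d.name] = reasons
        else:
            d.bookmarked = True   # track it for deployment later
            ready.append(d.name)
    return ready, needs_work
```

`triage(INVENTORY, THRESHOLDS)` returns the two detections to bookmark first, plus a per-detection list of reasons for the rest, so the review can start with data-gap fixes before touching detection logic.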
| Filter criteria | Description |
|---|---|
| Bookmarks | Show all detections or only bookmarked detections marked for follow-up. |
| Detection key performance indicators (KPIs) | Filter detections by KPI values such as priority, health, confidence, impact, performance, and compatibility. |
| Detection configuration | |
| Data | Filter detections by the data they require so that you can align them to your telemetry. |
| Framework | Filter detections by ATT&CK tactics, techniques, or sub-techniques. |
| Author | Filter detections by specific authors or teams. |