Monitor detection coverage and health using Detection Studio in Splunk Enterprise Security
Use the Launchpad dashboard for a high-level overview of detection coverage and detection health. The Launchpad serves as a starting point for implementing available detections in Splunk Enterprise Security or for identifying health issues in detections that are turned on. The Detection coverage section of the Launchpad displays how effectively activated detections cover MITRE ATT&CK techniques and highlights potentially useful detections that might be turned on. The Detection health section of the Launchpad monitors the health of activated detections and flags the detections that must be tuned, investigated, or deactivated. The Launchpad includes the following panels:
- Overall detection technique coverage: Measures the overall MITRE ATT&CK coverage score for activated detections.
- Detection coverage over time: A time-series view of the changes in MITRE ATT&CK coverage as detections are turned on, turned off, or updated.
- Available detections by priority rank: Pie chart displaying the distribution of available detections by priority score, based on KPIs such as Performance, Compatibility, Impact, and Confidence. For more information, see Identify optimal detections for your security environment using Detection Studio in Splunk Enterprise Security.
- Highest priority available detections: Table displaying the available detections with the highest priority scores, to identify the detections that might be turned on next.
- Overall detection health: Displays the average health score for enabled detections.
- Detection health over time: Time-series view displaying the health score changes over time.
- Detection techniques coverage rank: Pie chart showing health score distribution based on the Performance, Compatibility, and Confidence KPIs. For more information, see Identify optimal detections for your security environment using Detection Studio in Splunk Enterprise Security.
- Lowest health deployed detections: Table displaying activated detections with the lowest health scores for investigation or tuning.
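The following script is an added illustration, not Splunk code and not Splunk's actual scoring formulas, of the four quantities the Launchpad panels above present: a MITRE ATT&CK technique coverage score over a set of enabled detections, how that score moves as detections are toggled over time, an averaged health score built from Performance, Compatibility, and Confidence KPIs, and the lowest-health and highest-value-to-enable detections a defender would look at first. The detection names, KPI values, technique scope, and change events are all constructed sample data; only the ATT&CK technique IDs are real identifiers.

```python
"""Illustrative coverage and health scoring over a detection inventory.
Added example, not Splunk Enterprise Security code. Scoring weights, field
names and the inventory are assumptions made for this example."""
import copy
from dataclasses import dataclass


@dataclass
class Detection:
    name: str
    techniques: list          # ATT&CK technique IDs this detection maps to
    enabled: bool
    # KPI values in the range 0..1 (constructed; mirrors the KPI names on the page)
    performance: float = 1.0
    compatibility: float = 1.0
    confidence: float = 1.0

    def health(self) -> float:
        """Assumed health score: plain average of the three KPIs (illustrative)."""
        return round((self.performance + self.compatibility + self.confidence) / 3, 3)


# Constructed scope: the ATT&CK techniques this environment wants covered.
TECHNIQUE_SCOPE = {"T1059", "T1078", "T1003", "T1021", "T1566", "T1486"}

# Constructed inventory: which detections exist, their mappings, state and KPIs.
INVENTORY = [
    Detection("PowerShell suspicious encoded command", ["T1059"], True, 0.9, 1.0, 0.8),
    Detection("LSASS memory access", ["T1003"], True, 0.4, 0.6, 0.9),
    Detection("Phishing attachment execution", ["T1566", "T1059"], False, 0.8, 0.9, 0.7),
    Detection("Anomalous admin logon", ["T1078", "T1021"], True, 0.3, 0.2, 0.5),
    Detection("Mass file rename (ransomware)", ["T1486"], False, 0.9, 0.9, 0.9),
]

# Constructed change log: (ISO date, detection name, enabled after the change).
CHANGE_EVENTS = [
    ("2024-01-15", "Mass file rename (ransomware)", True),
    ("2024-02-03", "Anomalous admin logon", False),
    ("2024-03-10", "Phishing attachment execution", True),
]


def coverage_score(inventory, scope=TECHNIQUE_SCOPE) -> float:
    """Fraction of in-scope techniques covered by at least one enabled detection."""
    covered = {t for d in inventory if d.enabled for t in d.techniques} & scope
    return round(len(covered) / len(scope), 3)


def overall_health(inventory) -> float:
    """Average health score across enabled detections (0.0 if none are enabled)."""
    scores = [d.health() for d in inventory if d.enabled]
    return round(sum(scores) / len(scores), 3) if scores else 0.0


def lowest_health(inventory, n=2):
    """Names of the n enabled detections with the lowest health: tuning candidates."""
    ranked = sorted((d for d in inventory if d.enabled), key=lambda d: d.health())
    return [d.name for d in ranked[:n]]


def uncovered_candidates(inventory, scope=TECHNIQUE_SCOPE):
    """Disabled detections that would close a gap in the technique scope."""
    covered = {t for d in inventory if d.enabled for t in d.techniques}
    gaps = scope - covered
    return [d.name for d in inventory if not d.enabled and gaps & set(d.techniques)]


def coverage_over_time(inventory, events, scope=TECHNIQUE_SCOPE):
    """Replay enable/disable events in date order and record the coverage score
    after each one; this is the series a 'coverage over time' panel would plot.
    Works on a copy so the caller's inventory is left unchanged."""
    inv = copy.deepcopy(inventory)
    by_name = {d.name: d for d in inv}
    series = []
    for when, name, enabled in sorted(events, key=lambda e: e[0]):
        by_name[name].enabled = enabled
        series.append((when, coverage_score(inv, scope)))
    return series


if __name__ == "__main__":
    print("coverage:", coverage_score(INVENTORY))
    print("health:", overall_health(INVENTORY))
    print("lowest health:", lowest_health(INVENTORY))
    print("enable to close gaps:", uncovered_candidates(INVENTORY))
    print("coverage over time:", coverage_over_time(INVENTORY, CHANGE_EVENTS))
```

The point of splitting the calculation this way is that the two panels answer different questions: coverage is a property of the enabled set as a whole (one detection per technique is enough to count it covered), while health is a per-detection property that the dashboard averages and sorts, so a low overall health score is acted on by tuning or deactivating the individual detections at the bottom of the ranking, not by enabling more content.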
To monitor coverage and health on the Launchpad, follow these steps:
- In Splunk Enterprise Security, go to Security content and select Detection Studio.
- Go to Launchpad and use the time range selector (for example, Last month, Last quarter, or Last year) to focus on a period and track how the coverage and health of your detections change over time.
- Go to the Detection coverage section to view your overall coverage, coverage over time, and the highest priority detections recommended to improve coverage.
- Go to the Detection health section to view the overall health of your detections, detection health over time, and the detections with the lowest health that might need tuning, updates, or deactivation.