Tune detections in Splunk Enterprise Security

To optimize the performance of detections and reduce alert noise, you must adjust the detection SPL over the various stages of its life-cycle as follows:

Note: You can tune both event-based detections and finding-based detections in Splunk Enterprise Security.

Tune detections in real time to reduce false positives in Splunk Enterprise Security

Adjust your detection SPL in real time to reduce false positives and improve the accuracy of alerts. You can analyze and test detection search results to surface the root causes of alert noise without jeopardizing detection coverage: identify the field values or patterns that occur with high frequency in the results, confirm from sample events that they are benign, and then modify your detection logic by excluding those specific field values. Tuning detections against live results lets you adjust thresholds and exclusions based on the telemetry your environment actually produces, while checking at each step that true positives are still detected.

You can rapidly review and filter query results to identify likely false positives, view the field:value pairs that appear in the results, sort them by prevalence, and view sample events to confirm which results are false positives. You can also combine a primary field value with a related field value to build a narrower relational exclusion instead of excluding a field value outright. Throughout the process, you receive real-time feedback on the projected reduction in alert volume as exclusions are applied, which streamlines future tuning efforts and promotes consistency.
Note: Tuning detections in real time based on field exclusions is currently offered as a beta feature in Splunk Enterprise Security. Beta features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this Beta feature available in its sole discretion and may discontinue it at any time. Use of Beta features is subject to the Splunk General Terms.
  1. In Splunk Enterprise Security, go to Configure.
  2. Select Content, and then select Content management.
  3. In the Content management page, open the detection to which you want to make adjustments in the detection editor.
  4. In the Edit detection page, select Tuning mode to run the detection search against your security operation center's (SOC's) historical data over a defined time window and identify a prioritized list of field values such as usernames, hostnames, command lines, or IP addresses that are likely to generate alerts.
  5. Once the detection search runs, go to the Detection metrics in the left panel to view a summary of potential fields that might be excluded based on noise reduction percentages, total events, and similar field values, which might be contributing to alert noise. The fields and their values are listed in a table.
    Note: As you exclude field values from the detection, the detection SPL is dynamically updated with visual cues for exclusion logic such as NOT statements, which helps to understand the impact of your tuning of the detection logic.
  6. Select any of the fields in the table to view the Exclusion details on the right panel.

  7. Select Sample events to view the sample events created by the field that you selected, which helps to decide if the field is worth excluding from the detection.
    Note: You might see empty rows in Sample Events because the detection SPL filters out required fields such as _cd, _raw, _time, and source from the event data.
  8. Select Related fields to view the fields that are associated with the primary field that you selected from the main table. Using the Related fields tab you can view the field values and the sample events for these related fields to further narrow down false positives and create a relational exclusion. A relational exclusion is an exclusion that applies only when the Primary Field:Value AND the Related Field:Value are both true, for example NOT (source="logins.log" AND host="test-server"). Events that match only one of the two conditions are still returned by the detection.
    Note: The Pending exclusions summary panel summarizes the number of total exclusions, direct exclusions, and relational exclusions. For example, if you excluded one field such as actionType with a value of NETWORK_CONNECTION and a related field such as instance_ID with a value of i-e1254378927492797, you have 1 direct exclusion, 1 relational exclusion, and 2 total exclusions listed in the Pending exclusions summary panel.
  9. Turn on or turn off various field and values to identify the impact of excluding specific fields from the detection search results. You can see detection metrics update in real time as you make exclusions or changes.
    Note: Excluding multiple fields with specific values often provides more accurate results than completely excluding a single field value. Before you exclude a value, consider whether an attacker could trivially supply it (for example, by choosing a hostname or user name that matches the exclusion); a relational exclusion that also requires a second field to match is harder to abuse than a broad exclusion on one field.
  10. Expand the field in Related fields to view 5 or fewer sample events that might be created and quickly identify if those events are benign and creating alert noise. Reviewing sample events and related events makes excluding fields and values from detections to be a more precise operation.

  11. Select Open in search to review all the search results for the detection in a new Search & Reporting window without navigating away from the detection editor. When you open the detection using Open in search, you can run the search with all the new exclusions incorporated and review the results to ensure that false positives are reduced. Running a preview search lets you test the results of the detection from the detection editor and fine tune the detection for your use case.
    Note: You can specify the time window, such as Last 24 hours or Last 7 days, over which to run the search and further tune the detection. You can further optimize the detection SPL by placing the exclusion where clause as early in the search pipeline as possible, so that excluded events are dropped before any transforming or statistical commands run on them.
  12. Select Pending exclusions to see the field exclusions that you turned on, so that you can review and verify that the listed exclusions are the ones you intended to apply.
  13. Select Apply to review and apply the pending exclusion fields to the detection. The summary view provides information on the excluded fields, field values, the number of events that the field generates, and the potential percentage of noise reduction if the field is excluded from the detection.
  14. Select the checkbox to save the collection of pending exclusions as a lookup that you might use as a reference to create detections.
    Note: Once a lookup is created from the list of exclusions that were identified when you tuned the detection, you must create the lookup definition manually before you can use the lookup to augment your SPL searches. To create a lookup definition, go to Settings, select Lookups, and then select Lookup definitions.
  15. Enter a name for the lookup.
  16. (Optional) Enter some notes about the lookup.
  17. Select Save to save the changes to the detection once you have tuned the SPL as required.
    Note: SPL updates are not saved until you confirm and save the changes. All notes that you added are saved in the version history of the detection.
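The following is an added example, not Splunk's own code, that models offline what Tuning mode computes as you toggle exclusions in the procedure above: it ranks field:value pairs by prevalence (the Detection metrics table), applies direct and relational exclusions, reports the projected noise reduction, renders the equivalent SPL NOT clause, and writes the exclusions as a lookup-style CSV. The events, field names, and the "suspicious outbound connection" detection are constructed sample data; the exact text that the editor inserts into your SPL is an assumption based on the NOT (source="logins.log" AND host="test-server") form shown on this page.

```python
"""
Added example (not Splunk code): a local model of Tuning mode exclusions.

An exclusion is a dict of field -> value. One pair is a direct exclusion;
two or more pairs form a relational exclusion (all pairs must match, AND).
An event is dropped when it matches ANY exclusion (OR across exclusions).
"""
from collections import Counter
import csv
import io

# Constructed sample results from a hypothetical detection; not real telemetry.
FIELDS = ["actionType", "host", "source", "instance_ID"]
EVENTS = [
    {"actionType": "NETWORK_CONNECTION", "host": "test-server", "source": "logins.log", "instance_ID": "i-0000000000000001"},
    {"actionType": "NETWORK_CONNECTION", "host": "test-server", "source": "auth.log",   "instance_ID": "i-0000000000000001"},
    {"actionType": "NETWORK_CONNECTION", "host": "web-01",      "source": "logins.log", "instance_ID": "i-0000000000000002"},
    {"actionType": "PROCESS_START",      "host": "build-07",    "source": "sysmon",     "instance_ID": "i-0000000000000003"},
    {"actionType": "NETWORK_CONNECTION", "host": "test-server", "source": "logins.log", "instance_ID": "i-0000000000000001"},
    {"actionType": "FILE_WRITE",         "host": "db-02",       "source": "sysmon",     "instance_ID": "i-0000000000000004"},
]

# A broad direct exclusion versus the narrower relational exclusion from the page.
BROAD = {"actionType": "NETWORK_CONNECTION"}
RELATIONAL = {"source": "logins.log", "host": "test-server"}


def rank_field_values(events, fields):
    """Count events per field:value pair, most prevalent first (the tuning table)."""
    counts = Counter()
    for ev in events:
        for f in fields:
            if f in ev:
                counts[(f, ev[f])] += 1
    return counts.most_common()


def matches(event, exclusion):
    """True when every field:value pair of the exclusion is present in the event."""
    return all(event.get(f) == v for f, v in exclusion.items())


def apply_exclusions(events, exclusions):
    """Keep only events that match none of the exclusions."""
    return [ev for ev in events if not any(matches(ev, ex) for ex in exclusions)]


def noise_reduction(events, exclusions):
    """Projected alert-volume reduction, as the Detection metrics panel reports it."""
    kept = apply_exclusions(events, exclusions)
    removed = len(events) - len(kept)
    pct = round(100.0 * removed / len(events), 1) if events else 0.0
    return {"total": len(events), "removed": removed, "kept": len(kept), "reduction_pct": pct}


def spl_quote(value):
    """Quote a value for SPL; escapes backslashes and double quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_spl(exclusions):
    """Render the exclusions as one NOT clause; relational ones become parenthesised ANDs."""
    clauses = []
    for ex in exclusions:
        terms = " AND ".join(f"{f}={spl_quote(v)}" for f, v in ex.items())
        clauses.append(f"({terms})" if len(ex) > 1 else terms)
    return "NOT (" + " OR ".join(clauses) + ")"


def exclusions_to_lookup_csv(exclusions, fields):
    """Write exclusions as a CSV lookup, one row per exclusion, blank for unused fields."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, restval="", lineterminator="\n")
    writer.writeheader()
    for ex in exclusions:
        writer.writerow(ex)
    return buf.getvalue()


if __name__ == "__main__":
    for (field, value), n in rank_field_values(EVENTS, FIELDS)[:5]:
        print(f"{field}={value}: {n} events")
    print("broad:     ", noise_reduction(EVENTS, [BROAD]))
    print("relational:", noise_reduction(EVENTS, [RELATIONAL]))
    print("SPL:       ", to_spl([BROAD, RELATIONAL]))
    print(exclusions_to_lookup_csv([BROAD, RELATIONAL], FIELDS))
```

Running the script shows why the note above prefers relational exclusions: the broad exclusion on actionType removes four of the six events, including the web-01 connection that has nothing to do with the noisy test server, while the relational exclusion removes only the two test-server events from logins.log. The generated NOT clause can be placed in the base search or in an early where clause; the CSV matches the lookup the editor offers to save in step 14, and once you have created the lookup definition by hand you can reference it from SPL with the usual NOT [| inputlookup ...] subsearch pattern.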