SSE Schema

Splunk Security Essentials has a standard format expected for content in the app. This format is spread across two types of files:

  1. Main: ShowcaseInfo.json
  2. For Native SSE Content: The Search Builder files (showcase_simple_search.json, showcase_first_seen_demo.json, showcase_standard_deviation.json)

For most users, the only file needed is ShowcaseInfo.json.

For partners, your configurations will be automatically merged into ShowcaseInfo.json (and you don’t need to worry about the Search Builder files). Find more detail on the Partner Integration page.

Below find detailed descriptions of the schemas, along with examples from several pieces of content in the app.

Table of Contents

ShowcaseInfo.json

Schema

Field Descriptions

For a guide on what each field means, view the Add Custom Content display, where detail is provided (and much of the configuration is automated). Here is a point-in-time reference:

JSON Field NameDescriptive FieldRelevanceDescriptionExamples
nameNameAllThe name of the example, e.g. “New Local Admin Account.” You should have a maximum of 150 characters, and avoid crazy punctuation.Basic Brute Force Detection
descriptionDescriptionAllThis is the key description of your custom content. Should generally be under 250-300 characters.
highlightFeaturedAllShould this show up as a featured example on the main page. When we build content, we target having approximately 15% of the content be featured, just the most prominent, highest value content.No
advancedtagsAdvanced TagsAllYou can optionally add advanced tags here, which will show up in the Advanced filter.Cool Search
alertvolumeAlert VolumeAllIs this a high volume search that will create lots of noise, or a low volume / high fidelity search that a human could handle the results of?Medium
bookmark_statusBookmarked StatusAllBookmark Status is how SSE tracks content, either simply “bookmarked” or even tracking implementation status, e.g. “Waiting On Data” or “Successfully Implemented.” Internal names only (see common_data_objects.js)bookmarked
categoryCategoryAllThe category is a user-specifable field (though it is generally advisable to choose from the standard choices provided via SSE)IAM Analytics
data_source_categoriesData Source Category or CategoriesAllThe data source category ID that maps to the types in Data Inventory and data_inventory.jsonDS003Authentication-ET02Failure
domainSecurity DomainAllThe security domain for this (not heavily leveraged, but assumed to be present). Valid options: Access, Network, Endpoint, Threat, Other.Access
hasSearchHas SearchAllDoes this detection include the search stringYes
iconIconAllThe icon that shows up on the main Security Content page (or wherever the tile exists). Logic implemented via BuildTile.js
journeyJourneyAllThe stage of the journey that this content will appear in.Stage_1
killchainKill Chain PhaseAllThe phase of the kill chainActions on Objectives
mitre_tacticMITRE ATT&CK and Pre-ATT&CK TacticsAllThe pipe-delimited list of the MITRE ATT&CK Tactic IDs, e.g., TA0001TA0006
mitre_techniqueMITRE ATT&CK and Pre-ATT&CK TechniquesAllThe pipe-delimited list of the MITRE ATT&CK Technique IDs, e.g., T1008T1110
releasedReleasedAllWhen was this content released?3.0.0
searchkeywordsSearch KeywordsAllThe in-browser search keywords automatically indexes the description, title, category, use case, how to respond, how to implement, known false positives, and help. But if you want to add some highly-weighted custom words (e.g., “AWS cloudtrail amazon web services”) then you can add them here, space separated.login log in logon log on sign
severitySeverityAllImpact indicates the severity of this event when it fires. It is not directly surfaced in the UI today, but is available as an enrichment field via the sseanalytics command.Medium
SPLEaseSPL EaseAllHow easy is this SPL to understand (for those looking at SSE just as a learning tool).Basic
usecaseUse CaseAllThe high level marketing-friendly use case for the use case.Security Monitoring
additional_contextArray of Custom PanelsAllOptional: Can provide custom panels
additional_context.detailCustom Panel: DetailAllSupports markdown. An optional text block.
additional_context.linkCustom Panel: LinkAllAn optional URL for users to learn more. If defined, a button will be added with the text “Learn More…”
additional_context.open_panelOpen Custom PanelAllWhether the custom panel should be open by default or not.
additional_context.searchCustom Panel: Code Block ContentsAllCan present SPL or any other raw code. Code highlighting implemented automatically.
additional_context.search_labelCustom Panel: Code Block TitleAllText-only, provides the label for the search, directly before the pre. Default if blank: “Search”Example
additional_context.search_langCustom Panel: Code Block LanguageAllOptional definition of which language the below code is in. Can leave empty for normal SPL, but could be provided as conf if you are printing config file options. In the event you really needed to print options such as python, the default languages for highlight.js are supported. (Valid options: properties, python, rust, less, perl, diff, scss, bash, shell, makefile, json, ini, http, coffeescript, css, objectivec, ruby, yaml, java, sql, apache, kotlin, xml, markdown, swift, plaintext, typescript, nginx, go, javascript, php, cs, lua, cpp)conf
additional_context.titleCustom Panel: TitleAllText-only, provides the name of the custom panel. Default if blank: “Additional Context”Config Settings
helpHelpAllThe value for the help field (less prominently displayed, generally less important). Supports markdown.
howToImplementHow to ImplementAllOptional text describing how to implement the detection. Supports markdown.
knownFPKnown False PositivesAllOptional text describing the known false positives that will be created for this search. Supports markdown.
operationalizeHow to RespondAllOptional text describing the how to respond when this search fires. Supports markdown.
printable_imagePrintable Image URLAllOptional field: When creating a PDF export, we will include a screenshot showing the demo results.
relevanceSecurity ImpactAll(Recommended) Text describing in lamens terms why this content is important. Supports markdown.
open_search_panelOpen Search PanelAllShould the search panel open by default. If a search string is provided, it will default to true unless this option specifies false.Text String: “False”
searchSearch StringAllOptional, the search itself.
search_nameSaved Search NameAllIf there is a standard saved search name that could be found via Correlation Search Introspection, put that search name here. This will map to the stanza name in savedsearches.conf, not to any pretty correlation search names in ES.ESCU - Abnormally High AWS Instances Terminated by User - Rule
company_descriptionCompany DescriptionPartnersIf you would like to present a description of your company when a user views this content, insert it here. Supports markdown.Your Short Marketing Description
company_linkCompany LinkPartnersIf you would like a “Learn More” link to appear after the description when a user views this content, provide the URL here.https://…/
company_logoCompany LogoPartnersIf you would like to present a logo for your organization when a user views this content, provide the URL and dimensions here. The height may not be more than 250 px, and the width may not be more than 500 pixels. For a good user experience, it is recommended not going more than 400x150px.https://…/yourlogo.png
company_logo_heightCompany Logo: HeightPartnersSpecify the height of your logo. (Your logo will be proportionately reduced if the height is > 250px)200
company_logo_widthCompany Logo: WidthPartnersSpecify the width of your logo. (Your logo will be proportionately reduced if the width is > 500px)400
company_nameCompany NamePartnersIf you would like to present the name for your organization when a user views this content, insert the name here.Your Org
create_data_inventoryCreate Data InventoryPartnersWhen present and set to True, it will create an entry in the Data Inventory and overwrite the existing data_source_categories for this detection. For more, see: Partner Integration: Populating Data InventoryObj: True
inSplunkSolved in SplunkPartnersIf you would like to track functionality that exists in the environment, but exists outside the realm of Splunk (for example, Carbon Black detection rules tied to specific MITRE ATT&CK tactics), you can mark it as outside of Splunk here.Yes
escu_cisESCU - CIS MappingESCU AuthorsES Content Update Specific: The CIS MappingCIS 13
escu_data_sourceESCU - Data SourceESCU AuthorsES Content Update Specific: The Data SourcesAWS CloudTrail logs
escu_nistESCU - NIST MappingESCU AuthorsES Content Update Specific: The NIST MappingDE.DP
escu_providing_technologiesESCU - Providing TechnologiesESCU AuthorsES Content Update Specific: The technologies that enable a detectionAWS
storyESCU - Story IDESCU AuthorsES Content Update Specific: Story ID2e8948a5-5239-406b-b56b-6c50f1268af3
examplesArray of Examples for DetectionSSE AuthorsFor each variety of the search (Live Data, Demo Data, Accelerated Data, etc.) another object is added to the examples array.
examples.labelName for ExampleSSE AuthorsThe name for the example (typically “Live Data” or similarly short)Live Data
examples.nameID in Search Builder JSONSSE AuthorsConfusingly, the “name” attribute is more the ID that will exist in the Search Builder JSON (e.g., showcase_simple_search.json). E.g., “Basic Brute Force - Live”. This field only appears in the browser URL, it’s never otherwise shown to users.
appAppSSE AuthorsProvides the name of the content (no spaces, special characters). For any custom content, overwritten with the channel definition.Splunk_Security_Essentials
dashboardDashboardSSE AuthorsIf you want to have users go to a dashboard when they click on the name, provide that dashboard name here. Usually a link including any fields appendedshowcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo
displayappDisplay AppSSE AuthorsProvides the name of the content (user-readable version). For any custom content, overwritten with the channel definition.Splunk Security Essentials
visualizationsArray of Visualization ObjectsSSE AuthorsSSE has the option for visualizations. Those visualizations can be either native Splunk Viz or Screenshots.
visualizations.basesearchBase SearchSSE AuthorsIf defined, the search builder will initiate a base search with this value, and then a post-process with the value in visualizations.search. Use when you have multiple panels powered by the same dataset so that you don’t re-run the same search multiple times.
visualizations.dashboardDashboard NameSSE AuthorsWhen using the automatic dashboarding, this viz will be placed under this dashboard name. You may have 10-30 dashboard panels per dashboard.Essential Network Security
visualizations.descriptionPanel DescriptionSSE AuthorsFor automatic dashboarding, you can optionally add a paragraph-form description to the bottom of the panel.Provides a running count of identified DNS connections over time
visualizations.headerDashboard HeaderSSE AuthorsWhen using the automatic dashboarding, this viz will be placed under this header, on the dashboard. You’ll generally want a 1-5 panels for a header.DNS Traffic
visualizations.hideInSearchBuilderHide in Search BuilderSSE AuthorsIf you do not want to show a particular viz in the actual search builder but want it to be available in the automatic dashboarding feature, set this to true.Obj: True
visualizations.panelPanel IDSSE AuthorsWhen rendered on the search builder, this refers to which panel the viz is rendered in. There are three columns and three rows (two above the main output, one below)row1cell1
visualizations.pathImage URLSSE AuthorsFor visualizations.type = image, the path to that viz.
visualizations.recommendedIs Base SearchSSE AuthorsFor panels in the automatic dashboarding feature, you have the option to mark them as recommended (enabled by default) or not.Obj: True
visualizations.searchSearch StringSSE AuthorsThe search string for the viz
visualizations.titlePanel TitleSSE AuthorsThe title for this vizDNS Traffic Over Time
visualizations.typeImage or VisualizationSSE AuthorsA flag for whether it is an image or a Splunk Vizimage
visualizations.vizParametersParameters For Native VizSSE AuthorsWhen you initialize Splunk Viz via SplunkJS you pass an object with parameters (e.g., charting.chart: pie, etc.). Provide those parameters here.
visualizations.vizTypeVisualization TypeSSE AuthorsIf a splunk viz, a flag for what type it is. Valid options include: ChartElement, SingleElement, MapElement, TableElementTableElement
anomaliesUBA: Array of ShowcaseIDs for UBA AnomaliesUBA AuthorsUBA Specific: A list of the SSE ids for any UBA Anomalies that the Threat looks at. Each should resolve to a threat (generally, ID matches regex AT\d*)
contributes_to_threatsUBA: Array of ShowcaseIDs for UBA ThreatsUBA AuthorsUBA Specific: A list of the SSE ids for any UBA Threats that the Anomaly contributes to. Each should resolve to a threat (generally, ID matches regex TT\d*)TT01
detectionsUBA: Array of Detection ObjectsUBA AuthorsUBA Specific: Anomaly Types in UBA are powered by multiple detections. This array has an object for each of those detections.
detections.data_sourceUBA: Array of DSC IDsUBA AuthorsUBA Specific: Each DSC ID should resolve to the data_inventory.json, just like the data_source_categories field. Unlike that field, this is a proper JSON array rather than a pipe-delimited string.DS009EndPointIntel-ET01ProcessLaunch
detections.descriptionUBA: Description for the DetectionUBA AuthorsUBA Specific: Description of the Detection that powers an Anomaly Type.
detections.idUBA: ID for the DetectionUBA AuthorsNot currently used
detections.internal_idUBA: Internal ID for the DetectionUBA AuthorsNot currently used
detections.nameUBA: Detection NameUBA AuthorsUBA Specific: Name of the Detection that powers an Anomaly Type.
internal_idUBA: Internal IDUBA AuthorsNot currently used
is_customUBA: Is a Custom ThreatUBA AuthorsUBA Specific: Not currently used, but displays whether the threat is a rule-based custom threat, rather than an ML threat.Yes
long_descriptionUBA: Long DescriptionUBA AuthorsUBA Specific: A description field that is not subject to the character limits applied to the normal description field. This shows up when someone clicks into the UBA Anomaly or Threat

Except where noted above (UBA fields and arrays of objects), multi-value fields are populated with pipes separating each element. E.g., content that maps to Security Monitoring and Advanced Threat Detection would have:

{
    "usecase": "Security Monitoring|Advanced Threat Detection"
}

For a sense of valid values, consider looking at an example search:

| sseanalytics | fieldsummary | table field *count values

Examples

Custom or Partner Content

The app expects to download a JSON file. Each top-level key should be the ID of the showcase. See the following example:

{
    "buttercuplabs_detect_bad_ponies": {
        "name": "Detect Bad Ponies",
        "inSplunk": "yes",
        "journey": "Stage_1",
        "usecase": "Security Monitoring",
        "highlight": "Yes",
        "id": "buttercuplabs_detect_bad_ponies",
        "channel": "ButtercupLabs",
        "alertvolume": "Low",
        "severity": "Very High",
        "category": "Account Compromise",
        "description": "This detection uses advanced analytics to determine which ponies are not good.",
        "domain": "",
        "killchain": null,
        "SPLEase": "None",
        "searchkeywords": "",
        "advancedtags": "",
        "printable_image": "",
        "icon": "https://static.mylogocloud.com/shop/store/20180213730/assets/items/largeimages/SPK0153.jpg",
        "company_logo": "https://image.slidesharecdn.com/splunklivesfhowtoalignyourdailysplunkactivitiesbreakoutsession-160317192319/95/how-to-align-your-daily-splunk-activities-breakout-session-23-638.jpg?cb=1458242654",
        "company_logo_width": "444",
        "company_logo_height": "250",
        "company_name": "Buttercup Labs",
        "company_description": "Buttercup Labs is the premier distributor of Pony-related security analytics. We have been protecting organizations from bad ponies for over ten years now.\n\\n\\n\nEnjoy our freely available content for detecting bad ponies in your environment, and reach out to us for a demo or trial license of our premium Pony Detection app!\n\\n\\n\nHave you successfully found bad ponies in your own environment? Buttercup Labs is hiring! We are a wholly owns subsidiary of Buttercup Games, and are a proudly equal opportunity employer. We welcome ponies of all heights, colors, hoof styles, sexual orientations, and neuro-diversities.",
        "company_link": "http://buttercupgames.com/",
        "dashboard": "showcase_custom?showcaseId=buttercuplabs_detect_bad_ponies",
        "relevance": "Placeholder Text",
        "help": "",
        "howToImplement": "Placeholder Text",
        "knownFP": "Placeholder Text",
        "operationalize": "Placeholder Text",
        "search": "index=buttercup sourcetype=content",
        "data_source_categories": "DS003Authentication-ET02Failure|DS003Authentication-ET01Success",
        "mitre_technique": "T1098|T1003",
        "mitre_tactic": "TA0006"
    }
}

Simple Content

While you can configure a large volume of content in SSE, you don’t necessarily need to.

{
    "phantom_ec2_instance_isolation": {
        "alertvolume": "Very Low", 
        "app": "Splunk_Phantom", 
        "category": "Account Compromise|IAM Analytics|Account Sharing|SaaS|Insider Threat", 
        "dashboard": "showcase_phantom?showcaseId=phantom_ec2_instance_isolation", 
        "data_source_categories": "VendorSpecific-aws-cloudtrail", 
        "description": "Isolate an EC2 instance by changing its security group in order to protect it from malicious traffic. This playbook can be started alone or used from another playbook after doing investigation and notification.", 
        "displayapp": "Splunk Phantom", 
        "domain": "Access", 
        "hasSearch": "No", 
        "help": "Simply deploy Phantom and work with your technical team to deploy this.", 
        "highlight": "Yes", 
        "howToImplement": "This playbook can be triggered off of several example searches available in the Security Essentials app to take immediate action to quarantine an instance when suspicious behavior has been detected.", 
        "icon": "phantom_logo.png", 
        "includeSSE": "Yes", 
        "journey": "Stage_5", 
        "name": "EC2 Instance Isolation", 
        "operationalize": "Depending on the use case, this playbook can be modified using several of the available Phantom apps to increase the scope of the actions taken in this playbook. For example using the AWS WAF or AWS IAM app, additional actions can be added based on the type of alert triggered.", 
        "printable_image": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png", 
        "released": "3.0.0", 
        "relevance": "Compromised AWS credentials can allow a malicious actor access to currently running instances and configurations as well as the ability to start new instances and services. By detecting suspicious behavior early this playbook allows for a security team to react quickly and further investigate any suspicious behavior.", 
        "searchKeywords": "", 
        "usecase": "Advanced Threat Detection|Insider Threat|SOC Automation", 
        "visualizations": [
            {
                "panel": "row1cell1", 
                "path": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png", 
                "title": "EC2 Instance Isolation", 
                "type": "image"
            }
        ]
    }
}

Full-fledged Native Content

There are a variety of additional fields exposed to the native SSE content.

{
    "new_cloud_provider": {
        "SPLEase": "Medium", 
        "alertvolume": "High", 
        "app": "Splunk_Security_Essentials", 
        "category": "Data Exfiltration|Insider Threat|Shadow IT", 
        "dashboard": "showcase_first_seen_demo?ml_toolkit.dataset=New Cloud Provider for User - Demo", 
        "data_source_categories": "DS005WebProxyRequest-ET01RequestedWebAppAware", 
        "description": "<p>Detect a user who is accessing a cloud storage provider they've never used before.</p>", 
        "displayapp": "Splunk Security Essentials", 
        "domain": "Network", 
        "examples": [
            {
                "label": "Demo Data", 
                "name": "New Cloud Provider for User - Demo"
            }, 
            {
                "label": "Live Data", 
                "name": "New Cloud Provider for User - Live"
            }, 
            {
                "label": "Accelerated Data", 
                "name": "New Cloud Provider for User - Accelerated"
            }
        ], 
        "hasSearch": "Yes", 
        "help": "<p>This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Palo Alto Networks events. For this analysis, we are effectively grouping by username and app name after filtering for the category, which will give us a row for each username+appname combination. We check if the first time that has occurred was in the last day.</p>", 
        "highlight": "Yes", 
        "howToImplement": "<p>Implementation of this example (or any of the First Time Seen examples) is generally very simple. <ul><li>Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.</li><li>Save the search.</li></ul></p><p>For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.</p>", 
        "icon": "Core_Use_Case.png", 
        "includeSSE": "Yes", 
        "journey": "Stage_2", 
        "killchain": "Actions on Objectives", 
        "knownFP": "<p class=\"disclaimer\">This is a strictly behavioral search, so we define \"false positive\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise.</p><p>You should not review these alerts directly (except for access to extremely sensitive system), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).</p> ", 
        "mitre_tactic": "TA0010|TA0011", 
        "mitre_technique": "|T1048|T1102", 
        "name": "New Cloud Provider for User", 
        "operationalize": "<p>When this search returns values, validate whether the usage of this cloud provider is permitted by your policy, and investigate to see what data is being stored there. Common allowable scenarios can be uploading into a box folder provided by a vendor for secure support file upload, which might be allowable, versus the backup of data to a personal Google drive account. Ultimately this search will generate many shades of gray, so it's prudent to understand supporting information such as the amount of data transmitted before reaching out to the employee or their manager to determine next steps.</p>", 
        "phantomPlaybooks": [
            "phantom_malicious_insider_containment", 
            "phantom_prompt_and_block_domain"
        ], 
        "printable_image": "/static/app/Splunk_Security_Essentials/images/printable_demo_images/new_cloud_provider.png", 
        "released": "2.2.0", 
        "relevance": "Data exfiltration techniques vary across the world, but certainly a very common approach taken in 2018 is to upload data to a non-corporate file storage solution. Tracking new file storage solutions end up in your environment is a key capability to track where data flows in your organization along with the adoption of Shadow IT.", 
        "searchKeywords": "", 
        "usecase": "Insider Threat|Security Monitoring"
    }
}

Product-Specific Varieties

Splunk’s premium products have a few product-specific configurations.

ES

{
    "search_name": "Change - Abnormally High Number of Endpoint Changes By User - Rule", 
}

ESCU

{
    "escu_cis": "CIS 13", 
    "escu_data_source": "AWS CloudTrail logs", 
    "escu_nist": "DE.DP|DE.AE", 
    "escu_providing_technologies": "AWS", 
    "search_name": "ESCU - Abnormally High AWS Instances Terminated by User - Rule", 
    "story": "2e8948a5-5239-406b-b56b-6c50f1268af3"
}

The ESCU Story ID defined in the “story” field is a reference to the story object in the ShowcaseInfo.json file. This is a lower-level field, hosted at ShowcaseInfo[‘escu_stories’]. Here is the story detail referenced above:

{
    "2e8948a5-5239-406b-b56b-6c50f1268af3": {
        "detections": [
            "detection_abnormally_high_instance_termination", 
            "detection_ec2_instance_created_by_previously_unseen_user", 
            "detection_aws_activity_in_new_region", 
            "detection_abnormally_high_instances_launched"
        ], 
        "escu_category": [
            "Cloud Security"
        ], 
        "investigations": [
            "AWS Investigate User Activities By ARN", 
            "Get EC2 Instance Details by instanceId", 
            "Get Notable History", 
            "Get Notable Info", 
            "Get User Information from Identity Table", 
            "Investigate AWS activities via region name", 
            "Get EC2 Launch Details"
        ], 
        "modification_date": "2018-02-09", 
        "name": "Suspicious AWS EC2 Activities", 
        "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", 
        "references": [
            "https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"
        ], 
        "responses": [], 
        "story_id": "2e8948a5-5239-406b-b56b-6c50f1268af3", 
        "support": [
            "Previously Seen EC2 Launches By User", 
            "Previously Seen AWS Regions"
        ]
    }
}

UBA Anomalies

{
    "contributes_to_threats": [
        "TT01", 
        "TT12", 
        "TT13", 
        "TT14", 
        "TT15", 
        "TT17", 
        "TT18", 
        "TT26", 
        "TT28", 
        "TT30", 
        "TT32", 
        "TT33", 
        "TT34"
    ], 
    "detections": [
        {
            "data_source": [
                "VendorSpecific-winsec", 
                "DS009EndPointIntel-ET01ProcessLaunch"
            ], 
            "description": "Checks application launches in Windows Event Log against a predefined list of known bad applications. ", 
            "id": "DM07", 
            "internal_id": "Blacklisted_Application", 
            "name": "Blacklisted Application"
        }
    ], 
    "internal_id": "Blacklisted_Application", 
    "long_description": "Triggered when an application is executed on an endpoint or server. Blacklisted applications are pre-defined in UBA and updated on a regular basis.", 
}

UBA Threats

{
    "anomalies": [
        "AT11", 
        "AT06"
    ], 
    "internal_id": "Potential_Flight_Risk_Exfiltration", 
    "long_description": "This threat brings to light users who are possible flight risks. However, in addition to being a flight risk, this user has also performed actions that signal that it may be possible he will exfiltrate data. Actions that lead to exfiltration of data in this instance are events such as: suspicious data movement, upload of information to a cloud file system, or a DLP external alarm. ", 
    "is_custom": "Yes", 
}

Visualizations

SSE’s native search builders support custom visualizations.

Screenshots

{
    "visualizations": [
        {
            "panel": "row1cell1", 
            "path": "https://raw.githubusercontent.com/phantomcyber/playbooks/4.5/ec2_instance_isolation.png", 
            "title": "EC2 Instance Isolation", 
            "type": "image"
        }
    ]
}

Splunk Dashboard Panels

You can provide a panel similar to the below, but because the search will generally be different depending on search being used (e.g., live data vs demo data) you should usually define this in the Search Builder JSON file (below). See more detail on this framework in that section.

{
    "visualizations": [
        {
            "dashboard": "General Windows and Linux Posture", 
            "header": "AV Data", 
            "panel": "row1cell1", 
            "search": "| `Load_Sample_Log_Data(Symantec Endpoint Protection Operations)`  |stats max(eval(if(like(Event_Description, \"%LiveUpdate session ran successfully%\") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag=\"error\", _time, null))) as LatestError by Host_Name   | eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, \"-3d\") OR LatestError > LatestUpdate , \"No\", \"Yes\") | lookup gdpr_system_category host as Host_Name| search category=* | stats count by Up_To_Date", 
            "title": "Percentage of In-Scope Hosts with Up To Date AV", 
            "type": "viz", 
            "vizParameters": {
                "charting.chart": "pie", 
                "link.exportResults.visible": "false", 
                "link.inspectSearch.visible": "false", 
                "link.openPivot.visible": "false", 
                "link.openSearch.visible": "false", 
                "link.visible": "false", 
                "refresh.link.visible": "false", 
                "resizable": true
            }, 
            "vizType": "ChartElement"
        }, 
        {
            "dashboard": "General Windows and Linux Posture", 
            "header": "AV Data", 
            "panel": "row1cell2", 
            "search": "| `Load_Sample_Log_Data(Symantec Endpoint Protection Operations)`  |stats max(eval(if(like(Event_Description, \"%LiveUpdate session ran successfully%\") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag=\"error\", _time, null))) as LatestError by Host_Name   | eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, \"-3d\") OR LatestError > LatestUpdate , \"No\", \"Yes\") | search Up_To_Date = Yes | lookup gdpr_system_category host as Host_Name| search category=*| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError) ", 
            "title": "Hosts with Up To Date AV", 
            "type": "viz", 
            "vizParameters": {
                "link.exportResults.visible": "false", 
                "link.inspectSearch.visible": "false", 
                "link.openPivot.visible": "false", 
                "link.openSearch.visible": "false", 
                "refresh.link.visible": "false", 
                "resizable": true
            }, 
            "vizType": "TableElement"
        }
    ]
}

Search Builder Content

The search builder files are those actually used to show off a file. There are five search builders in SSE:

DashboardDashboard NameJSON FileNotes
showcase_simple_searchSimple Searchshowcase_simple_search.jsonThis is for the majority of the native SSE content – it simply runs a search string without any additional SPL added.
showcase_first_seen_demoFirst Time Seenshowcase_first_seen_demo.jsonThe first time seen search builder takes a base dataset, two fields that we can split by, and automatically tacks on the logic for alerting if this happens for the first time in the last day. It has high scale versions, allowing users to cache the result to a lookup. It also has a peer group option, allowing the search to find values that are new not just for the entity in question, but also for their department (or peer group, or geo, or etc.)
showcase_standard_deviationTime Series Spikeshowcase_standard_deviation.jsonThe time series spike search builder takes a base dataset that is already aggregated per day, along with a field representing the numerical measure, and a field representing the entity being analyzed. It then does a standard deviation analysis to find unusually high values.
showcase_phantomSplunk PhantomN/A (Uses main ShowcaseInfo)This is used for Phantom content.
showcase_customCustom ContentN/A (Uses main ShowcaseInfo)This is used for custom content, and Partner content.

Schema

JSON Field NameDescriptive FieldSearch BuilderDescriptionExamples
labelNameAllThis matches the examples.name from ShowcaseInfo.json and must match the ID (referenced above)Emails With Lookalike Domains - Demo
valueSearchAllThe search string is contained here. Line breaks in the line-by-line SPL are implemented via \n and the # of lines should match the length of the description array.index=abc \n
descriptionLine-by-Line SPL DocumentationAllAn array tha contains the line-by-line SPL docs. The # of elements in the array must be equal to the # of ‘\n’s + 1 in the search (in effect: doing a split by ‘\n’ on the search will result in the same number).“Base Data”, “Count them”, “Filter”
prereqsArray of Pre-RequisitesAllAn array that contains all of the pre-req objects.
prereqs.fieldPre-Req FieldAllThe field that is analyzed to determine whether the pre-req is met. (Typically count)count
prereqs.greaterorequaltoPre-Req Min ValueAllThe value of the field in prereqs.field must be >= this value (Typically 1)1
prereqs.namePre-Req NameAllThe label provided to the user for this pre-req“Must have data”
prereqs.resolutionPre-Req ResolutionAllHow the user can remedy a failed pre-req. Typically “install this add-on” or “acquire this data.”
prereqs.testSPL for Pre-ReqAllThe search that is run for pre-reqs
actions_createNotableCreate NotableAllWhether a notable event should be created. (Typically 0, but could be 1 for high confidence detections.) Will trigger ES workflow.1
actions_createRiskCreate RiskAllWhether to create a risk object for this search. (Typically 1, but could be 0 if it doesn’t apply to the situation).1
actions_riskObjectRisk ObjectAllThe risk_object (aligning to ES Risk Framework)Computer_Name
actions_riskObjectScoreRisk ScoreAllThe risk_score (aligning to ES Risk Framework)60
actions_riskObjectTypeRisk Object TypeAllThe risk_object_type (aligning to ES Risk Framework)system
actions_UBASeverityUBA SeverityAllAn indication that the event should be sent to UBA, and the severity provided (1-9)5
visualizationsArray of Visualization ObjectsAllSSE has the option for visualizations. Those visualizations can be either native Splunk Viz or Screenshots.
visualizations.basesearchBase SearchAllIf defined, the search builder will initiate a base search with this value, and then a post-process with the value in visualizations.search. Use when you have multiple panels powered by the same dataset so that you don’t re-run the same search multiple times.
visualizations.dashboardDashboard NameAllWhen using the automatic dashboarding, this viz will be placed under this dashboard name. You may have 10-30 dashboard panels per dashboard.Essential Network Security
visualizations.descriptionPanel DescriptionAllFor automatic dashboarding, you can optionally add a paragraph-form description to the bottom of the panel.Provides a running count of identified DNS connections over time
visualizations.headerDashboard HeaderAllWhen using the automatic dashboarding, this viz will be placed under this header, on the dashboard. You’ll generally want a 1-5 panels for a header.DNS Traffic
visualizations.hideInSearchBuilderHide in Search BuilderAllIf you do not want to show a particular viz in the actual search builder but want it to be available in the automatic dashboarding feature, set this to true.Obj: True
visualizations.panelPanel IDAllWhen rendered on the search builder, this refers to which panel the viz is rendered in. There are three columns and three rows (two above the main output, one below)row1cell1
visualizations.pathImage URLAllFor visualizations.type = image, the path to that viz.
visualizations.recommendedIs Base SearchAllFor panels in the automatic dashboarding feature, you have the option to mark them as recommended (enabled by default) or not.Obj: True
visualizations.searchSearch StringAllThe search string for the viz
visualizations.titlePanel TitleAllThe title for this vizDNS Traffic Over Time
visualizations.typeImage or VisualizationAllA flag for whether it is an image or a Splunk Vizimage
visualizations.vizParametersParameters For Native VizAllWhen you initialize Splunk Viz via SplunkJS you pass an object with parameters (e.g., charting.chart: pie, etc.). Provide those parameters here.
visualizations.vizTypeVisualization TypeAllIf a splunk viz, a flag for what type it is. Valid options include: ChartElement, SingleElement, MapElement, TableElementTableElement
outlierPeerGroupPeer GroupFirst Time SeenFirst Time Seen can optionally do peer group analysis. This is disabled by default (though the user can always configure it!) but it is available to be specified here.
outlierValueTracked1Value #1First Time SeenFirst Time Seen splits by two values. Typically the first value is the subject (e.g., user, dest, src, etc.)user
outlierValueTracked2Value #2First Time SeenFirst Time Seen splits by two values. Typically the second value is the unusual attribute (e.g., geo, API, etc.)eventName
cardinalityTestCardinality TestTime Series SpikeSPL that tests to see if this split-by will result in an excessive number of results, overwhelming Splunk. Generally it is the core search, but instead of stats … by user it would be stats dc(user) as count
outlierSearchTypeSearch TypeTime Series SpikeReserved for future use, must be “Avg” todayAvg
outlierVariableNumeric MeasureTime Series SpikeThe value containing the “count” that we are measuring. Often “count” but could be any Splunk field.count
outlierVariableSubjectSubjectTime Series SpikeThe subject (or entity) we are monitoring. Typically user, src, or dest, but could be any Splunk field.user
scaleFactor# of StDevsTime Series SpikeHow many Standard Deviations away from avg is abnormal (aka z-score). Typically 3-10 in real world usage – 3 for anomaly detection, 10 for high confidence.6
windowSizewindowSizeTime Series SpikeNot used, must be 0.0

Examples

{
    "DynDNS - Live": {
        "actions_UBASeverity": 7,
        "actions_createRisk": 1,
        "actions_riskObject": "user",
        "actions_riskObjectScore": 30,
        "actions_riskObjectType": "user",
        "description": [
            "First we bring in our dataset of proxy logs.",
            "Because we are looking for dynamic dns providers, we're going to need to separate out subdomains from the registered domain. URL Toolbox is just the tool for this job!",
            "Next we can use our lookup of ddns domains (see How to Implement). This will add a field called inlist with the value \"true\" for any matches.",
            "And finally we can look for those records that are matches.",
            "With our dataset complete, we just need to arrange the fields to be useful."
        ],
        "label": "DynDNS - Live",
        "prereqs": [{
                "field": "count",
                "greaterorequalto": 1,
                "name": "Must have Proxy data",
                "resolution": "Proxy data can come in many forms, including from Palo Alto Networks and other NGFWs, dedicated proxies like BlueCoat, or network monitoring tools like Splunk Stream or bro.",
                "test": "| metasearch earliest=-2h latest=now index=* sourcetype=pan:threat OR (sourcetype=opsec URL Filtering) OR sourcetype=bluecoat:proxysg* OR sourcetype=websense* | head 100 | stats count "
            },
            {
                "field": "count",
                "greaterorequalto": 1,
                "name": "Must have URL Toolbox Installed",
                "resolution": "The URL Toolbox app, written by Cedric Le Roux, provides effective URL Parsing. Download <a href=\"https://splunkbase.splunk.com/app/2734/\">here</a>.",
                "test": "| rest /services/apps/local | search disabled=0 label=\"URL Toolbox\" | stats count"
            }
        ],
        "value": "index=* sourcetype=pan:threat OR (tag=web tag=proxy) earliest=-20m@m earliest=-5m@m \n| eval list=\"mozilla\" | `ut_parse_extended(url,list)`\n| lookup dynamic_dns_lookup domain as ut_domain OUTPUT inlist\n| search inlist=true \n| table _time ut_domain inlist bytes* uri",
        "visualizations": [{
                "panel": "row1cell1",
                "header": "DNS Traffic",
                "dashboard": "Essential Network Security",
                "description": "Provides a running count of identified DNS connections over time",
                "search": "| `Load_Sample_Log_Data(Sample Firewall Data)` | search dest_port=53 OR app=dns | timechart count",
                "title": "DNS Traffic Over Time",
                "type": "viz",
                "vizParameters": {
                    "charting.chart": "column"
                },
                "vizType": "ChartElement"
            },
            {
                "panel": "row1cell2",
                "header": "DNS Traffic",
                "dashboard": "Essential Network Security",
                "recommended": false,
                "description": "Shows the top destinations for DNS traffic. These should be your DNS servers, or a standard upstream DNS server.",
                "basesearch": "index=* sourcetype=pan:threat OR (tag=web tag=proxy) (dest_port=53 OR app=dns)",
                "search": "| `Load_Sample_Log_Data(Sample Firewall Data)` | search dest_port=53 OR app=dns | stats count by dest_ip | sort - count",
                "title": "Likely Resolvers",
                "type": "viz",
                "vizParameters": {},
                "vizType": "TableElement"
            }
        ]
    }    
}

First Time Seen

{
    "AWS New API Call Per Peer Group - Live": {
        "actions_UBASeverity": 7,
        "actions_createRisk": 1,
        "actions_riskObject": "user",
        "actions_riskObjectScore": 30,
        "actions_riskObjectType": "user",
        "description": [
            "First we bring in our basic dataset. In this case, AWS CloudTrail logs, filtered for individual APIs that we want to pay close attention to."
        ],
        "label": "AWS New API Call Per Peer Group - Live",
        "outlierPeerGroup": "peer_group_for_git_use_case.csv",
        "outlierValueTracked1": "user",
        "outlierValueTracked2": "eventName",
        "prereqs": [{
            "field": "count",
            "greaterorequalto": 1,
            "name": "Must have AWS CloudTrail data",
            "resolution": "In order to run this search, you must have AWS CloudTrail data onboard. Visit the <a href=\"/app/Splunk_Security_Essentials/data_source?technology=AWS%20CloudTrail\">data onboarding guide for AWS CloudTrail in this app</a>, or browse to <a href=\"https://splunkbase.splunk.com/app/1876/\">apps.splunk.com</a> for more information.",
            "test": "| tstats count where earliest=-2h latest=now index=* sourcetype=aws:cloudtrail"
        }],
        "value": "index=* sourcetype=aws:cloudtrail eventType=* NOT errorMessage=* NOT eventName=Describe* NOT eventName=Get* NOT eventName=List*"
    }
}

Standard Deviation

{
    "GCP APIs Called More Often Than Usual Per Account - Live": {
        "actions_UBASeverity": 2,
        "actions_createRisk": 1,
        "actions_riskObject": "data.protoPayload.authenticationInfo.principalEmail",
        "actions_riskObjectScore": 10,
        "actions_riskObjectType": "user",
        "cardinalityTest": "index=* sourcetype=google:gcp:pubsub:message \n| bucket _time span=1d | stats dc(data.protoPayload.authenticationInfo.principalEmail) as count by _time",
        "description": [
            "First we bring in our basic GCP Audit logs, filtering out list activity.",
            "Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same day.",
            "Next we use stats to summarize the number of events per user per day."
        ],
        "label": "GCP APIs Called More Often Than Usual Per Account - Live",
        "outlierSearchType": "Avg",
        "outlierVariable": "count",
        "outlierVariableSubject": "data.protoPayload.authenticationInfo.principalEmail",
        "prereqs": [{
            "field": "count",
            "greaterorequalto": 1,
            "name": "Must have GCP Audit data",
            "resolution": "In order to run this search, you must have GCP Audit data onboard. Browse to <a href=\"https://splunkbase.splunk.com/app/3088/\">apps.splunk.com</a> for more information.",
            "test": "| tstats count where earliest=-2h latest=now index=\"*\" sourcetype=google:gcp:pubsub:message"
        }],
        "scaleFactor": 2,
        "value": "index=* sourcetype=google:gcp:pubsub:message NOT data.protoPayload.methodName=v1*.list*  NOT data.protoPayload.methodName=storage*.list*  \n| bucket _time span=1d \n| stats count by data.protoPayload.authenticationInfo.principalEmail _time",
        "windowSize": 0
    }    
}