Correlation Search Introspection and Mapping

Tracking which content you have active underpins much of Splunk Security Essentials' functionality (enriching the MITRE ATT&CK Matrix, guiding you to the right content, integrations with Splunk Enterprise Security, Risk-based Alerting, and the Data Availability Dashboard). You can record this through bookmarking (setting a bookmark's status to Implemented), but it is often easier to configure via Correlation Search Introspection on the Bookmarked Content dashboard.

  1. Splunk Security Essentials uses bookmarking to track which content is active in your environment, or simply to help you remember which content you want to deploy.
  2. If you have installed this app on your production search head, its Correlation Search Introspection feature makes recording your active content easier by walking you through marking it.
  3. The introspection pulls a list of all of your enabled local scheduled searches that have an action associated with them. It also automatically marks as active any ES, ESCU, or SSE content that is directly enabled.
  4. For most content, the introspection gives you the option to indicate that a search is not a security detection, to search through all of the out-of-the-box content contained in the app, or to create new custom content in the app. Any of these helps you accurately map data sources, MITRE ATT&CK techniques, and other metadata for your content.
  5. Splunk Security Essentials includes a search engine to help you search the app and map any detection search to the matching out-of-the-box content.
  6. For content that does not exist in Splunk out of the box, you can create custom content. Custom content appears everywhere throughout the app, just like normal Splunk content.
  7. You can define the same metadata for custom content (such as MITRE ATT&CK, Kill Chain, and data source categories), and add all the usual descriptive fields (how to respond, known false positives, and so on).
  8. If you do not have Splunk Security Essentials on your production environment, you can still mark content individually as installed or bookmarked.
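The following is an added example, not Splunk Security Essentials' own code, that reproduces offline the filter step 3 describes: take a saved-search inventory and keep only enabled, scheduled searches that carry at least one action, then split the result into content SSE already knows (ES, ESCU, SSE app ids) and searches that still need manual mapping. It assumes the inventory comes from the Splunk REST endpoint `/servicesNS/-/-/saved/searches?output_mode=json` (the same data you can inspect with `| rest /servicesNS/-/-/saved/searches` in a search bar); the JSON below is constructed to mimic that shape, and the app-id matching is an assumption about how known content is recognised, not the app's actual logic.

```python
"""Offline reproduction of the introspection filter (example code, not SSE's own).

Assumption: saved-search records are the JSON returned by
GET /servicesNS/-/-/saved/searches?output_mode=json. The sample below is
constructed, not taken from a real search head.
"""
import json
from typing import Any

# App ids for content SSE already knows about (ES, ESCU, SSE). Assumption:
# the real feature may recognise known content by other metadata; these are
# the stock app ids of the three packages.
KNOWN_CONTENT_APPS = {
    "SplunkEnterpriseSecuritySuite",   # Enterprise Security
    "DA-ESS-ContentUpdate",            # ES Content Update (ESCU)
    "Splunk_Security_Essentials",      # SSE itself
}

# Constructed sample inventory in the REST JSON shape.
SAMPLE_REST_JSON = json.dumps({
    "entry": [
        {"name": "ESCU - Detect New Local Admin account - Rule",
         "acl": {"app": "DA-ESS-ContentUpdate"},
         "content": {"disabled": False, "is_scheduled": True,
                     "actions": "notable,risk"}},
        {"name": "Custom - Suspicious Process Launch",
         "acl": {"app": "search"},
         "content": {"disabled": "0", "is_scheduled": "1",
                     "actions": "email"}},
        {"name": "Nightly Index Volume Report",
         "acl": {"app": "search"},
         "content": {"disabled": False, "is_scheduled": True,
                     "actions": ""}},                      # no action: skipped
        {"name": "Disabled Old Rule",
         "acl": {"app": "SplunkEnterpriseSecuritySuite"},
         "content": {"disabled": True, "is_scheduled": True,
                     "actions": "notable"}},               # disabled: skipped
        {"name": "Ad hoc saved search",
         "acl": {"app": "search"},
         "content": {"disabled": False, "is_scheduled": False,
                     "actions": "email"}},                 # not scheduled: skipped
    ]
})


def _flag(value: Any) -> bool:
    """Splunk emits flags as true/false, 0/1 or '0'/'1' depending on output mode."""
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "t", "yes"}
    return bool(value)


def enabled_scheduled_with_actions(rest_json: str) -> list[dict]:
    """Keep searches that are enabled, scheduled, and have at least one action."""
    selected = []
    for entry in json.loads(rest_json)["entry"]:
        content = entry.get("content", {})
        actions = [a.strip() for a in str(content.get("actions", "")).split(",") if a.strip()]
        if _flag(content.get("disabled")) or not _flag(content.get("is_scheduled")) or not actions:
            continue
        selected.append({
            "name": entry["name"],
            "app": entry.get("acl", {}).get("app", ""),
            "actions": actions,
        })
    return selected


def introspect(rest_json: str) -> dict[str, list[str]]:
    """Split candidates into content marked active automatically (known app ids)
    and searches queued for the manual mapping step."""
    auto_marked, needs_mapping = [], []
    for search in enabled_scheduled_with_actions(rest_json):
        bucket = auto_marked if search["app"] in KNOWN_CONTENT_APPS else needs_mapping
        bucket.append(search["name"])
    return {"auto_marked": auto_marked, "needs_mapping": needs_mapping}


if __name__ == "__main__":
    print(json.dumps(introspect(SAMPLE_REST_JSON), indent=2))
```

Running the script on the constructed sample leaves two candidates: the ESCU rule is marked active automatically, and the custom search is the one the introspection dialog would ask you to classify (not a detection, map to existing content, or create custom content). The report without an action, the disabled rule, and the unscheduled search never reach that step.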