Prescriptive Content Recommendations

Introduction

This app contains data and search introspection that we can leverage to provide very prescriptive recommendations. It requires a bit more setup, but provides concrete recommendations.

Pre-requisites

Enabled Products

In the app configuration, you can include / exclude different sources of content, allowing you to filter out Splunk solutions you might not own, or avoid seeing the free content from Splunk Security Essentials. Most users will leave this at the default settings.

  1. Find the Configuration menu in the navigation.

  2. Under Enabled Sources you can turn on or off different apps. This will apply globally across the app.

Data Inventory

Data Source Categories use standardized searches to find data configured with the tags that are used in Splunk’s Common Information Model. You can also add custom products that either don’t match the Common Information Model, or mark that you have products you expect to add in the future.

  1. The Data Inventory dashboard allows you to configure what products you have in your environment. Products have a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected with data source categories, allowing the app to show you what content can be turned on with your present data.

  2. Here’s an example of several data source categories, under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.

  3. When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work from this page is automated!

  4. There are four automated introspection steps that pull a variety of data.

  5. For any sources or sourcetypes that are uncommon, you can tell the app what product it is.

  6. If you have a product that wasn’t detected, or you aren’t installing this app on your production search head, you can always manually add products by clicking Add Product. If you don’t have data for a DSC, you can say No Data Present.

Correlation Search Introspection and Mapping

Tracking what content you have active is key to so much Splunk Security Essentials functionality (enriching the MITRE ATT&CK Matrix, guiding you to the right content, integrations with Splunk Enterprise Security, Risk-based Alerting, the Data Availability Dashboard). This can be accomplished through bookmarking (set status Implemented), but it’s often easier to configure via Correlation Search Introspection on the Bookmarked Content dashboard.

  1. Splunk Security Essentials uses bookmarking to track what content is active in your environment, or to just help you remember what content you want to deploy.

  2. To make the process of recording your active content easier if you’ve installed this app on your production search head, it contains a Correlation Search Introspection feature which walks you through marking active content.

  3. This introspection will pull a list of all of your enabled local scheduled searches that have an action associated with them. It will also automatically enable any directly enabled ES, ESCU, or SSE content.

  4. For most content, the introspection will provide you with the option to indicate that a search is not a security detection, search through all of the out-of-the-box content contained in the app, or create new custom content in the app. Any of these will help you accurately map data source, MITRE, and other metadata for your content.

  5. Splunk Security Essentials includes a search engine to help you search the app and map any detection search to all of the out-of-the-box content.

  6. For content that doesn’t exist in Splunk out-of-the-box, you can create custom content. Custom content shows everywhere throughout the app, just like normal Splunk content.

  7. You can even define all of the same metadata content (such as MITRE ATT&CK, Kill Chain, data source categories, etc.). You can also add all the normal descriptive fields (how to respond, known false positives, etc.).

  8. If you don’t have Splunk Security Essentials on your production environment, you can always individually mark content as installed, or bookmarked.
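The selection rule described in step 3 (enabled, local, scheduled searches that carry an action) is easy to state in code. The following is an added example, not code from Splunk Security Essentials: it parses a constructed savedsearches.conf fragment with Python's standard configparser and applies that rule, flagging which candidates are also Enterprise Security correlation searches. The stanza keys (`disabled`, `enableSched`, `cron_schedule`, `action.*`, `action.correlationsearch.enabled`) are the standard savedsearches.conf keys; how the app itself implements the introspection is not shown on this page, so treat the filter as an illustration of the rule, not as the app's logic.

```python
"""Added example: which saved searches Correlation Search Introspection
would present, using the rule 'enabled + scheduled + has an action'.

Not Splunk Security Essentials code. The sample stanzas are constructed.
"""
import configparser

# Constructed savedsearches.conf content from a local search head (not real).
SAMPLE_SAVEDSEARCHES = """
[Threat - Brute Force Access Behavior Detected - Rule]
search = | tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src
enableSched = 1
cron_schedule = */10 * * * *
action.correlationsearch.enabled = 1
action.notable = 1
disabled = 0

[Weekly License Report]
search = index=_internal source=*license_usage.log* | stats sum(b)
enableSched = 1
cron_schedule = 0 6 * * 1
action.email = 1
disabled = 0

[Ad hoc - Suspicious PowerShell]
search = index=wineventlog EventCode=4104
enableSched = 0
disabled = 0

[Old - Disabled Detection]
search = index=proxy status=407
enableSched = 1
cron_schedule = 0 * * * *
action.risk = 1
disabled = 1

[Scheduled Without Action]
search = index=main | stats count
enableSched = 1
cron_schedule = 0 * * * *
disabled = 0
"""

TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def _is_true(value):
    return value.strip().lower() in TRUE_VALUES


def load_saved_searches(conf_text):
    """Parse savedsearches.conf text into {stanza name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (enableSched, action.notable)
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}


def has_action(stanza):
    """True if the stanza enables at least one alert action.

    An action is 'action.<name> = 1' (email, notable, risk, script, ...),
    the ES marker 'action.correlationsearch.enabled = 1', or a non-empty
    legacy 'actions' list.
    """
    if stanza.get("actions", "").strip():
        return True
    for key, value in stanza.items():
        parts = key.split(".")
        if parts[0] != "action" or not _is_true(value):
            continue
        if len(parts) == 2 or key == "action.correlationsearch.enabled":
            return True
    return False


def is_es_correlation_search(stanza):
    """Enterprise Security marks correlation searches with this key."""
    return _is_true(stanza.get("action.correlationsearch.enabled", "0"))


def introspection_candidates(conf_text):
    """Names of enabled, scheduled searches that have an action, sorted."""
    candidates = []
    for name, stanza in load_saved_searches(conf_text).items():
        enabled = not _is_true(stanza.get("disabled", "0"))
        scheduled = (_is_true(stanza.get("enableSched", "0"))
                     and bool(stanza.get("cron_schedule", "").strip()))
        if enabled and scheduled and has_action(stanza):
            candidates.append(name)
    return sorted(candidates)


if __name__ == "__main__":
    stanzas = load_saved_searches(SAMPLE_SAVEDSEARCHES)
    for name in introspection_candidates(SAMPLE_SAVEDSEARCHES):
        kind = "ES correlation search" if is_es_correlation_search(stanzas[name]) else "other scheduled alert"
        print(f"{name}: {kind}")
```

Of the five constructed stanzas, only two survive the filter: the correlation search and the license report. The report is exactly the kind of hit for which step 4 offers the "not a security detection" option, while the disabled detection, the unscheduled ad hoc search and the scheduled search with no action are never presented.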

Feature

Analytics Advisor Content Overview

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that’s present in your environment. You will find a number of visualizations geared toward simplifying the process of selecting content, and a drilldown to the Security Contents Page to start bookmarking and deploying it. There are also paired dashboards for MITRE ATT&CK and the Kill Chain, with purpose-built visualizations for those industry-standard models!

  1. The Content Overview dashboard is the centerpiece of the Analytics Advisor suite. This dashboard takes into account what data you have in your environment, what searches are active, and helps you see what content you can use next.

  2. Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.

  3. Any content labeled Active means that you have content (detections, correlations etc.) enabled in your environment.

  4. Any content labeled Available means that you have content that can be enabled with data already in Splunk.

  5. Any content labeled Needs data means that the data to support the content is missing in Splunk.

  6. The Available Content panel shows, at a high level, how your environment stacks up against the content available. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.

  7. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.

  8. The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.

  9. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.

Other Recommendations

Security Contents Page

The Security Contents Page is the main landing page for Splunk Security Essentials, providing a complete list of content and the ability to drill-down into any individual item. It’s the kicking off point for viewing all content in the app, and has a wealth of filters to help you hone in on exactly what you want.

  1. We’ve provided an introduction for this page and a detailed description of the Search Journey Stages listed below. To get the full details just click “Show all lines”.

  2. Use the filters below to find capabilities most relevant to you. For example, if you’re just starting out with Splunk for security and want to know what to begin with, you might opt to view all featured Stage 1 searches.

  3. Focus on a specific business concern: You can opt to select Stage 6 (all the Splunk Content)…

  4. Drill down: Focus on a single issue, like Insider Threat.

  5. Filter on specific data sources you already have in Splunk. For example, see some immediate detections you can deploy by filtering on the specific data source, such as, “Email Logs.”

  6. In order to find and focus on exactly the examples you want, adjust the filters by hitting the menu icon. Don’t worry: all the settings you configure will be retained every time you open the page in this browser.

  7. Splunk Security Essentials is not about the filters… it’s about the different examples to help with your specific use cases. Scroll down below to see what examples match the filters you’ve configured and how to start getting value with Splunk.

  8. Each of the examples will give you a brief description, tell you the log sources, and also tell you any MITRE or Kill Chain phases.

  9. Click into an example to get more detail. With the examples that only need Splunk Enterprise, you’ll also be able to view the full search string, along with detailed documentation. That’s it for this tour! Start exploring the examples and see how to get the most from your data with Splunk.

MITRE ATT&CK-based Content Recommendations

With an understanding of what data you have, you can specify the types of security concerns you’re facing and then use MITRE ATT&CK to filter for the Splunk content related to MITRE Techniques that are associated with many different threat groups.

  1. Select a category of issue that you are concerned about. If desired, you can also adjust the default filters for data availability and popularity.

  2. You will be greeted by a list of content that is tied to ATT&CK techniques MITRE reports as being popular with many threat groups.

  3. This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.

Analytics Advisor MITRE ATT&CK Framework

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that’s present in your environment. The MITRE ATT&CK Overview dashboard even includes a customized MITRE ATT&CK Matrix that shows your level of coverage on MITRE ATT&CK while letting you filter for the data you have in the environment, or the threat groups that target you.

  1. Like the Analytics Advisor Content Overview dashboard, the MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.

  2. The MITRE ATT&CK Matrix tab shows the coverage in your environment against all techniques. By default the app will color the matrix based on all content (Total), but you can adjust the filters to show just what content is currently enabled in your environment (Active), what content is available to start using with your data (Available), or what content you could use if you ingested more data into Splunk (Needs Data).

  3. You can also get insight into the threat groups that target you by selecting a group. The app will add a red icon for each technique associated with that threat group. If you don’t track a specific group, you can also filter for only the techniques popular with many groups.

  4. Finally, you can also highlight a specific data source directly in the matrix. This allows you to show the incremental value you’d get by adding an additional data source to your environment.

  5. The Chart View tab shows, at a high level, how your environment stacks up against the content available and the MITRE ATT&CK Framework specifically. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.

  6. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.

  7. The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.

  8. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.

Analytics Advisor Cyber Kill Chain

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that’s present in your environment. The Kill Chain Overview dashboard even includes a custom visualization designed to show what content is tied to different parts of the Kill Chain.

  1. Like the Analytics Advisor Content Overview dashboard, the Kill Chain Overview dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.

  2. Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.

  3. Any content labelled Active means that you have content (detections, correlations etc.) enabled in your environment.

  4. Any content labelled Available means that you have content that can be enabled with data already in Splunk.

  5. Any content labelled Needs data means that the data to support the content is missing in Splunk.

  6. The Kill Chain tab shows the coverage in your environment against the Kill Chain steps. You can adjust what numbers are displayed in the visualisation to show Active/Available content.

  7. The Chart View tab shows, at a high level, how your environment stacks up against the content available and the Cyber Kill Chain specifically. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.

  8. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.

  9. The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.

  10. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.
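The Content Overview, MITRE ATT&CK Framework and Kill Chain Overview dashboards all rest on the same classification: a piece of content is Active if introspection found it running, Available if every data source category it needs is present in the Data Inventory, and Needs data otherwise; the dashboards then roll those labels up by a Split by field (technique or Kill Chain phase), colour the matrix by Total/Active/Available/Needs Data, flag the techniques a selected threat group uses, and show the incremental value of onboarding one more data source. The following is an added example of that logic, not Splunk Security Essentials code: the content catalog, the data inventory, the active-content set and the threat-group technique list are all constructed sample data (the group is hypothetical, not a real MITRE group), and the real app derives its inputs from the Data Inventory and Correlation Search Introspection pages.

```python
"""Added example: Active / Available / Needs data classification, rolled up
by MITRE technique or Kill Chain phase, with threat-group gaps and the
incremental value of one new data source.

Not Splunk Security Essentials code; all inputs below are constructed.
"""
from collections import defaultdict

# Constructed content catalog: required data source categories plus the
# MITRE ATT&CK technique and Kill Chain phase each detection is mapped to.
CONTENT = {
    "Brute Force Logins": {
        "data_sources": {"Authentication"},
        "mitre": {"T1110"},
        "kill_chain": {"Exploitation"},
    },
    "Suspicious PowerShell Encoded Command": {
        "data_sources": {"Endpoint Process Execution"},
        "mitre": {"T1059.001"},
        "kill_chain": {"Installation"},
    },
    "DNS Beaconing": {
        "data_sources": {"DNS Logs"},
        "mitre": {"T1071.004"},
        "kill_chain": {"Command and Control"},
    },
    "Email Attachment from Rare Sender": {
        "data_sources": {"Email Logs"},
        "mitre": {"T1566.001"},
        "kill_chain": {"Delivery"},
    },
    "Lateral Movement via Admin Shares": {
        "data_sources": {"Authentication", "Endpoint Process Execution"},
        "mitre": {"T1021.002"},
        "kill_chain": {"Exploitation"},
    },
}

# Constructed Data Inventory: data source categories with data present.
DATA_PRESENT = {"Authentication", "Email Logs"}

# Constructed result of Correlation Search Introspection.
ACTIVE_CONTENT = {"Brute Force Logins"}

# Hypothetical threat group's techniques (constructed, not a real group).
GROUP_TECHNIQUES = {"T1110", "T1059.001", "T1566.001"}

STATUSES = ("Active", "Available", "Needs data")


def classify(content, data_present, active_content):
    """Return name -> 'Active' | 'Available' | 'Needs data'.

    Active wins regardless of inventory (the search is running).
    Available requires every data source category the content needs.
    """
    status = {}
    for name, meta in content.items():
        if name in active_content:
            status[name] = "Active"
        elif meta["data_sources"] <= data_present:
            status[name] = "Available"
        else:
            status[name] = "Needs data"
    return status


def coverage_by(content, status, split_by):
    """Roll up per split-by value ('mitre' or 'kill_chain') into
    {'Total', 'Active', 'Available', 'Needs data'} counts, i.e. the four
    colouring modes of the matrix."""
    table = defaultdict(lambda: {"Total": 0, **{s: 0 for s in STATUSES}})
    for name, meta in content.items():
        for key in meta[split_by]:
            table[key]["Total"] += 1
            table[key][status[name]] += 1
    return dict(table)


def group_gaps(mitre_coverage, group_techniques):
    """Techniques the group uses that have no Active content (the red-icon
    cells you would look at first)."""
    return sorted(t for t in group_techniques
                  if mitre_coverage.get(t, {}).get("Active", 0) == 0)


def incremental_value(content, data_present, active_content, new_source):
    """Content that moves from 'Needs data' to 'Available' if new_source is
    onboarded: the highlight the matrix shows for a chosen data source."""
    before = classify(content, data_present, active_content)
    after = classify(content, data_present | {new_source}, active_content)
    return sorted(n for n in content
                  if before[n] == "Needs data" and after[n] == "Available")


if __name__ == "__main__":
    status = classify(CONTENT, DATA_PRESENT, ACTIVE_CONTENT)
    for split in ("mitre", "kill_chain"):
        for key, counts in sorted(coverage_by(CONTENT, status, split).items()):
            print(split, key, counts)
    print("group gaps:", group_gaps(coverage_by(CONTENT, status, "mitre"), GROUP_TECHNIQUES))
    print("onboard EDR:", incremental_value(CONTENT, DATA_PRESENT, ACTIVE_CONTENT,
                                            "Endpoint Process Execution"))
```

With the constructed inputs, Exploitation counts two pieces of content (one Active, one Needs data), the hypothetical group has gaps at T1059.001 and T1566.001, and onboarding Endpoint Process Execution would unlock two detections at once, because Lateral Movement already has its Authentication data. Note that a technique whose only content is Available but not Active still shows as a gap: having the data is not the same as having the detection running.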