Splunk App for Detection Insights

Overview

An application for Splunk Enterprise Security providing additional insights into everything surrounding and/or impacting your security detections.

You can download the application package from Splunkbase here.

What is it?

It's a tab-based dashboard built for Splunk Enterprise Security (ES) that provides additional views to help users answer the following questions easily (amongst others):

  • Which security detections in my environment have drilldowns or not? Are any using multiple drilldowns or drilldown dashboards (new features in recent ES versions)?
  • Which ones generate notables/risk/use other actions?
  • Which ones are mapped to <insert security framework here> or not?
  • Which ones trigger and what is the trend?
  • Do I have Next Steps defined for my detections?
  • Are any using Machine Learning Models? Are those model properly deployed/trained?
  • Are there configuration issues with any of my detections?
  • How are my searches/alerts/correlation searches scheduled? Are there bottlenecks or other issues?
  • How can I see changes made to my detections (enabled/disabled/modified)?
  • How do my current detections map to MITRE? What about triggered detections? What about other products I might have mapped to MITRE? How did my posture evolve vs. MITRE over time? etc.
  • What commands are used in my detections? Are any using commands known to be slower/have limits?
  • What is the performance of my detections/saved searches/data model accelerations? How does that compare to current search concurrency limits?
  • How can I audit my detections against my organization's standards easily?
  • ... and more!

It's meant to be integrated into your ES installation's navigation if desired. See details below.


What does it look like?

The additional views provide the following insights, arranged over multiple tabs on the same dashboard:

Note

Whenever a detection is shown anywhere in the app, a link to edit it is provided for convenience which will open it in a new browser tab. You no longer need to navigate to Content Management in Enterprise Security to modify/fix a correlation rule, potentially losing context and valuable time.

Overview Tab

The Overview tab shows the number of currently enabled security detections as well as the total number of detections available. It also shows a number of high-level basic "checks" by default:

  • Detections that have a Contributing Event search or not
  • Detections that have multiple Contributing Event searches or not (a new feature in ES 7.2)
  • Detections that provide annotations aligned to a particular Security Framework or not (MITRE, KillChain, NIST, etc.)
  • Detections that have a particular Adaptive Response Action enabled (Notable, Risk, Threat Intel, SOAR, etc.)
  • Detections that make use of Next Steps or not
  • Detections that are configured to use Throttling or not

Note

These are configurable (add/enable/disable/edit/delete), see the Configuration section below for more details.

Tip

There are also additional checks that are available but which are disabled by default.

Overview

Any of the checks can be expanded, using the caret on the left of each row, to see which detections match the corresponding check and which do not. A link is provided for all detections, enabling users to quickly edit them in a separate browser window.

Expanded Check Example

Finally, a sunburst visualization gives users an idea of the distribution of Detections by Status, Security Domain and Data Model used.


Detection Details Tab

The Detection Details tab provides more information on the selected Security Detections, including:

  • Their name, along with a link to edit the detection
  • Their triggering trend, as a sparkline (last 24hrs by default)
  • Their status (enabled/disabled)
  • Their source (application, etc.)
  • Their related security domain
  • Their type (Detection, Supporting, Hunting, etc.)
  • The main SPL Command used for the underlying search
  • If the detection uses a Machine Learning model or not
  • Any Adaptive Response actions used (Notable, Risk, etc.)
  • The risk score assigned, when relevant
  • Any potential issues

Note

The checks that look for potential issues are also configurable (add/enable/disable/edit/delete), see the Configuration section below for more details.

Detection Details

Any row can similarly be expanded here as well to provide more information:

Detection Details Expanded

The next panel provides a view into any detection making use of special Asset Categories (from the Assets & Identities framework in ES) in its detection logic. This lets users see those category values and where they are used, so they can better use, maintain and track them if desired.

Example

As an example, the ES Content Update detection ESCU - Detect New Login Attempts to Routers - Rule uses the category value router to identify the router devices in the environment. That dependency is easy to miss unless you investigate rules very closely when you roll them out.

Clicking on the Category Value will open a drilldown search that will show you any Assets using this category value in your environment.

Detection Details

Finally, this tab also shows any changes to Security Detection over the selected time window:

Detection Changes

Note

The screenshot shown above is for Splunk Enterprise. This feature is a little more limited on Splunk Cloud at the moment because the _configTracker internal index is not available there. If this is a feature that would be valuable to you, I would encourage you to vote for it to be considered/added here.


MITRE Att&ck Details Tab

The MITRE Att&ck Details tab shows you details around your detections and how they map to the MITRE Att&ck security framework. You can optionally view different versions of the MITRE matrices (Enterprise, ICS, Mobile, Containers, etc.). You'll be presented with:

  • Your current detection coverage
  • The additional coverage available but currently not in use
  • Coverage for other external solutions, if provided (see the Lookups section)

Detection Coverage MITRE

  • Triggered detections coverage

Triggered Detection Coverage MITRE

  • How your posture has evolved vs. MITRE based on changes to your Security Detections over time

Detection Changes Coverage MITRE

Tip

Added detections are simply counted as +1 while removed ones count as -1. This allows the visualization to show you how your posture over MITRE techniques evolved over time.


Risk Based Alerting Details Tab

The Risk Based Alerting Details tab will give you insight into your Risk Based Alerting enabled detections, specifically.

It shows:

  • The number of detections that are Risk Rules (indicated by the use of the Risk Analysis AR Action) out of all detections
  • Of those, how many have at least one Risk Object configured (normally should be 100%)
  • Of those, how many have at least one Threat Object configured
  • Views into the Risk Objects and Threat Objects used and in which detection(s)
  • A view into configured Risk Factors and if/how they are effectively used
  • Risk Messages that might be missing or invalid
  • Recommendations of potential output fields which might be leveraged as additional Risk Objects
  • Recommendations of potential output fields which might be leveraged as additional Threat Objects

It also provides details of common misconfigurations and/or valuable suggestions of potential Risk Objects/Threat Objects that might be added, based on the fields the detection provides in its output.

Risk Based Alerting Details


Scheduling Details Tab

The Scheduling Details tab provides an overview of your Security Detections' scheduling and optionally also lets you see scheduled alerts and saved searches:

Scheduled Detections

Next, details on Scheduled Searches are also displayed, providing you with a clear view of anything related to scheduling your detections as well as potential issues:

Scheduled Search Details

Tip

The checks that look for potential issues are also configurable (add/enable/disable/edit/delete), see the Configuration section below for more details.

Additionally, a grouping by CRON schedule gives you an effective view into potential bottlenecks:

Scheduled Search Grouped

Tip

This is a great way to find misconfigured detections and/or CRON schedules that are overused.

The last panel on this tab gives you a visual overview of your scheduled searches distribution:

Scheduled Search Distribution

Performance Details Tab

The Performance Details tab gives users insight into the various concurrency search limits as well as detailed insight into search activity/volume/contention and performance.

Search Limits - Performance


Auditing Tab

The Audit tab allows users to see how detections fare against currently enabled audit checks (see the Configuration tab for those) and quickly see which checks are failing and how one might be able to correct them.

Audit

Any detection's row can be expanded to see audit result details:

Audit Details

Note

Only enabled checks which are of type detection or scheduling are considered here. Audit checks typically provide details on how a failed check can be fixed/remediated and that is also configurable on the Configuration tab.

Tip

A general auditing report (DetectionInsight - Auditing Report) is also available under the report section if required.

Audit Report


Configuration Tab

The Configuration tab allows users to manage audit checks, which includes the check name, type, logic as well as describing how to correct any issues found by those. The application provides a sizeable list of predefined checks, which you should review and adapt to your organization's best practices and operational requirements/preferences.

Note

A reference list of those is available here.

Configuration

You can control all the checks performed and displayed by the app via the Configuration tab. This allows users to add new checks as well as disable/enable/modify/delete existing ones. A check is basically the result of an eval statement, based on the fields provided by the base search, indicating whether an issue is present or not.

See the configuration section for more details on configuring checks.
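To illustrate the kind of eval-based check described above, and the grouping by CRON schedule used on the Scheduling Details tab, here is an added SPL search that is not part of the app and does not use the app's own base search or check format. It reads correlation searches from the Splunk REST endpoint and assumes the standard savedsearches.conf attributes that Enterprise Security writes (action.notable, action.risk, alert.suppress, action.correlationsearch.annotations, cron_schedule); the threshold of 10 searches per CRON schedule is a constructed example value.

```spl
| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| search action.correlationsearch.enabled=1
| rename eai:acl.app AS app
| eval status=if(disabled=1, "disabled", "enabled")
| eval check_no_notable_or_risk=if(coalesce('action.notable',"0")="1" OR coalesce('action.risk',"0")="1", null(), "No Notable or Risk action configured")
| eval check_no_throttling=if(coalesce('alert.suppress',"0")="1", null(), "Throttling not configured")
| eval check_no_mitre=if(match(coalesce('action.correlationsearch.annotations',""), "mitre_attack"), null(), "No MITRE ATT&CK annotation")
| eventstats count AS searches_on_same_cron BY cron_schedule
| eval check_cron_overused=if(searches_on_same_cron > 10, "CRON schedule shared by ".searches_on_same_cron." searches", null())
| table title app status cron_schedule searches_on_same_cron check_*
| where isnotnull(check_no_notable_or_risk) OR isnotnull(check_no_throttling) OR isnotnull(check_no_mitre) OR isnotnull(check_cron_overused)
```

Each check_* field is null when the detection passes and carries a short remediation hint when it fails, so the final where clause leaves only detections with at least one issue to review.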


Next Step

What's Next? Learn more about how to install the application.

Notes & Feedback

I plan to keep on improving this application, for example by adding additional checks, reporting more potential issues, displaying scheduling bottlenecks in a better manner, allowing updates to underlying configurations directly, improving filters for auditing, etc.

If you have feedback on this application for Splunk ES (improvement ideas, issues, questions), feel free to reach out via Splunk Answers.

This app was run through AppInspect and any issues corrected to the best of my knowledge.

⭐ Credits

  • Thanks to people who provided help, support and initial feedback on this app. You know who you are!
  • Thanks for the great suggestions Dean Luxton!
  • Thanks for the sizeable support getting this app through the publishing process and on Splunkbase from the Splunk Security Product Labs (S2PL) team.
  • Many thanks to Mohammed Latif for the amazing MITRE Heat Map Visualization.
  • Inspiration from the great work done by Gabriel Vasseur.
  • Modal dialog code from the awesome Splunk Dev for All app by current and former Splunkers.
  • Message "Toasts" functionality from the JQuery Toast Plugin available here.
  • How Splunk Search Concurrency works diagram based on work and with support from Gerry D'Costa.
  • Tabs feature sourced very heavily from the blog post by Luke Murphey.