Checks Reference
The following table lists all checks provided by the application, for reference.

Check ID | Name | Type | Default Status | Description
---|---|---|---|---
CHKDET0001 | Data Model with Errors | Detection | Active | Detection relies on data from a Data Model that reported errors when Splunk attempted to accelerate data in it |
CHKDET0002 | Deprecated Data Model | Detection | Active | Detection is based on a Deprecated Data Model |
CHKDET0003 | Description Missing | Detection | Active | Detection does not have a description |
CHKDET0004 | Empty Data Model | Detection | Active | Detection relies on data from a Data Model that has no data |
CHKDET0005 | RBA - Generates Zero Risk | Detection | Active | Detection does not add risk |
CHKDET0006 | Missing ML Model | Detection | Active | Detection relies on a machine learning model which is missing |
CHKDET0007 | No Actions Defined | Detection | Active | Detection has no Adaptive Response action defined |
CHKDET0008 | No Security Domain | Detection | Active | Detection has no Security Domain |
CHKDET0009 | Non-accelerated Data Model | Detection | Active | Detection relies on a Data Model which is not accelerated |
CHKDET0010 | Not as per Naming Convention | Detection | Inactive | Detection does not follow the naming convention
CHKDET0011 | Not Mapped to MITRE | Detection | Active | Detection is not mapped to the MITRE ATT&CK Framework (Annotations) |
CHKDET0012 | Owner no longer a User | Detection | Active | Detection owner is no longer a Splunk user |
CHKDET0013 | RBA - Significant Risk Score Deviation | Detection | Active | Detection has a significant Risk Score deviation from average |
CHKDET0014 | Application Context is not as expected | Detection | Active | Detection is in an unexpected Application Context |
CHKDET0015 | Trigger alert when not set to: Number of Results | Detection | Active | Detection is not set to trigger based on the number of results |
CHKDET0016 | Trigger is not set to: For Each Result | Detection | Active | Detection is not set to trigger once for each result |
CHKDET0017 | Throttling Window should be 4h or more | Detection | Active | Detection Throttling Window is very small |
CHKDET0018 | Fields to group by should be set | Detection | Active | Detection has no fields to Throttle by |
CHKDET0019 | RBA - Risk Message should be set | Detection | Active | Detection is missing a Risk Message |
CHKDET0020 | RBA - Risk Score should be set | Detection | Active | Detection is missing a Risk Score |
CHKDET0021 | Search has non-ASCII characters | Detection | Active | Detection has non-human-readable characters
CHKDET0022 | Search is not properly formatted | Detection | Active | Detection is not properly formatted |
CHKDET0023 | Detection uses CIM fields directly | Detection | Active | Detection uses CIM fields with raw data, which can lead to performance issues |
CHKDET0024 | Detection uses an incorrect Private Network CIDR Range | Detection | Active | Detection is using incorrect filters to look for RFC1918 networks |
CHKDET0025 | Uses SPL commands with known limits | Detection | Active | Detection uses commands known to cause performance issues |
CHKDET0026 | Use of ESCU detection marked Deprecated | Detection | Active | Detection is marked as Deprecated by the Splunk Threat Research Team in ESCU |
CHKDET0027 | tstats command without summariesonly macro | Detection | Active | Detection does not use the summariesonly macro |
CHKDET0028 | Contributing Events Search Missing | Detection | Active | Detection does not have any drilldown search |
CHKDET0029 | No Next Steps Defined | Detection | Active | Detection does not have Next Steps defined |
CHKDET0030 | RBA - No Risk Object Defined | Detection | Active | Detection (Risk Rule) without a Risk Object defined |
CHKDET0031 | RBA - No Threat Object Defined | Detection | Active | Detection (Risk Rule) without a Threat Object defined |
CHKDET0032 | High False Positive Ratio | Detection | Active | Detection has a high ratio of False Positives based on dispositions |
CHKDET0033 | Possibly incompatible command for Index time search | Detection | Active | Detection has a command that is not usually compatible with this time configuration |
CHKDET0034 | Search could use TERM() for improved performance | Detection | Active | Detection SPL could potentially make use of the TERM() predicate to improve performance |
CHKDET0035 | Possible Incorrect Token Syntax in Risk Message | Detection | Active | Detection Risk Message likely has an invalid token |
CHKDET0036 | Detection is missing SPL comments | Detection | Inactive | Detection SPL should make use of comments to document its logic |
CHKOVR0001 | Detection generates Notable Events | Overview | Active | Detection generates Notable Events |
CHKOVR0002 | Detection generates Risk | Overview | Active | Detection generates Risk (it's a Risk Rule) |
CHKOVR0003 | Detection has a Contributing Event Search | Overview | Active | Detection has at least one drilldown search |
CHKOVR0004 | Detection has Next Steps Defined | Overview | Active | Detection has Next Steps defined |
CHKOVR0005 | Detection is mapped to Atomic Red Team Tests | Overview | Inactive | Detection is mapped to an Atomic Red Team test (Annotations) |
CHKOVR0006 | Detection is mapped to KillChain | Overview | Active | Detection is mapped to the Killchain Security Framework |
CHKOVR0007 | Detection is mapped to MITRE Att&ck | Overview | Active | Detection is mapped to the MITRE ATT&CK Security Framework |
CHKOVR0008 | Detection uses Threat Intelligence Management Action | Overview | Active | Detection uses Splunk TIM Adaptive Response actions |
CHKOVR0009 | Detection is Throttled | Overview | Active | Detection is throttled |
CHKOVR0010 | Detection uses Other Actions | Overview | Active | Detection uses other actions (than Notable/Risk) |
CHKOVR0011 | Risk Rule with Risk Object Defined | Overview | Active | Detection is a Risk Rule with a Risk Object defined |
CHKOVR0012 | Risk Rule with Threat Object Defined | Overview | Active | Detection is a Risk Rule with a Threat Object defined |
CHKOVR0013 | Detection has multiple Contributing Event Searches | Overview | Active | Detection has multiple Drilldown Searches defined |
CHKOVR0014 | Detection has a Security Domain Defined | Overview | Inactive | Detection has a Security Domain defined |
CHKOVR0015 | Detection is based on Index time | Overview | Active | Detection uses Index Time instead of Event Time |
CHKOVR0016 | Detection has a Drilldown Dashboard | Overview | Active | Detection is configured to allow Drilldown to one or more dashboard(s) |
CHKOVR0017 | Detection has Default Values Set | Overview | Active | Detection is configured with default values for generated Notable Events
CHKSCH0001 | Does not permit use of allow_skew | Scheduling | Active | Detection has the allow_skew setting configured |
CHKSCH0002 | Active but not Scheduled | Scheduling | Active | Detection is enabled but not scheduled (should not happen from the UI) |
CHKSCH0003 | Part of overused CRON Schedule | Scheduling | Active | Detection is part of a very busy CRON schedule |
CHKSCH0004 | Real-time Scheduling | Scheduling | Active | Detection is scheduled in real-time mode |
CHKSCH0005 | Scheduled Window not Auto | Scheduling | Active | Detection is not configured with schedule_window=auto |