
Configuration

Ensuring the main lookups are created/populated

The application relies on lookups that need to be created initially by the following Lookup Generating Searches:

  • DetectionInsight - All Initial Checks - Lookup Gen
  • DetectionInsight - All Datamodels - Lookup Gen
  • DetectionInsight - All Dispositions - Lookup Gen
  • DetectionInsight - All Saved Searches - Lookup Gen

These searches maintain the backing lookups that drive most of the provided views. Lookups are used for performance reasons: they are currently much faster than the equivalent native REST call (approx. 15-20x).

Tip

Most of these have a default hourly schedule - feel free to adapt them according to your needs.

Upon first opening the new view, if the lookups have not been populated yet, the application will automatically run the relevant searches for you:

Initial Setup Dialog

Success

You can confirm that the lookup is properly populated separately by running the following search:

| inputlookup all_saved_searches.csv

If that returns events, it's correctly set up. The relevant Lookup Generating searches can also be found from the Reports tab in the application.

Warning

If any of these automatically run searches fail, just refresh the page. They should resume successfully.

Info

If you would prefer real-time data for saved searches/correlation rules instead of relying on a lookup that is updated at intervals (at the cost of a performance hit), you can change the base search in the provided dashboard from:

Base Search Default

to:

Base Search Alternative

That's it!

Adding the provided Dashboard/view to Enterprise Security

To add the provided view to your Splunk Enterprise Security installation, open Splunk Enterprise Security and, from the application navigation, go to Configure -> General -> Navigation. From there you can add the provided view directly using the Add New View button, or alternatively add a new collection and then add the view into that collection. The provided view is named Security Detections Insights. Be sure to save your changes to the navigation when done.

Provided Search Name

More details can be found here.

Here's an example of adding a new collection named Insights and then adding the provided view to it:

Navigation Example

After refreshing, the updated navigation should show your new collection and view:

Updated Navigation

Lookups

Two additional lookups are provided with this add-on to add contextual descriptions as tooltips for CIS20 controls and NIST functions/categories.

Additional MITRE product detections

Users can also optionally map MITRE detections from other products by adding the information to the other_mitre_detections_by_product.csv lookup file. Detections simply need to be mapped to the provided columns in that lookup:

Product,Detection,Additional_Information,Technique,Link

Note

The Additional_Information field can contain any reference information you see fit. Detection is the detection name; the Product field is used for the panel filter in the app. The Link field, which is optional, is used to link back to a webpage with details about the detection in question. Finally, the Technique field should follow the typical format for MITRE techniques, Tnnnn or Tnnnn.nnn, e.g. T1059, T1003.001.

For example:

Contrib Lookup Example

If you'd like to generate this file from all the contrib lookups, you can use this shell command (assuming awk is installed):

cd $SPLUNK_HOME/etc/apps/Splunk_App_for_Detection_Insights/lookups
awk FNR!=1 contrib/*.csv >> other_mitre_detections_by_product.csv
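The awk one-liner above concatenates whatever is in contrib/ as-is. The following is an added example (not part of the app or its lookups) of doing the same merge with validation: it checks that each contrib file carries the documented header, that every row has a Technique matching Tnnnn or Tnnnn.nnn, drops Sigma tactic tags such as attack.execution while converting attack.t1059.001 to T1059.001, and removes duplicate Product/Detection pairs so the lookup is not grown on every run. The sample CSV contents, file names and example.invalid URLs are constructed placeholders.

```python
import csv
import io
import re

# Added example, not part of the Splunk App for Detection Insights: merge
# "contrib" CSV files into the documented other_mitre_detections_by_product.csv
# layout and validate every row before it reaches the lookup.
HEADER = ["Product", "Detection", "Additional_Information", "Technique", "Link"]

# Tnnnn or Tnnnn.nnn (e.g. T1059, T1003.001), the format the lookup expects.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def normalize_techniques(raw):
    """Split a comma-separated Technique cell, strip the Sigma 'attack.' tag
    prefix (attack.t1059.001 -> T1059.001) and upper-case each token.
    Returns (kept, dropped): tokens that match Tnnnn/Tnnnn.nnn and tokens that
    do not (Sigma tactic tags such as attack.execution land in dropped)."""
    kept, dropped = [], []
    for tok in raw.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok.lower().startswith("attack."):
            tok = tok[len("attack."):]
        tok = tok.upper()
        (kept if TECHNIQUE_RE.match(tok) else dropped).append(tok)
    return kept, dropped


def merge_contrib(csv_texts):
    """csv_texts: mapping of file name -> CSV contents (header + rows).
    Returns (rows, problems): rows is the merged, de-duplicated lookup with a
    single header; problems explains every row that was skipped or cleaned."""
    rows, problems, seen = [HEADER], [], set()
    for name, text in csv_texts.items():
        reader = csv.reader(io.StringIO(text))
        header = next(reader, None)
        if header != HEADER:
            problems.append(f"{name}: header mismatch {header!r}, file skipped")
            continue
        for lineno, rec in enumerate(reader, start=2):
            if len(rec) != len(HEADER):
                problems.append(f"{name}:{lineno}: expected {len(HEADER)} columns, got {len(rec)}")
                continue
            product, detection, info, technique, link = (c.strip() for c in rec)
            if not product or not detection:
                problems.append(f"{name}:{lineno}: Product and Detection are mandatory")
                continue
            kept, dropped = normalize_techniques(technique)
            if not kept:
                problems.append(f"{name}:{lineno}: no valid Technique in {technique!r}, row skipped")
                continue
            if dropped:
                problems.append(f"{name}:{lineno}: ignored non-technique tag(s) {dropped}")
            key = (product, detection)
            if key in seen:
                problems.append(f"{name}:{lineno}: duplicate Product/Detection, row skipped")
                continue
            seen.add(key)
            rows.append([product, detection, info, ",".join(kept), link])
    return rows, problems


def to_csv(rows):
    """Serialize rows with proper quoting (multi-technique cells contain commas)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample inputs standing in for lookups/contrib/*.csv; the URLs are
# placeholders, not real rule links.
SAMPLES = {
    "sigma_mitre_detections.csv": """Product,Detection,Additional_Information,Technique,Link
SigmaHQ,Suspicious PowerShell Download,"Detects download cradles","attack.execution,attack.t1059.001",https://example.invalid/rule1
SigmaHQ,Tactic Only Rule,"Tag is a tactic, not a technique",attack.defense_evasion,https://example.invalid/rule2
""",
    "art_mitre_detections.csv": """Product,Detection,Additional_Information,Technique,Link
Atomic Red Team,T1003.001 - LSASS Memory,"Credential dumping test",T1003.001,https://example.invalid/T1003.001.md
Atomic Red Team,T1003.001 - LSASS Memory,"Credential dumping test",T1003.001,https://example.invalid/T1003.001.md
""",
    "living_off_the_land_binaries.csv": """Product,Detection,Additional_Information,Technique,Link
LOLBAS,Rundll32.exe,"Proxy execution of DLLs","T1218.011,T1218",https://example.invalid/Rundll32
""",
}


def build_lookup():
    """Run the merge over the constructed samples."""
    return merge_contrib(SAMPLES)


if __name__ == "__main__":
    rows, problems = build_lookup()
    print(to_csv(rows))
    for p in problems:
        print("WARN", p)
```

Running the script prints the merged lookup (header plus three rows) and three warnings: the dropped attack.execution tactic tag, the tactic-only Sigma row that has no technique, and the duplicate Atomic Red Team row. Writing the result to other_mitre_detections_by_product.csv with `>` rather than `>>` keeps the lookup idempotent across runs.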

Example

Working examples for the following are available under lookups/contrib:

Tip

Information added to this lookup will become available in the MITRE Att&ck Details tab if provided:

Additional Product MITRE Example

Generating the contrib lookups

SigmaHQ/Aurora EDR

Example

Here's an example (macOS/zsh) of generating the detection content provided with the Aurora EDR Agent, which is based on open source Sigma rules:

brew install yq
git clone git@github.com:SigmaHQ/sigma.git
cd sigma/rules
(echo "Product,Detection,Additional_Information,Technique,Link" && yq -N -o=csv '["SigmaHQ", .title, .description | trim | sub("\n", " "), .tags // [] | join(",") | sub("attack.t","T"), filename | sub("^\.","https://github.com/SigmaHQ/sigma/blob/master/rules/")]' ./**/*.yml) > sigma_mitre_detections.csv

Atomic Red Team

Example

Here's an example (macOS/zsh) of generating the detection content provided by Atomic Red Team, from their GitHub repository:

sudo pip install csvkit

(echo "Product,Detection,Additional_Information,Technique,Link" && curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/Indexes/Indexes-CSV/index.csv | csvcut -c 4,5,6,2 | awk '{if (NR!=1) {print "Atomic Red Team",$1 " - " $2,$3,$4,"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/"$4"/"$4".md"}}' FS=, OFS=,) > art_mitre_detections.csv

Recorded Future (needs a valid entitlement)

Example

Here's an example (macOS/zsh) of generating the Sigma rules detection content provided by Recorded Future from their API (a valid API token is required):

brew install jq

echo "Product,Detection,Additional_Information,Technique,Link" && curl -s --request POST --location "https://api.recordedfuture.com/detection-rule/search" -H "Content-Type: application/json" -H "accept: application/json" -H "X-RFToken:<REDACTED>" -d "{\"filter\": {\"types\": [\"sigma\"]}, \"limit\":\"200\"}" | jq --raw-output '.result[] | ["RecordedFuture", .title, .id, ([.rules[].entities[] | select(.type == "MitreAttackIdentifier").name] | join(",")), "https://app.recordedfuture.com/portal/analyst-note/shared/true/" + .id] | @csv' | grep -v '"","https://'

Living off the Land Binaries (LOLBAS)

Example

(echo "Product,Detection,Additional_Information,Technique,Link" && curl -s --location https://lolbas-project.github.io/api/lolbas.csv | csvcut -c 5,6,10,16 | awk '{if (NR!=1) {print "LOLBAS," $0}}') > living_off_the_land_binaries.csv

Configuring Checks

Multiple checks (50+) for common issues, auditing and best practices are provided by the app out of the box, with sensible defaults.

You can control all of those via the Configuration tab. You can for example disable/enable/modify/delete existing checks based on your preference or auditing policy and add new checks as required.

Configuration

Checks come in three different types according to where they are shown:

  • Overview Checks (shown on the Overview tab)
  • Detection Checks (shown on the Detection Details tab)
  • Scheduling Checks (shown on the Scheduling Details tab)

Note

The Detection and Scheduling checks are also used for performing Auditing.

These checks are based on the default set of fields provided by the following macros:

  • get_overview_additional_data_formatting
  • get_detection_additional_data_formatting
  • get_scheduling_additional_data_formatting

Tip

Feel free to adapt these if you need additional fields for your checks.

The list of fields available and an example of the logic syntax for each check is provided when adding a new check:

New Check

Info

Whenever a check is added, modified or deleted, a macro summarizing the logic of all the enabled checks is updated accordingly. For reference, those macros are:

  • get_overview_counts (Overview Checks)
  • check_for_issues (Detection Checks)
  • check_for_scheduling_issues (Scheduling Checks)

Drilldown/Linking to a Specific Tab in Detection Insights

Because this application was built as a single dashboard with multiple tabs, linking to a specific tab by normal means is harder. To support this from other applications, a special URL parameter/token named form.showTabIndex was implemented. It passes the tab that should be displayed initially when linking to the application, identified by its index (0 based).

Example

Here's an illustrated example: Using showTabIndex