5.2 ‐ Detection Types and Status
Bhavin Patel edited this page Oct 9, 2024 · 1 revision
Splunk Security Content detections have a field called `type`. These types will drive workflow in the product in the future; the currently proposed types are listed below.
See https://car.mitre.org/Glossary for inspiration.
Type | Description | Example |
---|---|---|
TTP | A TTP analytic is designed to detect a certain adversary tactic, technique or procedure. | Attempted Credential Dump From Registry via Reg exe |
Baseline | A baseline analytic is designed to help maintain other analytics or to build a baseline of data that detections can leverage. | Baseline Of Cloud Instances Launched |
Anomaly | An anomaly analytic triggers on behavior that is not normally observed. Anomalous behavior may not be explicitly malicious but may be suspect; for example, an executable that has never been run before, or a process using the network that does not normally do so. Like Situational Awareness analytics, anomaly analytics do not necessarily indicate an attack. | Abnormally High Number Of Cloud Infrastructure API Calls |
Hunting | A detection that increases the risk of an asset or entity but tends to be too noisy to generate a notable event by itself; it relies on risk aggregated from other detections to produce a notable. Also known as hunting queries. As configured in ESCU (see the table below), hunting searches are not scheduled and are surfaced through a dashboard. | Common Ransomware Extensions |
Correlation | An analytic that correlates the results of other detections (for example, risk events raised by TTP and Anomaly detections) to surface a higher-level threat; its primary purpose is to generate a notable. | Windows Post Exploitation Risk Behavior |
Investigation | Searches that leverage tokens and are used in the prebuilt panels that ESCU (Enterprise Security Content Update) ships for the Investigative Workbench in Enterprise Security (ES). | AWS Investigate Security Hub alerts by dest |
Below is a table showing how each type is configured out of the box in ESCU.
Analytic Type | Generates Notable | Increases Risk (RBA) | Triggers Playbook | Tied to a Dashboard | Runs on CRON Schedule | Enabled OOB |
---|---|---|---|---|---|---|
Hunting | No | No | No | Yes | No | No |
TTP | Yes | Yes | Yes | No | Yes | No |
Baseline | No | Yes | Yes | No | Yes | No |
Anomaly | No | Yes | No | No | Yes | No |
Correlation | Yes | No | Yes | No | Yes | Yes |
Investigation | No | No | No | Yes | No | No |
Each detection also carries a `status` field:
Status | Explanation |
---|---|
Production | Fully tested detections, run in a Splunk Enterprise Security environment with the latest Splunk TAs installed against the associated attack data. |
Experimental | Detections that do not have associated attack data, either because we were not able to simulate the attack or because the attack data contains sensitive information that we could not publish to our attack data repository. |
Deprecated | Detections that are deprecated and no longer supported or maintained by Splunk. Usually the description of a deprecated detection has a note explaining why it was deprecated and whether a replacement detection is available. |
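As an added example (not code from the security_content project), the Python linter below checks a detection's `type` and `status` against the two tables on this page and renders the savedsearches.conf keys the out-of-the-box table implies. The sample detections are constructed and only mirror the YAML keys the repository uses (`type`, `status`, `tags.risk_score`, `tests[].attack_data`); the lint rules, the `$token$` regex, the `ESCU - <name> - Rule` stanza naming and the assumption that Investigation searches are not replayed against attack data are this example's own.

```python
import re

# Allowed values for the `type` and `status` fields of a detection YAML
# (status values are lower-case in the repository's YAML files).
ANALYTIC_TYPES = {"TTP", "Baseline", "Anomaly", "Hunting", "Correlation", "Investigation"}
STATUSES = {"production", "experimental", "deprecated"}

# Out-of-the-box ESCU behaviour per analytic type, transcribed from the table above.
OOB_FIELDS = ("notable", "risk", "playbook", "dashboard", "cron", "enabled")
OOB = {
    #                notable  risk   playbook dashboard cron   enabled
    "Hunting":       (False,  False, False,   True,     False, False),
    "TTP":           (True,   True,  True,    False,    True,  False),
    "Baseline":      (False,  True,  True,    False,    True,  False),
    "Anomaly":       (False,  True,  False,   False,    True,  False),
    "Correlation":   (True,   False, True,    False,    True,  True),
    "Investigation": (False,  False, False,   True,     False, False),
}

# Dashboard / Investigative Workbench token such as $dest$ (assumed token syntax).
TOKEN_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$")


def oob_config(analytic_type):
    """Return the out-of-the-box flags for one analytic type as a dict."""
    return dict(zip(OOB_FIELDS, OOB[analytic_type]))


def lint(det):
    """Return the list of problems found in one detection's metadata ([] means clean)."""
    problems = []
    t, s = det.get("type"), det.get("status")
    if t not in ANALYTIC_TYPES:
        return [f"unknown type {t!r}"]
    if s not in STATUSES:
        return [f"unknown status {s!r}"]
    cfg = oob_config(t)
    has_attack_data = any(test.get("attack_data") for test in det.get("tests", []))

    # Production detections are tested against attack data; experimental ones have none.
    # Investigation searches are token-driven panels, not replayed searches (assumption).
    if s == "production" and t != "Investigation" and not has_attack_data:
        problems.append("production detection has no tests with attack_data")
    if s == "experimental" and has_attack_data:
        problems.append("experimental detection ships attack_data; consider promoting it to production")
    if s == "deprecated" and "deprecat" not in det.get("description", "").lower():
        problems.append("deprecated detection should say why it was deprecated and name any replacement")

    # Types that raise risk out of the box need a risk_score for RBA to act on (assumption).
    if cfg["risk"] and "risk_score" not in det.get("tags", {}):
        problems.append(f"{t} detections increase risk but tags.risk_score is missing")
    # Investigation searches leverage tokens; without a $token$ the panel has nothing to fill in.
    if t == "Investigation" and not TOKEN_RE.search(det.get("search", "")):
        problems.append("Investigation search has no $token$ placeholder")
    return problems


def render_stanza(det):
    """Render the savedsearches.conf keys implied by the detection's type.

    Assumption: stanzas are named "ESCU - <name> - Rule". action.notable, action.risk,
    enableSched and disabled are real Splunk/ES keys; playbook and dashboard wiring are
    configured elsewhere and are not emitted here.
    """
    cfg = oob_config(det["type"])
    return [
        f"[ESCU - {det['name']} - Rule]",
        f"action.notable = {int(cfg['notable'])}",
        f"action.risk = {int(cfg['risk'])}",
        f"enableSched = {int(cfg['cron'])}",
        f"disabled = {int(not cfg['enabled'])}",
    ]


# Constructed sample detections mirroring the YAML keys used in security_content; not real repo content.
SAMPLES = {
    "ttp_production": {
        "name": "Example Credential Dump From Registry", "type": "TTP", "status": "production",
        "description": "Detects reg.exe saving a credential-bearing registry hive.",
        "search": '| tstats count from datamodel=Endpoint.Processes where Processes.process_name="reg.exe" by Processes.dest',
        "tags": {"risk_score": 63},
        "tests": [{"name": "True Positive Test", "attack_data": [
            {"data": "https://example.invalid/reg_save.log", "source": "XmlWinEventLog:Security", "sourcetype": "XmlWinEventLog"}]}],
    },
    "anomaly_experimental": {
        "name": "Example Abnormal API Call Volume", "type": "Anomaly", "status": "experimental",
        "description": "Flags an unusually high number of cloud API calls per user.",
        "search": "index=cloud sourcetype=aws:cloudtrail | stats count by user | where count > 1000",
        "tags": {"risk_score": 25}, "tests": [],
    },
    "hunting_deprecated": {
        "name": "Example Ransomware Extensions", "type": "Hunting", "status": "deprecated",
        "description": "Looks for file writes with common ransomware extensions.",
        "search": "index=endpoint file_name=*.locky | stats count by dest", "tags": {}, "tests": [],
    },
    "investigation_no_token": {
        "name": "Example Investigate Security Hub Alerts", "type": "Investigation", "status": "production",
        "description": "Lists Security Hub findings for the selected host.",
        "search": "index=aws sourcetype=aws:securityhub | table _time dest Title", "tags": {}, "tests": [],
    },
}


def lint_all(samples=SAMPLES):
    """Lint every sample and return {key: [problems]} for those with findings."""
    return {k: p for k, p in ((k, lint(d)) for k, d in samples.items()) if p}


if __name__ == "__main__":
    for key, problems in lint_all().items():
        print(f"{key}: " + "; ".join(problems))
    print("\n".join(render_stanza(SAMPLES["ttp_production"])))
```

Run against the constructed samples, the two clean detections produce no findings, the deprecated hunting search is flagged for lacking a deprecation note, and the investigation search is flagged for having no token; `render_stanza` shows why a TTP ships disabled but scheduled while a Correlation search is the only type enabled out of the box.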