Your team is struggling with alert fatigue and too many false positives during incident review. You know that when seen together, certain notable events are more likely to represent a real threat than when they are seen in isolation. You want to limit your alerts to those groupings of notables, rather than individual occurrences.
The Event Sequencing engine allows you to create a workflow of correlation searches, with each subsequent one running only when specific notables occur. Within this workflow, you can also specify which fields to extract. This process is similar to writing a script to automate steps that you would have to take manually when tracking a variety of notable events and variables through a variety of correlation searches. The templates run as real-time searches and listen for incoming notable events
and risk modifiers that are triggered by the correlation searches.
You must be a Splunk Enterprise Security admin, or have the Edit Sequence Templates permission, to create sequenced events. When you have the correct permission:
- Navigate to Configure > Content > Content Management > Create New Content > Sequence Template.
The results of the Sequence Templates are Sequenced Events, which you can select in the Search Type dropdown menu in Incident Review.
- Fill in the name and description.
Then, select your Start correlation search, Transition correlation searches, and End correlation search. For each one, you will have a variety of configuration options to select from. This includes defining whether the transitional searches must occur in a given order or whether they can occur in any order. For more information, see Create sequence templates in Splunk Enterprise Security.
The following is an example of a sequenced event that can help you determine if a user's account has been compromised. While each of the transition correlation searches (either taken from the library or custom written) built into Splunk Enterprise Security) alone might generate a lot of false positives, when seen in combination with the start and end searches, you can be confident that this is an incident worth your time to investigate.
- Brute Force Access Behavior Detected
- Unusually Long Command Line
- Uncommon Processes On Endpoint
- Web Uploads to Non-corporate Sites by Users
- Suspicions Reg.exe Process
- Abnormally High Number of Endpoint Changes by User
If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course will teach you how to use:
- Security monitoring and incident investigation
- Risk-based alerting
- Assets and identities
- Security domain dashboards
- User intelligence
- Web intelligence
- Threat intelligence
- Protocol intelligence
Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.