Splunk Lantern

Understanding the Event Sequencing engine

 

Your team is struggling with alert fatigue and too many false positives during incident review. You know that when seen together, certain notable events are more likely to represent a real threat than when they are seen in isolation. You want to limit your alerts to those groupings of notables, rather than individual occurrences.

Solution

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

The Event Sequencing engine allows you to create a group of correlation searches, with each subsequent one running only when specific notables occur. Within these searches, you specify which fields to extract. This process is similar to writing a script to automate steps that you would have to take manually when tracking a variety of notable events and variables through a variety of correlation searches. The sequence templates you create run as real-time searches, listening for incoming notable events and risk modifiers that are triggered by the correlation searches.

Configuration

You must be a Splunk Enterprise Security admin, or have the Edit Sequence Templates permission, to create sequenced events. When you have the correct permission:

  1. Navigate to Configure > Content > Content Management > Create New Content > Sequence Template.

    The results of the Sequence Templates are Sequenced Events, which you can select in the Search Type dropdown menu in Incident Review.

  2. Fill in the name and description.

Then, select your Start correlation search, Transition correlation searches, and End correlation search. For each one, you will have a variety of configuration options to select from. This includes defining whether the transitional searches must occur in a given order or whether they can occur in any order. For more information, see Create sequence templates in Splunk Enterprise Security.

Example

The following is an example of a sequenced event that can help you determine whether a user's account has been compromised. While each of the transition correlation searches (either taken from the library built into Splunk Enterprise Security or custom written) might generate many false positives on its own, when seen in combination with the start and end searches you can be confident that this is an incident worth your time to investigate.

  1. Start
    1. Brute Force Access Behavior Detected
  2. Transitions
    1. Unusually Long Command Line
    2. Uncommon Processes On Endpoint
    3. Web Uploads to Non-Corporate Sites by Users
    4. Suspicious Reg.exe Process
  3. End
    1. Abnormally High Number of Endpoint Changes by User
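To make the start/transition/end logic concrete, the following is an added Python simulation of how a sequence template like the one above consumes a stream of notable events (it is illustrative code, not Splunk's engine). It assumes notables are grouped per user, that every listed transition must be seen before the end search counts, and that the `ordered` flag mirrors the "given order or any order" option; the sample events are constructed.

```python
from dataclasses import dataclass, field

# Correlation search names from the example sequence above.
START = "Brute Force Access Behavior Detected"
TRANSITIONS = [
    "Unusually Long Command Line",
    "Uncommon Processes On Endpoint",
    "Web Uploads to Non-Corporate Sites by Users",
    "Suspicious Reg.exe Process",
]
END = "Abnormally High Number of Endpoint Changes by User"


@dataclass
class SequenceState:
    """Progress of one open sequence instance (one per grouping field, here the user)."""
    seen: list = field(default_factory=list)  # transition names observed so far


def run_sequence(events, ordered=False):
    """Simulate a sequence template over (user, rule_name) notables in arrival order.
    Assumption: a sequenced event fires only when the start notable, all transitions
    (in the listed order if ordered=True) and the end notable are seen for one user.
    Returns the users for which a sequenced event would be created."""
    states = {}      # user -> SequenceState, opened only by the start search
    sequenced = []
    for user, rule in events:
        if rule == START:
            states.setdefault(user, SequenceState())
            continue
        st = states.get(user)
        if st is None:
            continue     # transition/end notables without a start are noise on their own
        if rule in TRANSITIONS and rule not in st.seen:
            # any-order: accept any unseen transition; ordered: only the next expected one
            if not ordered or rule == TRANSITIONS[len(st.seen)]:
                st.seen.append(rule)
        elif rule == END and len(st.seen) == len(TRANSITIONS):
            sequenced.append(user)   # full chain observed: worth an analyst's time
            del states[user]
    return sequenced


# Constructed sample stream: alice completes the chain out of order, bob never starts.
SAMPLE_EVENTS = [
    ("alice", START),
    ("bob", "Uncommon Processes On Endpoint"),
    ("alice", "Uncommon Processes On Endpoint"),
    ("alice", "Unusually Long Command Line"),
    ("alice", "Web Uploads to Non-Corporate Sites by Users"),
    ("alice", "Suspicious Reg.exe Process"),
    ("bob", END),
    ("alice", END),
]

if __name__ == "__main__":
    print(run_sequence(SAMPLE_EVENTS))                # ['alice']
    print(run_sequence(SAMPLE_EVENTS, ordered=True))  # []
```

Bob's isolated notables never produce a sequenced event, which is exactly the false-positive reduction the template is meant to give you.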

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course will teach you how to use:

  • Security monitoring and incident investigation
  • Risk-based alerting
  • Assets and identities
  • Security domain dashboards
  • User intelligence
  • Web intelligence
  • Threat intelligence
  • Protocol intelligence

Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.