-
Notifications
You must be signed in to change notification settings - Fork 331
Detection Analytic Types
Lou Stella edited this page May 16, 2024
·
8 revisions
Splunk Security Content detections has a field called type these types will drive workflow in the future on the product, below are the current proposed types:
See https://car.mitre.org/Glossary for inspiration.
| Type | Description | Example |
|---|---|---|
| TTP | A TTP analytic is designed to detect a certain adversary tactic, technique or procedure. | Attempted Credential Dump From Registry via Reg exe |
| Baseline | A posture analytic is designed to help in the maintenance of the analytic or create a baseline of data for detections to leverage. | Baseline Of Cloud Instances Launched |
| Anomaly | An anomaly analytic triggers on behavior that is not normally observed. Anomalous may not be explicitly malicious but may be suspect. For example, detection of executables that have never been run before or a process using the network which does not normally use the network. Like Situational Awareness analytics, anomaly analytics don’t necessarily indicate an attack. | Abnormally High Number Of Cloud Infrastructure API Calls |
| Hunting | A detection that increases the risk of an asset or entity, although tends to be too noisy to generate a notable event by itself. It leverages aggregated risk from various other detections to produce a notable. Also known as hunting queries. | Common Ransomware Extensions |
| Correlation | An analytic that correlates various detection results to correlate a high level threat and its primary purpose is to generate a notable. | Spreading Ransomware Infection |
| Investigation | An analytic that is used to investigate an entity or asset, usually executed after another analytic type finds results as a next step in the workflow. They are executed after a result is found as | AWS Investigate User Activities By ARN |
Below is a table showing how each type is configured out of the box in ESCU.
| Analytic Type | Generates Notable | Increases Risk (RBA) | Triggers Playbook | Tied to a Dashboard | Runs on CRON Schedule | Enabled OOB |
|---|---|---|---|---|---|---|
| Hunting | No | No | No | Yes | No | No |
| TTP | Yes | Yes | Yes | No | Yes | No |
| Baseline | No | Yes | Yes | No | Yes | No |
| Anomaly | No | Yes | No | No | Yes | No |
| Correlation | Yes | No | Yes | No | Yes | Yes |
| Investigation | No | No | Yes | No | No | No |