Description

This search correlates detections by repository and risk_score.

  • Type: Correlation
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-06
  • Author: Patrick Bareiss, Splunk
  • ID: 8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687

ATT&CK

ID        | Technique       | Tactic
T1204.003 | Malicious Image | Execution
T1204     | User Execution  | Execution

Search

`signals` 
| fillnull 
| stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository 
| sort - risk_score 
| where risk_score > 80 
| `correlation_by_repository_and_risk_filter`
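The aggregation above is easy to misread (the threshold applies to the summed risk per repository, not to any single detection). The following Python is an added example, not Splunk's code or part of this detection: it re-implements the `fillnull` / `stats sum(...) values(...) by repository` / `sort` / `where` pipeline over a few constructed events that stand in for what the `signals` macro would return, so the per-repository roll-up and the `> 80` cut-off can be checked by hand. Field names match the search; the event values and the `risk_messages` helper (which renders the RBA message template) are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample events standing in for the rows the `signals` macro would
# return: one row per DevSecOps detection that fired. Values are made up.
SAMPLE_SIGNALS: List[Dict] = [
    {"repository": "org/payments-api", "source": "GitHub Dependabot Alert",
     "user": "alice", "risk_score": 50},
    {"repository": "org/payments-api", "source": "Container Image Scan Critical",
     "user": "alice", "risk_score": 40},
    {"repository": "org/docs-site", "source": "GitHub Dependabot Alert",
     "user": "bob", "risk_score": 20},
    # No user on this one: `fillnull` replaces the missing field with 0.
    {"repository": "org/ci-runner", "source": "Unknown Image Pulled",
     "risk_score": 85},
]

# Splunk's `fillnull` with no arguments fills null fields with the value 0.
FILLNULL_VALUE = "0"


def _fill(ev: Dict, field: str):
    """Mirror `| fillnull`: a missing or None field becomes 0."""
    val = ev.get(field)
    return FILLNULL_VALUE if val is None else val


def correlate_by_repository(events: List[Dict], threshold: float = 80) -> List[Dict]:
    """Re-implement the SPL pipeline:
       stats sum(risk_score) as risk_score values(source) as signals
             values(user) as user by repository
       | sort - risk_score | where risk_score > threshold
    Returns one row per repository whose summed risk exceeds the threshold,
    highest risk first. `values()` yields distinct values, so sets are used."""
    agg: Dict[str, Dict] = {}
    for ev in events:
        repo = str(_fill(ev, "repository"))
        row = agg.setdefault(repo, {"repository": repo, "risk_score": 0.0,
                                    "signals": set(), "user": set()})
        # sum(risk_score): per-detection scores add up per repository.
        row["risk_score"] += float(_fill(ev, "risk_score"))
        # values(source) / values(user): distinct values, order not significant.
        row["signals"].add(str(_fill(ev, "source")))
        row["user"].add(str(_fill(ev, "user")))

    rows = [{"repository": r["repository"], "risk_score": r["risk_score"],
             "signals": sorted(r["signals"]), "user": sorted(r["user"])}
            for r in agg.values()]
    # sort - risk_score: descending by summed risk.
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    # where risk_score > threshold: only repositories over the cut-off survive.
    return [r for r in rows if r["risk_score"] > threshold]


def risk_messages(rows: List[Dict]) -> List[str]:
    """Render the RBA message template for each correlated row (assumed helper;
    the real RBA engine substitutes $user$ with the field's values itself)."""
    return [f"Correlation triggered for user {','.join(r['user'])}" for r in rows]


if __name__ == "__main__":
    for row in correlate_by_repository(SAMPLE_SIGNALS):
        print(row)
    print(risk_messages(correlate_by_repository(SAMPLE_SIGNALS)))
```

Note that `org/payments-api` is reported although neither of its detections alone scores above 80; two medium signals on one repository are what the correlation is designed to surface. The filled `0` user on the `org/ci-runner` row is the same artifact a real run would show, which is worth knowing when reading the resulting risk message.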

Associated Analytic Story

How To Implement

For Dev Sec Ops POC

Required field

  • _time

Kill Chain Phase

  • Actions on Objectives

Known False Positives

unknown

RBA

Risk Score | Impact | Confidence | Message
70.0       | 70     | 100        | Correlation triggered for user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1