Correlation by Repository and Risk

Description

This search correlations detections by repository and risk_score

Type: Correlation
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
Datamodel:
Last Updated: 2021-09-06
Author: Patrick Bareiss, Splunk
ID: 8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687

ATT&CK

ID	Technique	Tactic
T1204.003	Malicious Image	Execution

T1204

User Execution

Execution

Search

`signals` 
| fillnull 
| stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository 
| sort - risk_score 
| where risk_score > 80 
| `correlation_by_repository_and_risk_filter`

Associated Analytic Story

Dev Sec Ops

How To Implement

For Dev Sec Ops POC

Required field

_time

Kill Chain Phase

Actions on Objectives

Known False Positives

unknown

RBA

Risk Score	Impact	Confidence	Message
70.0	70	100	Correlation triggered for user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1

Twitter Facebook LinkedIn