
Description

This search correlates detections by repository and sums their risk_score, surfacing repositories whose aggregate risk exceeds a threshold.

  • Type: Correlation
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2021-09-06
  • Author: Patrick Bareiss, Splunk
  • ID: 8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687

Annotations

ATT&CK
ID | Technique | Tactic
T1204.003 | Malicious Image | Execution
T1204 | User Execution | Execution
Kill Chain Phase
  • Actions on Objectives
NIST
  • PR.DS
  • PR.AC
  • DE.CM
CIS20
  • CIS 13
CVE
`signals` 
| fillnull 
| stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository 
| sort - risk_score 
| where risk_score > 80 
| `correlation_by_repository_and_risk_filter`
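The following Python is an added, offline model of what the SPL above does; it is not Splunk code and not part of the original page. It reproduces the `fillnull` → `stats sum(risk_score) ... by repository` → `sort` → `where risk_score > 80` pipeline over a handful of constructed risk events so the aggregation and threshold can be checked without a Splunk instance. The detection names, users and repository values are invented for illustration. It also shows a caveat worth knowing: `fillnull` with no arguments fills null fields with `0`, so events that carry a risk_score but no repository are not dropped by the `by repository` clause but grouped under a repository literally named "0".

```python
"""Offline model of the correlation search (added example, not Splunk code)."""
from collections import defaultdict

THRESHOLD = 80          # matches `where risk_score > 80`
FILLNULL_VALUE = "0"    # `fillnull` with no arguments uses 0

# Constructed sample events shaped like what the `signals` macro returns.
# Names, users and repositories are hypothetical.
SAMPLE_EVENTS = [
    {"source": "detection_a", "user": "alice", "repository": "org/app",   "risk_score": 50},
    {"source": "detection_b", "user": "alice", "repository": "org/app",   "risk_score": 40},
    {"source": "detection_c", "user": "bob",   "repository": "org/infra", "risk_score": 60},
    {"source": "detection_a", "user": "carol", "repository": None,        "risk_score": 85},
    {"source": "detection_a", "user": "dave",  "repository": "org/app",   "risk_score": None},
]


def fillnull(event, value=FILLNULL_VALUE):
    """Model of `| fillnull`: every null field becomes the fill value."""
    return {k: (value if v is None else v) for k, v in event.items()}


def correlate(events, threshold=THRESHOLD):
    """Model of `stats sum(risk_score) values(source) values(user) by repository`,
    then `sort - risk_score` and `where risk_score > threshold`."""
    by_repo = defaultdict(lambda: {"risk_score": 0.0, "signals": set(), "user": set()})
    for ev in (fillnull(e) for e in events):
        row = by_repo[ev["repository"]]
        row["risk_score"] += float(ev["risk_score"])
        row["signals"].add(ev["source"])   # values(source) as signals
        row["user"].add(ev["user"])        # values(user) as user
    results = [
        {
            "repository": repo,
            "risk_score": row["risk_score"],
            "signals": sorted(row["signals"]),
            "user": sorted(row["user"]),
        }
        for repo, row in by_repo.items()
    ]
    results.sort(key=lambda r: r["risk_score"], reverse=True)
    return [r for r in results if r["risk_score"] > threshold]


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

With the sample events, `org/app` reaches 90 (50 + 40 + 0) and is reported; `org/infra` stays at 60 and is filtered out; the event with no repository is reported under the repository "0" with a score of 85. If that last behaviour is unwanted in your environment, constrain the fill (for example `fillnull value=0 risk_score`) or add `| where repository!="0"` before the stats, or drop such results via the `correlation_by_repository_and_risk_filter` macro.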

Macros

The SPL above uses the following Macros:

  • signals
  • correlation_by_repository_and_risk_filter

Note that correlation_by_repository_and_risk_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time

How To Implement

For Dev Sec Ops POC

Known False Positives

unknown

Associated Analytic story

RBA

Risk Score | Impact | Confidence | Message
70.0 | 70 | 100 | Correlation triggered for user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1