Analytics Story: Critical Alerts
Description
This analytic story contains detections that monitor critical alert data from security tools ingested into Splunk. By correlating these alerts and enriching them with MITRE ATT&CK annotations and other risk events, it offers a nuanced perspective on potential threats and on your organization's security posture.
Why it matters
Monitoring alerts from security tools is crucial because they act as an early warning system for potential threats. High and critical alerts signal serious issues that could compromise your systems if not addressed promptly. By keeping an eye on these alerts, you can quickly identify and respond to threats, minimizing damage and protecting sensitive data. This proactive approach not only strengthens your security posture but also ensures you are ready to meet compliance requirements by maintaining a detailed record of significant security events. The rules in this story integrate and assess critical alerts from endpoint, DLP, and firewall sources in Splunk. By correlating alerts and adding MITRE annotations, they provide a comprehensive view of customer risk. A rule triggers when critical alerts are detected, preserving the originating source and assigning risk scores, which helps security analysts understand threats and respond effectively.
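As an added illustration (not the story's own Splunk search), the following Python models the flow described above: high and critical alerts normalized to the CIM Alerts data model fields are turned into risk events that keep the originating sourcetype, carry a MITRE ATT&CK annotation, and can be summed per risk object. The sample alerts, the risk-score mapping, and the `mitre_technique_id` field are assumptions constructed for the example.

```python
"""Model of a critical-alert detection producing risk events (constructed example)."""
from collections import defaultdict

# Constructed sample events using CIM Alerts field names; sourcetypes are the
# ones listed in this story's Data Sources table.
SAMPLE_ALERTS = [
    {"sourcetype": "ms:defender:atp:alerts", "vendor_product": "Microsoft Defender ATP",
     "severity": "high", "signature": "Suspicious PowerShell command line",
     "dest": "ws-finance-07", "user": "jdoe", "mitre_technique_id": "T1059.001"},
    {"sourcetype": "aws:securityhub:finding", "vendor_product": "AWS Security Hub",
     "severity": "critical", "signature": "IAM user access key exposed",
     "dest": "", "user": "deploy-bot", "mitre_technique_id": "T1552"},
    {"sourcetype": "ms365:defender:incident:alerts", "vendor_product": "Microsoft 365 Defender",
     "severity": "informational", "signature": "Scheduled scan completed",
     "dest": "ws-hr-02", "user": "", "mitre_technique_id": ""},
]

# Assumed risk-score mapping; the story's real scores are not given on this page.
RISK_SCORE = {"critical": 100, "high": 75}


def to_risk_events(alerts):
    """Keep only high/critical alerts and emit one risk event per alert,
    preserving the source and attaching the MITRE annotation."""
    events = []
    for a in alerts:
        score = RISK_SCORE.get(a.get("severity", "").lower())
        if score is None:
            continue  # medium/low/informational alerts are not critical
        # Attribute risk to the host when known, otherwise to the user
        # (cloud IAM findings often have no host).
        if a.get("dest"):
            risk_object, risk_type = a["dest"], "system"
        elif a.get("user"):
            risk_object, risk_type = a["user"], "user"
        else:
            continue  # nothing to attribute the risk to
        technique = a.get("mitre_technique_id") or ""
        events.append({
            "risk_object": risk_object, "risk_object_type": risk_type,
            "risk_score": score, "signature": a["signature"],
            "vendor_product": a["vendor_product"], "orig_sourcetype": a["sourcetype"],
            "annotations.mitre_attack": [technique] if technique else [],
        })
    return events


def risk_by_object(events):
    """Sum risk per object, as a risk-notable threshold would evaluate it."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["risk_object_type"], e["risk_object"])] += e["risk_score"]
    return dict(totals)
```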
Detections
| Name | Technique | Type |
|---|---|---|
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly |
| Detect Spike in AWS Security Hub Alerts for User | None | Anomaly |
| Detect Critical Alerts from Security Tools | None | TTP |
| Microsoft Defender ATP Alerts | None | TTP |
| Microsoft Defender Incident Alerts | None | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Security Hub | AWS | aws:securityhub:finding | aws_securityhub_finding |
| MS Defender ATP Alerts | N/A | ms:defender:atp:alerts | ms_defender_atp_alerts |
| MS365 Defender Incident Alerts | N/A | ms365:defender:incident:alerts | ms365_defender_incident_alerts |
| Windows Defender Alerts | Windows | mscs:azure:eventhub:defender:advancedhunting | eventhub://windowsdefenderlogs |
Source: GitHub | Version: 1