Creating Custom Content in Splunk Security Essentials

Splunk Security Essentials is a free app that you can install into Splunk that includes many out-of-the-box alerts for security use cases. These alerts are called Security Content.

You can create your own Custom Security Content in Security Essentials using the Scanner search commands, allowing you to get coverage on log sources you have in S3.

Scanner users will often take a high-volume log source that is expensive to ingest directly into Splunk (eg. AWS CloudTrail, DNS logs, XDR logs, etc.) and store them in S3. They then point Scanner's indexers at those logs and configure Splunk to search those logs via Scanner commands and create alerts. This gives them alert coverage on high-volume log sources for much less cost.

Here is how you can get started creating custom security content that uses Scanner's commands.

Option 1: Clone existing content, then convert it to use Scanner search commands

  1. Navigate to Splunk Security Essentials in your app sidebar.

  2. Click Content in the top navigation bar and select Security Content.

  3. Search for content you would like to duplicate into Scanner.

    1. For example, let's say you have moved your AWS CloudTrail logs into S3 for Scanner search.

    2. Click Data Sources dropdown. Click Clear all to clear the filters. Select AWS.

  4. Click on a tile containing security content you'd like to translate to Scanner.

  5. Click on the Clone this Content into Custom Content button.

  6. Fill out the Required fields in the content, like Alert Volume, Severity, etc. You can initially guess at what these values should be and edit later.

  7. Click Search fields.

  8. Edit the query such that it uses a Scanner command to fetch data, like | scannertable q="..." as the first command in the query pipeline.

    1. You may have to make some changes to the query. Scanner does not support all of of Splunk's query language features.

    2. It can be beneficial to iterate on the query in a Search view first, and then copy-paste the result into the query box in your content.

  9. When you are done, you can open the content in search and create an alert from it.

Option 2: Create new content

  1. Navigate to Splunk Security Essentials in your app sidebar.

  2. Click Content in the top navigation bar and select Custom Content.

  3. Click Add Custom Content.

  4. Fill in the Required fields. You can optionall fill in the Metadata fields and Descriptive fields as well.

  5. In Search fields, enter a query that uses a Scanner command to fetch data, like | scannertable q="...".

Example: Converting Security Content related to AWS CloudTrail CreateAccessKey events

In Splunk Security Essentials, there is built-in security content called ASL AWS CreateAccessKey. The Splunk query looks something like this:

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` |`asl_aws_createaccesskey_filter`

The original Splunk query is fairly advanced, but a simpler and similarly effective query using the Scanner search command is the following:

| scannertable q="%ingest.source_type: 'aws:cloudtrail' and 
  eventName: 'CreateAccessKey' and 
  (not errorCode: *)
  | rename 
    responseElements.accessKey.userName as createdForUser, 
    userIdentity.arn as createdByArn
  | stats 
    count() as createAccessKeyCount, 
    min(eventTime) as firstTime, 
    max(eventTime) as lastTime 
    by createdByArn, createdForUser"

We recommend iteratively developing your security content queries in the Search view in Splunk, and then copy-pasting the result into your Custom Security Content. Even better, you might want to iterate on the query in the Search view in Scanner to use Scanner's strong auto-complete functionality.

PreviousDashboardsNextScanner for Grafana

Last updated