https://api.splunkresearch.com/schemas/detections.json

An object that defines the parameters for detecting things using various Splunk capabilities.

| Abstract | Extensible | Status | Identifiable | Custom Properties | Additional Properties | Defined In |
|---|---|---|---|---|---|---|
| Can be instantiated | Yes | Experimental | No | Forbidden | Permitted | https://api.splunkresearch.com/schemas/detections.json |
| Property | Type | Required | Nullable | Defined by |
|---|---|---|---|---|
| asset_type | string | Optional | No | Detection Manifest (this schema) |
| baselines | object[] | Optional | No | Detection Manifest (this schema) |
| confidence | enum | Required | No | Detection Manifest (this schema) |
| creation_date | string | Required | No | Detection Manifest (this schema) |
| data_metadata | object | Required | No | Detection Manifest (this schema) |
| description | string | Required | No | Detection Manifest (this schema) |
| detect | object | Required | No | Detection Manifest (this schema) |
| eli5 | string | Required | No | Detection Manifest (this schema) |
| entities | enum[] | Optional | No | Detection Manifest (this schema) |
| how_to_implement | string | Required | No | Detection Manifest (this schema) |
| id | string | Required | No | Detection Manifest (this schema) |
| investigations | object[] | Optional | No | Detection Manifest (this schema) |
| known_false_positives | string | Required | No | Detection Manifest (this schema) |
| maintainers | object[] | Required | No | Detection Manifest (this schema) |
| mappings | object | Optional | No | Detection Manifest (this schema) |
| modification_date | string | Required | No | Detection Manifest (this schema) |
| name | string | Optional | No | Detection Manifest (this schema) |
| original_authors | object[] | Required | No | Detection Manifest (this schema) |
| product_type | enum | Required | No | Detection Manifest (this schema) |
| references | string[] | Optional | No | Detection Manifest (this schema) |
| responses | object[] | Optional | No | Detection Manifest (this schema) |
| security_domain | enum | Required | No | Detection Manifest (this schema) |
| spec_version | integer | Optional | No | Detection Manifest (this schema) |
| version | string | Required | No | Detection Manifest (this schema) |
| `*` | any | Additional | Yes | this schema allows additional properties |
asset_type

Designates the type of asset being investigated.

- is optional
- type: string (defined in this schema)
- example: "Endpoint"

baselines

An array of the baseline objects to execute before the detection.

- is optional
- type: object[] (defined in this schema)

All items must be objects with the following properties:

| Property | Type | Required |
|---|---|---|
| id | string | Required |
| name | string | Required |
| type | enum | Optional |

baselines[].id

UUID of the baseline object.

- is required
- type: string
- example: c096f721-8842-42ce-bfc7-74bd8c72b7c3

baselines[].name

Name of the baseline object.

- is required
- type: string
- example: Discover DNS records

baselines[].type

Type of baseline to execute.

- is optional
- type: enum

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| phantom | |
| splunk | |
| uba | |
- example: splunk

confidence

Confidence that detected behavior is malicious.

- is required
- type: enum (defined in this schema)

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| high | |
| medium | |
| low | |
- example: "high"

creation_date

The date the story manifest was created.

- is required
- type: string (defined in this schema)
- example: "2019-02-14"

data_metadata

Information about the data being ingested.

- is required
- type: object (defined in this schema)

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| data_eventtypes | array | Optional |
| data_models | array | Optional |
| data_source | array | Required |
| data_sourcetypes | array | Optional |
| providing_technologies | array | Required |

data_metadata.data_eventtypes

A list of eventtypes, if any, used by this search.

- is optional
- type: string[] (at least 0 items in the array); all items must be of type string
- example: wineventlog

data_metadata.data_models

A list of data models, if any, used by this search.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| Alerts | |
| Application_State | |
| Authentication | |
| Certificates | |
| Change_Analysis | |
| Change | |
| Malware | |
| Email | |
| Identity_Management | |
| Network_Resolution | |
| Network_Traffic | |
| Vulnerabilities | |
| Web | |
| Network_Sessions | |
| Updates | |
| Risk | |
| Endpoint | |

- example: Network_Resolution

data_metadata.data_source

A high-level description of the type of data needed for this search to complete.

- is required
- type: string[] (at least 0 items in the array); all items must be of type string
- example: DNS

data_metadata.data_sourcetypes

The list of sourcetypes, if any, used by this search.

- is optional
- type: string[] (at least 0 items in the array); all items must be of type string
- example: stream:dns

data_metadata.providing_technologies

A list of technologies that provide this data.

- is required
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| Apache | |
| AWS | |
| Bro | |
| Microsoft Windows | |
| Linux | |
| macOS | |
| Netbackup | |
| Splunk Enterprise | |
| Splunk Enterprise Security | |
| Splunk Stream | |
| Active Directory | |
| Bluecoat | |
| Carbon Black Response | |
| Carbon Black Protect | |
| CrowdStrike Falcon | |
| Microsoft Exchange | |
| Nessus | |
| Palo Alto Firewall | |
| Qualys | |
| Sysmon | |
| Tanium | |
| Ziften | |
| OSquery | |

- example: Bro

description

A description of what the detection is designed to find.

- is required
- type: string (defined in this schema)
- example: "The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day."

detect

- is required
- type: object (defined in this schema)

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| phantom | reference | Optional |
| splunk | reference | Optional |
| uba | reference | Optional |

detect.phantom

- is optional
- type: reference

detect.splunk

- is optional
- type: reference

detect.uba

- is optional
- type: reference

eli5

Explain it like I am 5: a detailed description of the SPL of the search, written in a style that can be understood by a future Splunk expert.

- is required
- type: string (defined in this schema)
- example: "Using a lookup `discover_dns_records` generated by support search \"Discover DNS records\" we check previous network traffic and make sure the responses have not changed."

entities

A list of entities that is output by the search...

- is optional
- type: enum[] (at least 0 items in the array, items unique; defined in this schema)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| accessKeyId | |
| arn | |
| awsRegion | |
| bucketName | |
| City | |
| Country | |
| dest_port | |
| dest | |
| event_id | |
| instanceId | |
| message_id | |
| networkAclId | |
| process_name | |
| process | |
| recipient | |
| Region | |
| resourceId | |
| session_id | |
| src_ip | |
| src_mac | |
| src_user | |
| src | |
| user | |

- examples: "dest", "user"

how_to_implement

A discussion on how to implement this search, from what needs to be ingested, config files modified, and suggested per site modifications.

- is required
- type: string (defined in this schema)
- example: "To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \"Discover DNS record\"."

id

The unique identifier for the detection.

- is required
- type: string (defined in this schema)

investigations

An array of the investigation objects to execute on the detection results.

- is optional
- type: object[] (defined in this schema)

All items must be objects with the following properties:

| Property | Type | Required |
|---|---|---|
| id | string | Required |
| name | string | Required |
| product_type | string | Required |

investigations[].id

UUID of the investigation object.

- is required
- type: string
- example: bc11a8cf-35e7-4bb2-8140-e756cc06fd72

investigations[].name

Name of the investigation object.

- is required
- type: string
- example: Get DNS Server History for a host

investigations[].product_type

Type of investigation object.

- is required
- type: enum

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| phantom | |
| splunk | |
| uba | |
- example: splunk

known_false_positives

Scenarios in which detected behavior is benign, coupled with suggestions on how to verify the behavior.

- is required
- type: string (defined in this schema)
- example: "Legitimate DNS changes can be detected in this search. Investigate, verify and update the list of provided current answers for the domains in question as appropriate."

maintainers

An array of the current maintainers of the Analytic Story.

- is required
- type: object[] (defined in this schema)

All items must be objects with the following properties:

| Property | Type | Required |
|---|---|---|
| company | string | Required |
| email | string | Required |
| name | string | Required |

maintainers[].company

Company associated with the person maintaining this search.

- is required
- type: string
- example: Splunk

maintainers[].email

Email address of the person maintaining this search.

- is required
- type: string
- example: daftpunk@splunk.com

maintainers[].name

Name of the person maintaining this search.

- is required
- type: string
- example: Daft Punk

mappings

Mappings to various industry standards and frameworks.

- is optional
- type: object (defined in this schema)

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| cis20 | array | Optional |
| emoji | array | Optional |
| kill_chain_phases | array | Optional |
| mitre_attack | array | Optional |
| nist | array | Optional |

mappings.cis20

A list of critical security controls this search helps you implement.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| CIS 1 | |
| CIS 2 | |
| CIS 3 | |
| CIS 4 | |
| CIS 5 | |
| CIS 6 | |
| CIS 7 | |
| CIS 8 | |
| CIS 9 | |
| CIS 10 | |
| CIS 11 | |
| CIS 12 | |
| CIS 13 | |
| CIS 14 | |
| CIS 15 | |
| CIS 16 | |
| CIS 17 | |
| CIS 18 | |
| CIS 19 | |
| CIS 20 | |
- example: CIS 12

mappings.emoji

A list of security emojis that will help UBA understand this alert as an external alarm.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| EndPoint | |
| AD | |
| Firewall | |
| ApplicationLog | |
| IPS | |
| CloudData | |
| Correlation | |
| Printer | |
| Badge | |
- example: EndPoint

mappings.kill_chain_phases

A list of kill-chain phases to which the search applies.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| Reconnaissance | |
| Weaponization | |
| Delivery | |
| Exploitation | |
| Installation | |
| Command and Control | |
| Actions on Objectives | |
- example: Reconnaissance

mappings.mitre_attack

A list of the techniques and tactics identified by the search.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| Initial Access | |
| Execution | |
| Persistence | |
| Privilege Escalation | |
| Defense Evasion | |
| Credential Access | |
| Discovery | |
| Lateral Movement | |
| Collection | |
| Exfiltration | |
| Command and Control | |
| Command and Control Protocol | |
| Commonly Used Port | |
| Custom Cryptographic Protocol | |
| DLL Injection | |
| DLL Search Order Hijacking | |
| DLL Side-Loading | |
| Data Compressed | |
| Data Encrypted | |
| Data Obfuscation | |
| Data Staged | |
| Data Transfer Size Limits | |
| Data from Local System | |
| Data from Network Shared Drive | |
| Data from Removable Media | |
| Disabling Security Tools | |
| Email Collection | |
| Execution through API | |
| Exfiltration Over Alternative Protocol | |
| Exfiltration Over Command and Control Channel | |
| Exfiltration Over Other Network Medium | |
| Exfiltration Over Physical Medium | |
| Exploitation of Vulnerability | |
| Fallback Channels | |
| File Deletion | |
| File System Logical Offsets | |
| File System Permissions Weakness | |
| File and Directory Discovery | |
| Graphical User Interface | |
| Hypervisor | |
| Indicator Blocking | |
| Indicator Removal from Tools | |
| Indicator Removal on Host | |
| Input Capture | |
| InstallUtil | |
| Legitimate Credentials | |
| Local Network Configuration Discovery | |
| Local Network Connections Discovery | |
| Local Port Monitor | |
| Logon Scripts | |
| MSBuild | |
| Masquerading | |
| Modify Existing Service | |
| Modify Registry | |
| Multi-Stage Channels | |
| Multiband Communication | |
| Multilayer Encryption | |
| NTFS Extended Attributes | |
| Network Service Scanning | |
| Network Share Connection Removal | |
| Network Sniffing | |
| New Service | |
| Obfuscated Files or Information | |
| Pass the Hash | |
| Pass the Ticket | |
| Path Interception | |
| Peripheral Device Discovery | |
| Permission Groups Discovery | |
| PowerShell | |
| Process Discovery | |
| Process Hollowing | |
| Query Registry | |
| Redundant Access | |
| Registry Run Keys / Start Folder | |
| Regsvcs/Regasm | |
| Regsvr32 | |
| Remote Desktop Protocol | |
| Create Account | |
| Remote File Copy | |
| Remote Services | |
| Remote System Discovery | |
| Replication Through Removable Media | |
| Rootkit | |
| Rundll32 | |
| Scheduled Task | |
| Scheduled Transfer | |
| Screen Capture | |
| Scripting | |
| Security Software Discovery | |
| Security Support Provider | |
| Service Execution | |
| Service Registry Permissions Weakness | |
| Shared Webroot | |
| Shortcut Modification | |
| Software Packing | |
| Standard Application Layer Protocol | |
| Standard Cryptographic Protocol | |
| Standard Non-Application Layer Protocol | |
| System Information Discovery | |
| System Owner/User Discovery | |
| System Service Discovery | |
| System Time Discovery | |
| Taint Shared Content | |
| Third-party Software | |
| Timestomp | |
| Two-Factor Authentication Interception | |
| Uncommonly Used Port | |
| Video Capture | |
| Valid Accounts | |
| Web Service | |
| Web Shell | |
| Windows Admin Shares | |
| Windows Management Instrumentation Event Subscription | |
| Windows Management Instrumentation | |
| Windows Remote Management | |
| Winlogon Helper DLL | |
| Exploitation for Privilege Escalation | |
- examples: Defense Evasion, Initial Access

mappings.nist

A list of the NIST controls the search helps you implement.

- is optional
- type: enum[] (at least 0 items in the array, items unique)

Each item must be equal to one of the known values below.

| Value | Description |
|---|---|
| ID.AM | |
| ID.RA | |
| PR.DS | |
| PR.IP | |
| PR.AC | |
| PR.PT | |
| PR.AT | |
| PR.MA | |
| DE.CM | |
| DE.DP | |
| DE.AE | |
| RS.MI | |
| RS.AN | |
| RS.RP | |
| RS.IM | |
| RS.CO | |
| RC.IM | |
| RC.CO | |
- examples: ID.AM, PR.PT

modification_date

The date of the most recent modification to the search.

- is required
- type: string (defined in this schema)
- example: "2019-02-14"

name

The name of the detection.

- is optional
- type: string (defined in this schema)
- example: "DNS record changed"

original_authors

A list of the original authors of the search.

- is required
- type: object[] (defined in this schema)

All items must be objects with the following properties:

| Property | Type | Required |
|---|---|---|
| company | string | Required |
| email | string | Required |
| name | string | Required |

original_authors[].company

Company associated with the person who originally authored the search.

- is required
- type: string
- example: Splunk

original_authors[].email

Email address of the person who originally authored the search.

- is required
- type: string
- example: daftpunk@splunk.com

original_authors[].name

Name of the person who originally authored the search.

- is required
- type: string
- example: Daft Punk

product_type

The type of detection.

- is required
- type: enum (defined in this schema)

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| uba | |
| splunk | |
| phantom | |
- example: "phantom"

references

A list of URLs that give more information about the search.

- is optional
- type: string[] (at least 0 items in the array; defined in this schema); all items must be of type string
- example: "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"

responses

An array of the response objects to execute on the detection results.

- is optional
- type: object[] (defined in this schema)

All items must be objects with the following properties:

| Property | Type | Required |
|---|---|---|
| id | string | Required |
| name | string | Required |
| product_type | enum | Required |

responses[].id

UUID of the Response object.

- is required
- type: string
- example: 1169w17b-ef78-4b59-aae8-5369073014e1

responses[].name

Name of the Response object.

- is required
- type: string
- example: DNS Hijack Reponse

responses[].product_type

Type of baseline to execute.

- is required
- type: enum

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| phantom | |
| splunk | |
| uba | |
- example: phantom

security_domain

The high-level security area to which the search belongs.

- is required
- type: enum (defined in this schema)

The value of this property must be equal to one of the known values below.

| Value | Description |
|---|---|
| access | |
| endpoint | |
| network | |
| threat | |
- example: "endpoint"

spec_version

The version of the detection specification this manifest follows.

- is optional
- type: integer (defined in this schema)
- example: "2.0"

version

The version of the detection.

- is required
- type: string (defined in this schema)
- example: "1"

Definitions

| Property | Type | Group |
|---|---|---|
| correlation_rule | object | https://api.splunkresearch.com/schemas/detections.json#/definitions/uba |
| event_type | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/uba |
| model | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/uba |
| model_version | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/uba |
| phantom_server | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/phantom |
| playbook_name | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/phantom |
| playbook_url | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/phantom |
| sensitivity | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/phantom |
| severity | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/phantom |
| threat_category | string | https://api.splunkresearch.com/schemas/detections.json#/definitions/uba |
correlation_rule

Various fields to enhance usability in Enterprise Security.

- is optional
- type: object (defined in this schema)

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| notable | object | Optional |
| risk | object | Optional |
| schedule | object | Required |
| search | string | Required |
| suppress | object | Optional |

correlation_rule.notable

Various fields associated with creating a notable event.

- is optional
- type: object

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| nes_fields | string | Required |
| rule_description | string | Required |
| rule_title | string | Required |

correlation_rule.notable.nes_fields

A list of suggested fields to be used for notable-event suppression.

- is required
- type: string

correlation_rule.notable.rule_description

Description of the notable event that will display in Incident Review.

- is required
- type: string

correlation_rule.notable.rule_title

Title of the notable event that will display in Incident Review.

- is required
- type: string

correlation_rule.risk

Fields associated with assigning risk to objects.

- is optional
- type: object

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| risk_object | string | Required |
| risk_object_type | array | Required |
| risk_score | integer | Required |

correlation_rule.risk.risk_object

The field to which you are assigning risk.

- is required
- type: string

correlation_rule.risk.risk_object_type

The type of object to which you are assigning risk.

- is required
- type: enum[] (between 0 and 1 items in the array); all items must be of type string

correlation_rule.risk.risk_score

Score assigned to risk_object.

- is required
- type: integer

correlation_rule.schedule

Various fields to assist in scheduling the search.

- is required
- type: object

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| cron_schedule | string | Optional |
| earliest_time | string | Optional |
| latest_time | string | Optional |

correlation_rule.schedule.cron_schedule

Schedule of the search in cron format.

- is optional
- type: string

correlation_rule.schedule.earliest_time

The earliest time the search should run in Splunk format.

- is optional
- type: string

correlation_rule.schedule.latest_time

The latest time the search should run against in Splunk format.

- is optional
- type: string

correlation_rule.search

The search (in SPL) executed within core Splunk.

- is required
- type: string

correlation_rule.suppress

Fields associated with suppressing the creation of multiple alerts.

- is optional
- type: object

An object with the following properties:

| Property | Type | Required |
|---|---|---|
| suppress_fields | string | Required |
| suppress_period | string | Required |

correlation_rule.suppress.suppress_fields

The fields to base the suppression on.

- is required
- type: string

correlation_rule.suppress.suppress_period

The length of time the suppression should be in effect.

- is required
- type: string

event_type

An anomaly or threat.

- is optional
- type: string (defined in this schema)
- example: "anomaly"

model

The name of the Splunk UBA model that detected the anomaly.

- is optional
- type: string (defined in this schema)
- example: "UBA Model"

model_version

Url of the playbook on Phantom website.

- is optional
- type: string (defined in this schema)
- example: "2.0"

phantom_server

IP address and username of the phantom server. Currently, we will ship this value as automation (hostname) and we encourage the users to modify those values according to their environment. E.g.: automation (hostname)

- is optional
- type: string (defined in this schema)
- example: "automation (hostname)"

playbook_name

Name of the playbook. This name should be the same as the name on the phantom community repository on github with underscores and appended with community/<playbook_name>. The playbooks are hosted on https://github.com/phantomcyber/playbooks. E.g.: community/simple_network_enrichment

- is optional
- type: string (defined in this schema)
- example: "community/dns_hijack_detect_playbook"

playbook_url

Url of the playbook on Phantom website.

- is optional
- type: string (defined in this schema)
- example: "https://my.phantom.us/4.1/playbook/dns-hijack-investigation/"

sensitivity

TLP colors (white, green, amber or red).

- is optional
- type: string (defined in this schema)
- example: "green"

severity

Severity in phantom (High, Medium, Low).

- is optional
- type: string (defined in this schema)
- example: "high"

threat_category

The category of a threat in Splunk UBA.

- is optional
- type: string (defined in this schema)
- example: "Malware"
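To show how the constraints above fit together, here is an added validator for a detection manifest; it is not part of the Splunk schema or its tooling. It hand-checks the required top-level properties, the enum-valued properties, the two date fields, the required `data_metadata` arrays and the maintainer/author objects as this page lists them, without loading the JSON Schema itself; the sample manifest it builds is constructed here from the page's example values.

```python
"""Validator for the detection manifest layout this page describes.

Added example, not part of the Splunk schema or its tooling. It hand-checks
the rules listed on this page rather than evaluating the JSON Schema itself.
"""
from datetime import date

# Required top-level properties, as listed in the property table above.
REQUIRED = (
    "confidence", "creation_date", "data_metadata", "description", "detect",
    "eli5", "how_to_implement", "id", "known_false_positives", "maintainers",
    "modification_date", "original_authors", "product_type",
    "security_domain", "version",
)
# Enum-valued top-level properties and the values the page allows for them.
ENUMS = {
    "confidence": {"high", "medium", "low"},
    "product_type": {"uba", "splunk", "phantom"},
    "security_domain": {"access", "endpoint", "network", "threat"},
}
# Every maintainers[] / original_authors[] item needs these three strings.
PERSON_FIELDS = ("company", "email", "name")


def _is_iso_date(value):
    """creation_date / modification_date look like "2019-02-14" on the page."""
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def validate_manifest(m):
    """Return a list of problems; an empty list means the manifest passes."""
    if not isinstance(m, dict):
        return ["manifest must be a JSON object"]
    errors = [f"missing required property: {k}" for k in REQUIRED if k not in m]
    for key, allowed in ENUMS.items():
        if key in m and m[key] not in allowed:
            errors.append(f"{key}: {m[key]!r} not in {sorted(allowed)}")
    for key in ("creation_date", "modification_date"):
        if key in m and not _is_iso_date(m[key]):
            errors.append(f"{key}: expected YYYY-MM-DD string, got {m[key]!r}")
    # data_metadata must carry the two arrays the page marks as required.
    dm = m.get("data_metadata")
    if isinstance(dm, dict):
        for key in ("data_source", "providing_technologies"):
            if not isinstance(dm.get(key), list):
                errors.append(f"data_metadata.{key}: required array missing")
    elif "data_metadata" in m:
        errors.append("data_metadata: must be an object")
    # Each maintainer / original author must be a complete person object.
    for key in ("maintainers", "original_authors"):
        people = m.get(key)
        if people is None:
            continue
        if not isinstance(people, list):
            errors.append(f"{key}: must be an array of objects")
            continue
        for i, person in enumerate(people):
            missing = [f for f in PERSON_FIELDS
                       if not isinstance(person, dict) or f not in person]
            if missing:
                errors.append(f"{key}[{i}]: missing {', '.join(missing)}")
    return errors


def example_manifest():
    """A constructed manifest built from the example values shown on this page."""
    person = {"company": "Splunk", "email": "daftpunk@splunk.com", "name": "Daft Punk"}
    return {
        "id": "c096f721-8842-42ce-bfc7-74bd8c72b7c3",  # UUID example from the page
        "name": "DNS record changed",
        "version": "1",
        "confidence": "high",
        "creation_date": "2019-02-14",
        "modification_date": "2019-02-14",
        "product_type": "splunk",
        "security_domain": "network",
        "description": "Finds DNS records whose answers changed in the last day.",
        "eli5": "Compare today's DNS answers with the discover_dns_records lookup.",
        "how_to_implement": "DNS data must populate the Network_Resolution data model.",
        "known_false_positives": "Legitimate DNS changes; verify and update the lookup.",
        "data_metadata": {"data_source": ["DNS"], "data_models": ["Network_Resolution"],
                          "providing_technologies": ["Bro"]},
        # schedule's fields are all optional, so an empty object is valid here.
        "detect": {"splunk": {"correlation_rule": {"search": "<SPL>", "schedule": {}}}},
        "maintainers": [person],
        "original_authors": [person],
    }
```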