Analytics Stories for Splunk Enterprise Security, Part 2: Creating and Sharing (Because Sharing is Caring) Use Cases

Dear Buttercup,

The tips on the use case functionality have been helpful and I like how the content can be organized. Unfortunately, I couldn’t actually figure out how to do it myself. This has cut down on my opportunities to go for drinks at The Tavern. The passing of time and all of its crimes is making me sad again. I have to get these use cases shared out with our partners! Can you help me?

Sterling from State College

Thanks for the follow-up, Sterling, and sorry to hear about you missing out. Hopefully we can quickly fix you up and get you on your way!

Use cases are created by building a configuration file called analyticstories.conf. Inside this file you will have all of the key information about the use case, as well as the specifics about each search, as individual stanzas. Since I already have one created, we are going to walk through it so that you can see what a completed analytic story looks like. Let’s take a look at some of the key values.

The first section of the analyticstories.conf file is the stanza for the story itself. Notice that the searches that make up the story are called out by name, and that the narrative, category, maintainer and versioning are all called out in this stanza as well. A good practice is to ensure that everything I am showing here is completed. Not all of these fields are required, but it is important to provide context to the use case, particularly if you are sharing it broadly.

If you want to see the specification file with a full listing of mandatory and optional fields, you can check it out at $SPLUNK_HOME/splunk/etc/apps/SA-ThreatIntelligence/README/analyticstories.conf.spec

The other portion of the analyticstories.conf file consists of stanzas pertaining to the searches that are included in the analytic story. Here we can see any annotations that pertain to frameworks, as well as other metadata that describes the composition of the search. It is important to note that the search itself is not written into this file. Searches are always written to the savedsearches.conf file, just like every other saved search.

If we jump over to our savedsearches.conf file, we can see the correlation search that is part of the analytic story, just like any other correlation search. We are not showing the entire search, but we can see that this search generates a notable in the network security domain, along with the drill-down associated with it. Also notice the name of the stanza here and how it ties both to the stanza in analyticstories.conf and to the name of the search in the story. Hopefully this provides a good understanding of how the pieces fit together.
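The name matching described above can be checked mechanically before a story is exported. The following Python is an added example, not code from Splunk or from the original post; the stanza prefixes (analytic_story://, savedsearch://), the key names, the JSON-list form of the searches key, and the story and search names are assumptions or constructed samples, so confirm them against the analyticstories.conf.spec file mentioned earlier.

```python
import configparser
import json

# Constructed samples. The stanza prefixes (analytic_story://, savedsearch://) and
# key names are assumptions; confirm them in analyticstories.conf.spec.
ANALYTICSTORIES_CONF = """
[analytic_story://Uncommon Port Activity]
category = Adversary Tactics
version = 1.0
maintainers = [{"name": "Sterling", "company": "Example", "email": "sterling@example.com"}]
narrative = Constructed narrative describing why port 4444 traffic matters.
searches = ["Network - Port 4444 Detected - Rule", "Network - Port 4444 Context"]

[savedsearch://Network - Port 4444 Detected - Rule]
type = detection
how_to_implement = Populate the `Network_Traffic` data model.
"""

SAVEDSEARCHES_CONF = """
[Network - Port 4444 Detected - Rule]
search = | tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=4444
"""

# Context fields the story stanza should carry before it is shared.
CONTEXT_FIELDS = ("category", "version", "maintainers", "narrative")

def load(text):
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    return parser

def check_story(stories_text, saved_text):
    """Return a list of problems that would leave a story incomplete after export."""
    stories, saved = load(stories_text), load(saved_text)
    problems = []
    for section in stories.sections():
        if not section.startswith("analytic_story://"):
            continue
        story = section.split("://", 1)[1]
        for field in CONTEXT_FIELDS:
            if not stories.get(section, field, fallback="").strip():
                problems.append(f"{story}: missing {field}")
        for name in json.loads(stories.get(section, "searches", fallback="[]")):
            if not stories.has_section(f"savedsearch://{name}"):
                problems.append(f"{story}: no savedsearch:// stanza for '{name}'")
            if not saved.has_section(name):
                problems.append(f"{story}: '{name}' missing from savedsearches.conf")
    return problems

if __name__ == "__main__":
    for problem in check_story(ANALYTICSTORIES_CONF, SAVEDSEARCHES_CONF):
        print(problem)
```

The constructed sample deliberately lists a second search that has no stanza in either file, so the check reports two problems for it.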

Now, Sterling, you are probably thinking, “I don’t want to do this all in conf files. Do you have a UI that I can work with instead?”

The answer is yes, we do, but like anything else, it is important to understand what is occurring behind the scenes in case you need to make a quick tweak or two.

Let’s look at how this would work in the UI. Navigate to Configure - All Configurations and select Content Management from the list.

This should look familiar because this is where we craft correlation searches and build other content. If you were going to create a new use case, you would click the Create New Content button in the top right of the screen and select Analytic Story.

Since we already have a use case built, let’s look at it. We can edit an existing analytic story by clicking on it, btw.

The top section covers many of the pieces we addressed in the conf file. You are not seeing it in this screenshot, but there are also Last Updated and Version fields that are filled in. The second half of the screen captures the searches that are part of the story, the kind of each search, and who the maintainer of the content is. I could say that’s all there is to it, but in reality there is a little more configuration that needs to take place, and the remainder of it takes place within the searches themselves. If you already have a search in your use case, you can click Edit to manipulate it, but if you are adding a search to the use case, select Add Search.

Continuing with our earlier example, we are going to click Edit on the Port 4444 detection. When we look at the search, we can see that the actual search syntax is not here. Again, this is in savedsearches.conf and can be viewed elsewhere in Splunk; we are not carrying it over here, we are just looking to describe the search. One thing to point out is that we can highlight words like Network_Traffic in the How To Implement section by putting what are called grave accents ( ` ) around the word. Not sure what a grave accent is? You aren’t the only one, I had to figure out what I was going to call it as I was writing this. Fun fact, the grave accent is the same symbol that is on either side of a macro when it is called in Splunk, so just make sure you use this and all will be well!

The last portion in the search is to annotate the search to a specific framework, if desired. Here you can see that there are two annotations. The first is my own, mapping the specific technique to the search, in this case Uncommonly Used Port. The second one is one of the four reserved framework names that I mentioned earlier. This one combines tactics and techniques from MITRE ATT&CK. Depending on how you want to slice this, you may be fine with it or you may want more granularity. Either way, you can add these annotations. For reference, the other reserved annotated values besides mitre_attack are kill_chain_phases, cis20, and nist.

Once you save your searches and the analytic story, you can deploy or distribute it. From the Content Management screen, filter on Type: Analytic Story and select the story you want to export. Click Edit selection - Export.

A pop-up is provided to name the app that the content is being exported to. A label is also required as well as version and build numbers. We will see these values at the file level and when we load the app into our other system. In this case, we should create a reasonably descriptive name for our counterparts to understand what we are providing them and complete the other required fields and click Export.

Depending on the size of the export, Splunk Enterprise Security will take a moment and then present a pop-up saying the content is exported to an app, along with a handy link to download the app now. If you click Close prior to downloading the app, all is not lost: the .spl file can be found at $SPLUNK_HOME/etc/apps/SA-Utils/local/data/appmaker/.

After downloading the file, you will be treated to a file that looks something like this. Notice that the App Name, the Version and the Build number carry into the filename.

At this point Sterling, your job is done, you have created the use case that you wanted to share. Well done. Treat yourself to a lovely breakfast at The Waffle Shop on College Avenue content with the knowledge of a job well done.

The recipient of your use case has a pretty light lift, but let’s walk through that in case he calls you while you are digging into your pancakes looking for some help.

Because the use case is packaged and exported like an app, we can treat it like any other app. Have the remote system upload an app just like they would any other time and click Upload. If this is an updated use case, make sure the Upgrade app checkbox is checked.

The app will upload and when completed, we can see it loaded. Note the Name is the Label that we set at export and note the Folder name and Version align as well. 

To validate that it has loaded properly, go to the Use Case Library to view the use cases. You should see our Analytic Story. Note that the name of the story is what we called it on the original system, but look on the far right of the Use Case Library and notice that the App is listed as APT-VM TTPs, the same name as it appears on the Apps page.

If for some reason you don’t see your use case, there are a few things to look at: make sure that the app is being exported globally, and check whether it is missing an analyticstories.conf file. Also, make sure you have a version of ES of 5.2 or greater that supports Analytic Stories.

Sterling, I hope this has been helpful. Creating use cases provides an easy mechanism to group content logically and share it broadly while providing additional context and insight into each search. 

Until next time,

John Stoner
