We have a prospective client interested in knowing what our reporting capabilities are, and I would like to pull a list of reports that Splunk ES already has pre-configured out of the box. We currently don't have Splunk installed so I'm wondering if there is a public repository or page that has this information.
AFAIK, there is no published list. The documentation says to run this query to get a list. I added the part about ESCU, since that's not ES OOTB.
| rest splunk_server=local count=0 /services/saved/searches
| where (match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") AND NOT match(title, "^ESCU - "))
| rename title as csearch_name
| table csearch_name, description
Since this doesn't help if you don't have ES installed, here is what I get for results. HTH.
csearch_name | description |
--- | --- |
Access - Account Deleted - Rule | Detects user and computer account deletion |
Access - Brute Force Access Behavior Detected - Rule | Detects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack) |
Access - Brute Force Access Behavior Detected Over 1d - Rule | Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack) |
Access - Cleartext Password At Rest - Rule | Detects cleartext passwords being stored at rest (such as in the Unix passwd file) |
Access - Completely Inactive Account - Rule | Discovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access. |
Access - Concurrent App Accesses - Rule | Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. |
Access - Default Account Usage - Rule | Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. |
Access - Default Accounts At Rest - Rule | Discovers the presence of default accounts even if they are not being used. Default accounts should be disabled in order to prevent an attacker from using them to gain unauthorized access to remote hosts. |
Access - Excessive Failed Logins - Rule | Detects excessive number of failed login attempts (this is likely a brute force attack) |
Access - Geographically Improbable Access Detected - Rule | Alerts on access attempts that are improbable based on time and geography. |
Access - High or Critical Priority Individual Logging into Infected Machine - Rule | Detects users with a high or critical priority logging into a malware infected machine |
Access - Inactive Account Usage - Rule | Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used. |
Access - Insecure Or Cleartext Authentication - Rule | Detects authentication requests that transmit the password over the network as cleartext (unencrypted) |
Access - Short-lived Account Detected - Rule | Detects when a account or credential is created and then removed a short time later. This may be an indication of malicious activities. |
Asset - Asset Ownership Unspecified - Rule | Alerts when there are assets that define a specific priority and category but do not have an assigned owner. |
Audit - Anomalous Audit Trail Activity Detected - Rule | Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised. |
Audit - Expected Host Not Reporting - Rule | Discovers hosts that are longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs in order to determine why the host has failed to provide log data. |
Audit - Personally Identifiable Information Detection - Rule | Detects personally identifiable information (PII) in log files. Some software will inadvertently provide sensitive information in log files and thus causing the information to be exposed unnecessarily to those reviewing the log files. |
Audit - Potential Gap in Data - Rule | Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data. |
Audit - Untriaged Notable Events - Rule | Alerts when notable events have not been triaged |
Change - Abnormally High Number of Endpoint Changes By User - Rule | Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications. |
Endpoint - Anomalous New Listening Port - Rule | Alerts a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed. |
Endpoint - Anomalous New Processes - Rule | Alerts when an anomalous number hosts are detected with a new process. |
Endpoint - Anomalous New Services - Rule | Alerts when an anomalous number hosts are detected with a new service. |
Endpoint - Anomalous User Account Creation - Rule | Alerts when a previously unseen account is created on multiple hosts. |
Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule | Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures. |
Endpoint - High Number Of Infected Hosts - Rule | Alerts when a high total number of infected hosts is discovered. |
Endpoint - High Or Critical Priority Host With Malware - Rule | Alerts when an infection is noted on a host with high or critical priority. |
Endpoint - Host Sending Excessive Email - Rule | Alerts when an host not designated as an e-mail server sends excessive e-mail to one or more target hosts. |
Endpoint - Host With Excessive Number Of Listening Ports - Rule | Alerts when host has a high number of listening services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server) or is not running a firewall. |
Endpoint - Host With Excessive Number Of Processes - Rule | Alerts when host has a high number of processes. This may be due to an infection or a runaway process. |
Endpoint - Host With Excessive Number Of Services - Rule | Alerts when host has a high number of services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server). |
Endpoint - Host With Multiple Infections - Rule | Alerts when a host with multiple infections is discovered. |
Endpoint - Multiple Primary Functions Detected - Rule | Multiple Primary Functions Detected |
Endpoint - Old Malware Infection - Rule | Alerts when a host with an old infection is discovered (likely a re-infection). |
Endpoint - Outbreak Observed - Rule | Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection |
Endpoint - Prohibited Process Detection - Rule | Alerts when a service in the prohibited process list is detected. |
Endpoint - Prohibited Service Detection - Rule | Alerts when a service in the prohibited service list is detected. |
Endpoint - Recurring Malware Infection - Rule | Alerts when a host has an infection that has been re-infected remove multiple times over multiple days. |
Endpoint - Should Timesync Host Not Syncing - Rule | Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI). |
Identity - Activity from Expired User Identity - Rule | Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed). |
Identity - High Volume Email Activity with Non-corporate Domains - Rule | Alerts on high volume email activity by a user to non-corporate domains. |
Identity - Web Uploads to Non-corporate Domains - Rule | Alerts on high volume web uploads by a user to non-corporate domains. |
Network - Excessive DNS Failures - Rule | Alerts when a host receives many DNS failures in a short span |
Network - Excessive DNS Queries - Rule | Alerts when a host starts sending excessive DNS queries |
Network - Excessive HTTP Failure Responses - Rule | Alerts when a host generates a lot of HTTP failures in a short span of time |
Network - High Volume of Traffic from High or Critical Host - Rule | Alerts when a system of high or critical severity generates a high volume of outbound web activity. This may indicate that the system has been compromised. |
Network - Network Device Rebooted - Rule | Increases the risk score of network devices that have been rebooted. |
Network - Policy Or Configuration Change - Rule | Detects changes to policies of the network protection devices (such as firewall policy changes). |
Network - Substantial Increase in an Event - Rule | Alerts when a statistically significant increase in a particular intrusion event is observed. |
Network - Substantial Increase in Port Activity (By Destination) - Rule | Alerts when a statistically significant increase in events on a given port is observed. |
Network - Unapproved Port Activity Detected - Rule | Detects the use of ports that are prohibited. Useful for detecting the installation of new software or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet). |
Network - Unroutable Host Activity - Rule | Alerts when activity to or from a host that is unroutable is detected. |
Network - Unusual Volume of Network Activity - Rule | Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets |
Network - Vulnerability Scanner Detection (by event) - Rule | Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each vulnerability check tends to trigger a unique event. |
Network - Vulnerability Scanner Detection (by targets) - Rule | Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts. |
Threat - Same Error On Many Systems - Rule | Alerts when multiple systems are exhibiting the same errors |
Threat - Threat List Activity - Rule | Alerts when any activity matching threat intelligence is detected. |
Threat - UEBA Anomaly Detected (Risk) - Rule | Detects UBA anomaly events |
Threat - UEBA Threat Detected (Notable) - Rule | Detects UBA threat events |
Threat - UEBA Threat Detected (Risk) - Rule | Detects UBA threat events |
Threat - Watchlisted Events - Rule | Alerts when an event is discovered including text has been identified as important. This rule triggers whenever an event is discovered with the tag of "watchlist". |
Web - Abnormally High Number of HTTP Method Events By Src - Rule | Alerts when a host has an abnormally high number of HTTP requests by http method. |
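The same filter as the SPL query above, applied outside Splunk to the JSON form of the saved/searches endpoint. This is an added example, not code from the original answer or from Splunk; the bearer-token fetch helper and the sample payload are assumptions, and the payload is constructed to show each branch of the filter (enabled, ESCU-excluded, not a correlation search).

```python
"""List Splunk ES correlation searches from the saved/searches REST endpoint."""
import json
import re
import urllib.request

# Same unanchored patterns the SPL query passes to match(); note that
# match() is a regex search, so "true" qualifies because it contains "t".
ENABLED_RE = re.compile(r"1|[Tt]|[Tt][Rr][Uu][Ee]")
ESCU_RE = re.compile(r"^ESCU - ")


def fetch_saved_searches(base_url, token):
    """GET /services/saved/searches as JSON with a bearer token (assumed setup;
    not called offline, and the management port's TLS cert must be trusted)."""
    url = f"{base_url}/services/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def correlation_searches(payload):
    """Return [(csearch_name, description)] for entries whose
    action.correlationsearch.enabled looks true and whose title is not 'ESCU - ...'."""
    rows = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        enabled = str(content.get("action.correlationsearch.enabled", ""))
        title = entry.get("name", "")
        if ENABLED_RE.search(enabled) and not ESCU_RE.search(title):
            rows.append((title, content.get("description", "")))
    return rows


# Constructed sample in the shape Splunk returns (not real server output).
SAMPLE = {"entry": [
    {"name": "Access - Excessive Failed Logins - Rule",
     "content": {"action.correlationsearch.enabled": "1",
                 "description": "Detects excessive number of failed login attempts"}},
    {"name": "ESCU - Some Analytic Story - Rule",
     "content": {"action.correlationsearch.enabled": "1", "description": "ESCU content"}},
    {"name": "Errors in the last 24 hours",
     "content": {"action.correlationsearch.enabled": "0", "description": "Plain saved search"}},
    {"name": "Threat - Threat List Activity - Rule",
     "content": {"action.correlationsearch.enabled": "true", "description": "Matches threat intel"}},
]}

if __name__ == "__main__":
    for name, desc in correlation_searches(SAMPLE):
        print(f"{name} | {desc}")
```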