Splunk Tech Talks
Deep-dives for technical practitioners.

Simplifying the Analyst Experience with Finding-based Detections

DayaSCanales
Splunk Employee

Splunk invites you to an engaging Tech Talk focused on streamlining security operations with finding-based detections and contextual alerts. This session is designed for security professionals seeking to minimize alert fatigue, speed up investigations, and gain clearer insight into complex incidents.

You’ll discover how finding-based detections enable analysts to quickly understand and respond to security events. Learn how this feature identifies multi-stage attacks, dynamically groups duplicate and related findings using RBA best practices, and delivers a comprehensive view of priority incidents with essential context.

What’s in Store:

  • See how finding-based detections reduce alert overload and investigation time.
  • Explore dynamic grouping for duplicate and related findings, powered by RBA.
  • Understand how contextual alerts deliver the information analysts need to respond to advanced threats.
  • Bring your questions and join the interactive discussion!

Don’t miss out—watch on demand!

DayaSCanales
Splunk Employee

Here are a few top-of-mind questions from the live Tech Talk:

Q. Is FBD in Security Enterprise only? If so, what about Security Essentials for smaller infrastructures or installations in "closed" networks?

A. Finding-based detection (FBD) is a feature of Enterprise Security and available with Enterprise Security Essentials edition at no additional cost if you have that edition.

Q. Is it worth mentioning that these finding-based detections are just boosting what the risk intermediate alerts do, as they can also add findings?

A. Yes, this is true. FBDs group both findings and intermediate findings that have common entities.

Q. What is the time complexity of the detect cycle?

A. FBDs run every 5 minutes by default and are fairly lightweight. By default the time window (max append time) is 7 days or 24 hours. That is how long the group keeps getting new findings and intermediate findings grouped together into that common group.

Q. So the Event-based Detections that are displayed under the Finding-based Detection in Mission Control, are those pulling only Findings, Intermediate Findings, or both?

A. An FBD can consume either or both of Findings and Intermediate Findings. Both are consumed by default.

Q. If I have FBDs that I created and started using during the Beta stage, will those work now with ES 8.4 with FBD being GA?

A. Any FBDs that were in the product or customized FBDs that were created during the Beta stage will no longer work in ES 8.4. This is because the underlying macros that FBDs use and rely on were refactored to simplify the base FBD search and enhance scalability.

Q. Do we need an initial event-based detection to be generated to have a finding-based detection created?

A. The Event-based detections are the first stage of detections. The output of event-based detections are the inputs into finding-based detections which have the responsibility of grouping those outputs into a common finding group.

Q. Every time a finding group is reopened, does the max append time get reset? Or is this based on when the group initially opened?

A. No, the max append time does not reset. The time depends on when it initially started. The Finding Group that is reopened is the same finding group that was initially opened, with all the same grouped stuff and just growing context.

Q. Can you show how you drilled down into intermediate findings again?

A. The intermediate findings are accessible anywhere you can click in to see the risk-event timeline. This is from the intermediate findings count on the Analyst Queue, and from within an Investigation too. 

Q. Can you expand intermediate findings in finding groups?

A. Yes, intermediate findings are visible in the Risk event timeline that Jerald demoed, and also in the Investigation view if the finding group is promoted to an investigation.
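The answers above describe four rules of finding-based grouping: findings and intermediate findings that share an entity land in one group; the group keeps accepting members for the max append time measured from when it first opened; closing and reopening the group does not reset that window; and an FBD can be configured to consume findings, intermediate findings, or both. The following is an added toy model of exactly those rules, written for this page. It is not Splunk's code or SPL (a real FBD is a scheduled search over the findings data), and the class names, the single-entity grouping key, and the sample findings for user "alice" are all constructed for illustration.

```python
"""Toy model of finding-based grouping with a max append time window.

Illustration only, not Splunk's implementation.  Finding, FindingGroup and
Grouper are hypothetical names; the sample findings are constructed.
Rules modelled (from the Tech Talk Q&A):
  * findings and intermediate findings that share an entity are grouped,
  * a group accepts new members for `max_append` after it first opened,
  * closing then reopening a group does not reset that window,
  * an FBD may consume findings, intermediate findings, or both.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Finding:
    time: datetime
    entity: str   # risk object the detection fired on, e.g. a user or host
    kind: str     # "finding" or "intermediate"
    name: str     # event-based detection that produced it


@dataclass
class FindingGroup:
    entity: str
    opened_at: datetime        # anchor of the append window; never reset
    max_append: timedelta
    status: str = "open"
    members: list = field(default_factory=list)

    def accepts(self, when: datetime) -> bool:
        """True while `when` is inside the window measured from opened_at."""
        return when <= self.opened_at + self.max_append


class Grouper:
    """One group per entity per append window (simplified grouping key)."""

    def __init__(self, max_append=timedelta(hours=24),
                 consume=("finding", "intermediate")):
        self.max_append = max_append
        self.consume = set(consume)   # which kinds this FBD consumes
        self.groups = []              # in creation order

    def latest_group(self, entity):
        for g in reversed(self.groups):
            if g.entity == entity:
                return g
        return None

    def ingest(self, findings):
        """Simulate detect cycles by processing findings in time order."""
        for f in sorted(findings, key=lambda x: x.time):
            if f.kind not in self.consume:
                continue
            g = self.latest_group(f.entity)
            if g is not None and g.accepts(f.time):
                if g.status == "closed":
                    g.status = "open"   # reopened: same group, same opened_at
                g.members.append(f)
            else:
                g = FindingGroup(f.entity, f.time, self.max_append)
                g.members.append(f)
                self.groups.append(g)
        return self.groups

    def close(self, entity):
        g = self.latest_group(entity)
        if g is not None:
            g.status = "closed"


T0 = datetime(2025, 1, 1, 9, 0)

# Constructed sample: one user, four detections spread over 30 hours.
EARLY = [
    Finding(T0, "alice", "finding", "Suspicious Login"),
    Finding(T0 + timedelta(hours=1), "alice", "intermediate", "Rare Process"),
]
LATE = [
    # 20h after opening: inside the 24h window -> reopens the SAME group
    Finding(T0 + timedelta(hours=20), "alice", "finding", "Data Staging"),
    # 30h after opening: outside the window -> a NEW group is created
    Finding(T0 + timedelta(hours=30), "alice", "intermediate", "Rare Process"),
]


def run_demo():
    """Both kinds consumed; analyst closes the group between the batches."""
    grouper = Grouper(max_append=timedelta(hours=24))
    grouper.ingest(EARLY)
    grouper.close("alice")
    return grouper.ingest(LATE)


def run_findings_only_demo():
    """Same input, but the FBD is configured to consume findings only."""
    grouper = Grouper(max_append=timedelta(hours=24), consume=("finding",))
    return grouper.ingest(EARLY + LATE)


if __name__ == "__main__":
    for g in run_demo():
        names = [f"{m.name} ({m.kind})" for m in g.members]
        print(g.entity, g.status, g.opened_at.isoformat(), names)
```

Running it prints two groups for alice: the first, reopened by the 20-hour finding, still reports its original opening time and holds three members; the second opens at hour 30 because the window is measured from the first opening, not from the reopen. The findings-only variant collapses the same input to a single two-member group, since the intermediate findings are skipped.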
