Splunk Enterprise Security

Does anyone know where I can find a list of OOTB reports generated by Splunk ES?

adnankhan5133
Communicator

We have a prospective client interested in knowing what our reporting capabilities are, and I would like to pull a list of reports that Splunk ES already has pre-configured out of the box. We currently don't have Splunk installed so I'm wondering if there is a public repository or page that has this information.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

AFAIK, there is no published list.  The documentation says to run this query to get a list. I added the part about ESCU, since that's not ES OOTB.

 

| rest splunk_server=local count=0 /services/saved/searches 
| where (match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") AND NOT match(title, "^ESCU - "))
| rename title as csearch_name
| table csearch_name, description

 

Since this doesn't help if you don't have ES installed, here is what I get for results.  HTH.

  

csearch_namedescription
Access - Account Deleted - RuleDetects user and computer account deletion
Access - Brute Force Access Behavior Detected - RuleDetects excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack)
Access - Brute Force Access Behavior Detected Over 1d - RuleDetects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack)
Access - Cleartext Password At Rest - RuleDetects cleartext passwords being stored at rest (such as in the Unix passwd file)
Access - Completely Inactive Account - RuleDiscovers accounts that are no longer used. Unused accounts should be disabled and are oftentimes used by attackers to gain unauthorized access.
Access - Concurrent App Accesses - RuleAlerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse.
Access - Default Account Usage - RuleDiscovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools.
Access - Default Accounts At Rest - RuleDiscovers the presence of default accounts even if they are not being used. Default accounts should be disabled in order to prevent an attacker from using them to gain unauthorized access to remote hosts.
Access - Excessive Failed Logins - RuleDetects excessive number of failed login attempts (this is likely a brute force attack)
Access - Geographically Improbable Access Detected - RuleAlerts on access attempts that are improbable based on time and geography.
Access - High or Critical Priority Individual Logging into Infected Machine - RuleDetects users with a high or critical priority logging into a malware infected machine
Access - Inactive Account Usage - RuleDiscovers previously inactive accounts that are now being used. This may be due to an attacker that successfully gained access to an account that was no longer being used.
Access - Insecure Or Cleartext Authentication - RuleDetects authentication requests that transmit the password over the network as cleartext (unencrypted)
Access - Short-lived Account Detected - RuleDetects when a account or credential is created and then removed a short time later. This may be an indication of malicious activities.
Asset - Asset Ownership Unspecified - RuleAlerts when there are assets that define a specific priority and category but do not have an assigned owner.
Audit - Anomalous Audit Trail Activity Detected - RuleDiscovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files in order to hide their actions, therefore, this may indicate that the system has been compromised.
Audit - Expected Host Not Reporting - RuleDiscovers hosts that are longer reporting events but should be submitting log events. This rule is used to monitor hosts that you know should be providing a constant stream of logs in order to determine why the host has failed to provide log data.
Audit - Personally Identifiable Information Detection - RuleDetects personally identifiable information (PII) in log files. Some software will inadvertently provide sensitive information in log files and thus causing the information to be exposed unnecessarily to those reviewing the log files.
Audit - Potential Gap in Data - RuleDetects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.
Audit - Untriaged Notable Events - RuleAlerts when notable events have not been triaged
Change - Abnormally High Number of Endpoint Changes By User - RuleDetects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits, filesystem, user, and registry modifications.
Endpoint - Anomalous New Listening Port - RuleAlerts a series of hosts begin listening on a new port within 24 hours. This may be an indication that the devices have been compromised or have had new (and potentially vulnerable) software installed.
Endpoint - Anomalous New Processes - RuleAlerts when an anomalous number hosts are detected with a new process.
Endpoint - Anomalous New Services - RuleAlerts when an anomalous number hosts are detected with a new service.
Endpoint - Anomalous User Account Creation - RuleAlerts when a previously unseen account is created on multiple hosts.
Endpoint - High Number of Hosts Not Updating Malware Signatures - RuleAlerts when a high number of hosts not updating malware signatures have been discovered. These hosts should be evaluated to determine why they are not updating their malware signatures.
Endpoint - High Number Of Infected Hosts - RuleAlerts when a high total number of infected hosts is discovered.
Endpoint - High Or Critical Priority Host With Malware - RuleAlerts when an infection is noted on a host with high or critical priority.
Endpoint - Host Sending Excessive Email - RuleAlerts when an host not designated as an e-mail server sends excessive e-mail to one or more target hosts.
Endpoint - Host With Excessive Number Of Listening Ports - RuleAlerts when host has a high number of listening services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server) or is not running a firewall.
Endpoint - Host With Excessive Number Of Processes - RuleAlerts when host has a high number of processes. This may be due to an infection or a runaway process.
Endpoint - Host With Excessive Number Of Services - RuleAlerts when host has a high number of services. This may be an indication that the device is running services that are not necessary (such as a default installation of a server).
Endpoint - Host With Multiple Infections - RuleAlerts when a host with multiple infections is discovered.
Endpoint - Multiple Primary Functions Detected - RuleMultiple Primary Functions Detected
Endpoint - Old Malware Infection - RuleAlerts when a host with an old infection is discovered (likely a re-infection).
Endpoint - Outbreak Observed - RuleAlerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection
Endpoint - Prohibited Process Detection - RuleAlerts when a service in the prohibited process list is detected.
Endpoint - Prohibited Service Detection - RuleAlerts when a service in the prohibited service list is detected.
Endpoint - Recurring Malware Infection - RuleAlerts when a host has an infection that has been re-infected remove multiple times over multiple days.
Endpoint - Should Timesync Host Not Syncing - RuleDetects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by some regulatory compliance standards (such as PCI).
Identity - Activity from Expired User Identity - RuleAlerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of the identity has been passed).
Identity - High Volume Email Activity with Non-corporate Domains - RuleAlerts on high volume email activity by a user to non-corporate domains.
Identity - Web Uploads to Non-corporate Domains - RuleAlerts on high volume web uploads by a user to non-corporate domains.
Network - Excessive DNS Failures - RuleAlerts when a host receives many DNS failures in a short span
Network - Excessive DNS Queries - RuleAlerts when a host starts sending excessive DNS queries
Network - Excessive HTTP Failure Responses - RuleAlerts when a host generates a lot of HTTP failures in a short span of time
Network - High Volume of Traffic from High or Critical Host - RuleAlerts when a system of high or critical severity generates a high volume of outbound web activity. This may indicate that the system has been compromised.
Network - Network Device Rebooted - RuleIncreases the risk score of network devices that have been rebooted.
Network - Policy Or Configuration Change - RuleDetects changes to policies of the network protection devices (such as firewall policy changes).
Network - Substantial Increase in an Event - RuleAlerts when a statistically significant increase in a particular intrusion event is observed.
Network - Substantial Increase in Port Activity (By Destination) - RuleAlerts when a statistically significant increase in events on a given port is observed.
Network - Unapproved Port Activity Detected - RuleDetects the use of ports that are prohibited. Useful for detecting the installation of new software or a successful compromise of a host (such as the presence of a backdoor or a system communicating with a botnet).
Network - Unroutable Host Activity - RuleAlerts when activity to or from a host that is unroutable is detected.
Network - Unusual Volume of Network Activity - RuleDetects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique sources or a high volume of firewall packets
Network - Vulnerability Scanner Detection (by event) - RuleDetects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events. Vulnerability scanners generally trigger a high number unique events when scanning a host since each vulnerability check tends to trigger a unique event.
Network - Vulnerability Scanner Detection (by targets) - RuleDetects a potential vulnerability scanner by detecting devices that have triggered events against a large number of unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they are scanning a network for vulnerable hosts.
Threat - Same Error On Many Systems - RuleAlerts when multiple systems are exhibiting the same errors
Threat - Threat List Activity - RuleAlerts when any activity matching threat intelligence is detected.
Threat - UEBA Anomaly Detected (Risk) - RuleDetects UBA anomaly events
Threat - UEBA Threat Detected (Notable) - RuleDetects UBA threat events
Threat - UEBA Threat Detected (Risk) - RuleDetects UBA threat events
Threat - Watchlisted Events - RuleAlerts when an event is discovered including text has been identified as important. This rule triggers whenever an event is discovered with the tag of "watchlist".
Web - Abnormally High Number of HTTP Method Events By Src - RuleAlerts when a host has an abnormally high number of HTTP requests by http method.
---
If this reply helps you, an upvote would be appreciated.
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!