Tuning Framework For Splunk

The Tuning Framework is a custom framework built in Splunk to facilitate tuning detection rules to suppress false positives or adjust risk score for Risk Based Alerting. The framework implements a small number of lookups and macros to dynamically suppress events or adjust risk scores for all correlation searches based on any combination of fields within the events. For most Splunk environments, this will enhance analysts ability to quickly tune rules and greatly reduce the lift from Splunk administrators. **The Tuning Framework for Splunk Risk Score override functionality is not compatible with the Enterprise Security Risk Analysis Adaptive Response ** Analysts can use the Add Entry dashboard to add a combination of correlation search names, fields, and values to tuning lookups which will be used to suppress or adjust risk score for any events that match the specified criteria. This is done by constructing dynamic chunks of SPL to form searches and eval statements based on the contents of the lookups. By doing this, we can use a single lookup for tuning all correlation searches without having to anticipate the different combinations of fields analyst may need to match on. The risk score adjustment works whether you have implemented a macro based version of RBA or are using the Risk Analysis adaptive response action. *Note: Versions prior to 1.0.3 have several bugs - please update to 1.0.3* Huge shout out to Splunk user *john_dagostino* for identifying and providing fixes for these issues!!!