Welcome to the new Splunkbase! To return to the old Splunkbase, click here.
Collections
Apps
Submit an App
Tuning Framework For Splunk app icon

Tuning Framework For Splunk

The Tuning Framework is a custom framework built in Splunk to facilitate tuning detection rules to suppress false positives or adjust risk score for Risk Based Alerting. The framework implements a small number of lookups and macros to dynamically suppress events or adjust risk scores for all correlation searches based on any combination of fields within the events. For most Splunk environments, this will enhance analysts ability to quickly tune rules and greatly reduce the lift from Splunk administrators. **The Tuning Framework for Splunk Risk Score override functionality is not compatible with the Enterprise Security Risk Analysis Adaptive Response ** Analysts can use the Add Entry dashboard to add a combination of correlation search names, fields, and values to tuning lookups which will be used to suppress or adjust risk score for any events that match the specified criteria. This is done by constructing dynamic chunks of SPL to form searches and eval statements based on the contents of the lookups. By doing this, we can use a single lookup for tuning all correlation searches without having to anticipate the different combinations of fields analyst may need to match on. The risk score adjustment works whether you have implemented a macro based version of RBA or are using the Risk Analysis adaptive response action. *Note: Versions prior to 1.0.3 have several bugs - please update to 1.0.3* Huge shout out to Splunk user *john_dagostino* for identifying and providing fixes for these issues!!!

Built by Donald Murchison
splunk product badge
Latest Version 1.0.3
August 22, 2023
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3, 7.2, 7.1, 7.0
Rating

0

(0)

Log in to rate this app
Support
Tuning Framework For Splunk support icon
Not Supported
The Tuning Framework is a custom framework built in Splunk to facilitate tuning detection rules to suppress false positives or adjust risk score for Risk Based Alerting. The framework implements a small number of lookups and macros to dynamically suppress events or adjust risk scores for all correlation searches based on any combination of fields within the events. For most Splunk environments, this will enhance analysts ability to quickly tune rules and greatly reduce the lift from Splunk administrators. **The Tuning Framework for Splunk Risk Score override functionality is not compatible with the Enterprise Security Risk Analysis Adaptive Response ** Analysts can use the Add Entry dashboard to add a combination of correlation search names, fields, and values to tuning lookups which will be used to suppress or adjust risk score for any events that match the specified criteria. This is done by constructing dynamic chunks of SPL to form searches and eval statements based on the contents of the lookups. By doing this, we can use a single lookup for tuning all correlation searches without having to anticipate the different combinations of fields analyst may need to match on. The risk score adjustment works whether you have implemented a macro based version of RBA or are using the Risk Analysis adaptive response action. *Note: Versions prior to 1.0.3 have several bugs - please update to 1.0.3* Huge shout out to Splunk user *john_dagostino* for identifying and providing fixes for these issues!!!

Categories

Created By

Donald Murchison

Source Code

Type

app

Downloads

328

Licensing

Splunk Answers

Resources

Login to report this app listing