# Splunk SPL Detection Rule Template ## Rule Metadata | Field | Value | |---|---| | Rule Name | | | Rule ID | | | Description | | | Author | | | Date Created | | | Last Modified | | | Severity | | | MITRE ATT&CK | | | Data Sources | | | Status | Draft / Testing / Production / Retired | ## SPL Query ```spl | tstats summariesonly=true count from datamodel= where by , _time span= | rename ".*" as * | stats by | where | lookup asset_lookup ip as src OUTPUT asset_name, asset_priority | lookup identity_lookup identity as user OUTPUT department, manager | eval severity=case(, "critical", , "high", true(), "medium") | eval description="" | eval mitre_technique="" ``` ## Detection Logic ### What This Rule Detects ### Data Sources Required | Source | Sourcetype | Index | Required Fields | |---|---|---|---| | | | | | ### Threshold Justification ### Enrichment Details ## Testing Plan ### True Positive Test ``` Step 1: Step 2: Step 3: Expected Result: ``` ### False Positive Analysis | Scenario | Source | Mitigation | |---|---|---| | | | | ## Tuning History | Date | Change | Reason | Impact | |---|---|---|---| | | | | | ## Correlation Search Configuration ``` Schedule: */15 * * * * Time Window: earliest=-20m latest=now Suppress: 1h by src_ip Notable Event Security Domain: threat Adaptive Response: ``` ## Analyst Guidance ### Triage Steps 1. 2. 3. ### Escalation Criteria - ### Related Rules -