Welcome to the wonderful world of Risk-Based Alerting!
RBA is Splunk's method to aggregate low-fidelity security events as interesting observations tagged with security metadata to create high-fidelity, low-volume alerts.
See the web-based documentation at https://splunk.github.io/rba/
Useful SPL from the RBA community for working with risk events.
Simple XML or JSON for Splunk dashboards to streamline risk analysis.
Splunk's Threat Research Team has an incredible library of over 1000 detections in Splunk's Enterprise Security Content Updates (ESCU) library. You can use Marcus Ferrera and Drew Church's awesome ATT&CK Detections Collector to pop out a handy HTML file of relevant ESCU detections for you to align with MITRE ATT&CK.
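As an added example (not SPL from this repository), here is the aggregation step RBA is built on: a risk incident rule that rolls up the low-fidelity risk events for each user into a score, counts how many distinct ATT&CK tactics and contributing detections are involved, and only surfaces objects that cross both a score and a tactic-diversity threshold. It assumes the Enterprise Security Risk data model (`Risk.All_Risk` and its `risk_object`, `calculated_risk_score` and `annotations.mitre_attack.*` fields); the thresholds of 100 points and 3 tactics are illustrative.

```spl
| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) as risk_score,
    count as risk_event_count,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_ids,
    dc(source) as source_count,
    values(source) as sources
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type="user"
  by All_Risk.risk_object, All_Risk.risk_object_type
| rename All_Risk.* as *
| where risk_score >= 100 AND mitre_tactic_id_count >= 3
| sort - risk_score
```

Requiring several distinct tactics (not just a high score) is what keeps one noisy detection firing repeatedly from producing an alert on its own, while a user touched by a few different kinds of observation does surface.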