topic Re: How to generate a report based on utilisation of Enterprise Security in Splunk Enterprise Security

How to generate a report based on utilisation of Enterprise Security

cYcJo7 — Thu, 18 Jan 2024 11:15:31 GMT

Hello,

is it possible to analyse the utilisation of enterprise security, I assume it is currently not used in our company, but I would like to be able to prove this in statistics

Thanks

Pad

Re: How to generate a report based on utilisation of Enterprise Security

PickleRick — Thu, 18 Jan 2024 11:29:59 GMT

#define <utilisation> please

Re: How to generate a report based on utilisation of Enterprise Security

cYcJo7 — Thu, 18 Jan 2024 11:34:44 GMT

Thank you for your quick reply, I would like to know if Enterprise security is used at all in our company. So is it used 1-2 times a year or has it only been used 10 times in the last 3 months?

Re: How to generate a report based on utilisation of Enterprise Security

PickleRick — Thu, 18 Jan 2024 12:45:23 GMT

Again - there are several different approaches you can have about "using ES" but what I'd do to get a rough idea if the solution is indeed being used:

1. Check if it's configured - are there correlation searches defined, are there user/asset mappings defined/synchronised, are sources decently onboarded (CIM-compliant)

2. Does anyone actually open ES app views in webui (you should be able to find it in internal logs).

3. What is the status of your notables and investigations - do you see any traces of anyone working on them?

4. What is the version of your ESCU app? How long ago it's been updated?

Re: How to generate a report based on utilisation of Enterprise Security

cYcJo7 — Fri, 19 Jan 2024 08:39:47 GMT

Thank you very much, that has helped me.

Have a good one