topic Enterprise security app in Splunk Enterprise Security

Enterprise security app

BRFZ — Fri, 21 Mar 2025 14:12:52 GMT

Hello,

I am currently working on configuring Splunk Enterprise Security app, I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app.

Could anyone guide me on how to configure the data sources in Enterprise Security app ? If there is any specific documentation on this, I would appreciate it if you could provide it.

Re: Enterprise security app

gargantua — Fri, 21 Mar 2025 14:38:35 GMT

Hi there,

Splunk Enterprise Security (ES) is a sort of extra layer to Splunk Enterprise, and it brings you more integrated possibilities :

More possibilities when it come to create Alerts (Called Notable in ES. [this name must have changed in version 8 though])
An Alert Managment system (Incident Review) which allows a team to watch alerts and investigate them
IOC detection and managment system
Tons of useful dashboards

All of that heavely relies on,

Your data :

If the data you're already ingesting into Splunk Enterprise is CIM compliant
Documentation : https://docs.splunk.com/Documentation/CIM/6.0.2/User/Overview
How well this data is mapped to Splunk Datamodels

Everything is well explained in this page : https://docs.splunk.com/Documentation/ES/8.0.2/Install/DataSourcePlanning

Identities (login accounts) and Assets (hosts) :

You must give to Splunk ES a list of :

identities of account names of the users of your organization
hostnames / IP adresses of the assets of your organization

This process is explained on this page : https://docs.splunk.com/Documentation/ES/8.0.2/Admin/VerifyAssetIdentityData

Configuring ES to its full potential can take some time and energy but it worth it.

Best,
Ch.

Re: Enterprise security app

livehybrid — Fri, 21 Mar 2025 15:34:56 GMT

Hi @BRFZ

If your data is landing in Splunk then the next thing you'll probably want to start looking at is ensuring that it is CIM compliant and then starting to enable/create Rules, based on your requirements.

To do this properly you want to make sure it is planned out well and have clear requirements, rather than enabling lots of Rules sporadically!

Some good resources to check out are:

Splunk Lantern - https://lantern.splunk.com/Security/Getting_Started/Getting_started_with_ES

Splunk Security Essentials - https://splunkbase.splunk.com/app/3435

Splunk ES 101 video - https://www.youtube.com/watch?v=Euas6lCK-LE

Splunk ES Certified Admin training path - https://www.splunk.com/en_us/training/certification-track/splunk-es-certified-admin.html

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Enterprise security app

lakshman239 — Mon, 24 Mar 2025 09:53:59 GMT

@BRFZ As @livehybrid and @gargantua explained, those links and materials will help you to understand ES better at your own pace. Having said that, if you have already ingested your data sources on to Splunk ( on-prem or on to splunk cloud), your ES should be able to use those data.

ES comes with number of out of box dashboards and these rely on CIM compliance of your data source. Refer to requirements here, if you plan to use any of these dashboards.
Suggest reviewing your use cases and see how you can make sure of the datamodels for improved searches and triage. If you want the search results to be available in the incident review screen for triage, analysis, you would need to create/configure your detections/rules/alerts as correlation searches.