topic Re: Confirm data is in Splunk Enterprise security in Splunk Enterprise Security

Confirm data is in Splunk Enterprise security

iherb_0718 — Mon, 21 Dec 2020 05:47:45 GMT

Hi splunkers,

I run splunk cloud and recently worked with Support to install Splunk Enterprise Security.

Within splunk enterprise security how do I confirm that it is correlating all of my indexes? The reason for asking is that I am not seeing any notable events. I assume by default, splunk enterprise, out of the box, would see all my indexes and correlate to it's pre-built alerts.

Re: Confirm data is in Splunk Enterprise security

scelikok — Mon, 21 Dec 2020 10:19:59 GMT

Hi, @iherb_0718,

On default install, all correlation searches are disabled. You should enable the ones that works for your ingested data at Configure > Content > Content Management page. You should also check if acceleration enabled for the data models that may have CIM complaint data at (this should already have been done before installation of ES).

Re: Confirm data is in Splunk Enterprise security

iherb_0718 — Mon, 21 Dec 2020 15:10:30 GMT

Sceilikok,

Thank you. Yes the data models for cim compliant data have acceleration enabled. I need to go enable the alerts in content management. For the most part, should those alerts work out of the box or do I need to drill into them and tune it?

Re: Confirm data is in Splunk Enterprise security

scelikok — Mon, 21 Dec 2020 16:43:48 GMT

@iherb_0718, they may work but it is best practice review, test and tune (if needed) them before enable. This will help you to have less false positive alerts and also prevent unnecessary load.

If this reply helps you, upvote is appreciated.