All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Security Essentials : How to set content/use-case as active

xzinou2
Engager
‎11-25-2020 07:29 AM

Hello,

I've been trying this app Splunk Security Essentials on a test instance of Splunk and I have difficulty setting content/use-case as "active".

My main goal is to have a representation of all my existing production alerts on Mitre Att&ck matrice.

I created use-cases in "Custom Content" and enabled exiting ones. On the "Manage Bookmarks" page I have few use-cases, all "Successfully Implemented", but when on the Mitre Overview page none is active, all content have "needs data" status :

example.png

 

I'm sorry if I'm missing something obvious and thank you in advance for your support.

Kind regards.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-08-2021 06:39 AM
Spoiler
 

Hi

 

In order for it to be marked as active in the Analytics Advisor you also need to mark the data source as available. You can either do this manually under Data Inventory and the datasource required for you search, or the automatic way, also under Data Inventory. by click the green button in the top right. 

Let me know how you get along. 

Johan

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xzinou2
Engager
‎12-01-2020 01:55 AM

Hello,

Does anybody has any idea about this please ?

Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-08-2021 06:39 AM
Spoiler
 

Hi

 

In order for it to be marked as active in the Analytics Advisor you also need to mark the data source as available. You can either do this manually under Data Inventory and the datasource required for you search, or the automatic way, also under Data Inventory. by click the green button in the top right. 

Let me know how you get along. 

Johan

 

0 Karma
Reply
Solved! Jump to solution

Ksr1982
Explorer
‎02-23-2021 05:21 AM

Hi,

I have difficulty setting content/use-case as "active". I did update the Data Inventory and the data source required for you search.
Can you support me if I am missing anything

Best Regards.

0 Karma
Reply
Solved! Jump to solution

xzinou2
Engager
‎01-12-2021 01:40 AM

Hello Johan,

Thank you for your reply.

It did work finally on the production instance. It seems that even with the data source set as available under Data Inventory, the associated SPL search should return results otherwise the status will remains as "Needs data".

I'm marking your reply as a solution.

Thanks again.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...