How to create multiple new custom data source cate...

julio-luz · ‎08-24-2022

Hello

I would like to create multiple new custom data source categories to use them in a Partner Integration app on Splunk Security Essentials.

I already read this documentation, then I was able to create a single new custom data source category. However, when trying to create multiple custom data source categories by changing the "company_name" of other security contents, there were no updates to the existing data source categories. Therefore, they were not created and only the first data source category that I had created continued to appear.

Finally, I noticed the following snippet in the SSE documentation in the "Populating Data Inventory" section: "[...] it will take any detections that have a create_data_inventory=true configuration. For the first piece of content that it finds, it will add a new item to data_inventory output [...]". And then I was in doubt if the app is really programmed to create only a new data source category informed, not creating the others, after having created the first.

So I have the following questions:
1. Is it possible to create multiple new custom data source categories?
2. How could I create them?

How to create multiple new custom data source categories on Splunk Security Essentials?

other

Enterprise Security Content Update (ESCU) v3.54.0

Using Machine Learning for Hunting Security Threats

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...