Splunk Enterprise Security

Confirm data is in Splunk Enterprise security

iherb_0718
Path Finder

Hi splunkers,

I run splunk cloud and recently worked with Support to install Splunk Enterprise Security. 

Within splunk enterprise security how do I confirm that it is correlating all of my indexes?  The reason for asking is that I am not seeing any notable events.  I assume by default, splunk enterprise, out of the box, would see all my indexes and correlate to it's pre-built alerts. 

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi, @iherb_0718

On default install, all correlation searches are disabled. You should enable the ones that works for your ingested data at Configure > Content > Content Management page. You should also check if acceleration enabled for the data models that may have CIM complaint data at  (this should already have been done before installation of ES). 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

@iherb_0718, they may work but it is best practice review, test and tune (if needed) them before enable. This  will help you to have less false positive alerts and also prevent unnecessary load.  

 

If this reply helps you, upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

iherb_0718
Path Finder

Sceilikok,  

Thank you. Yes the data models for cim compliant data have acceleration enabled.  I need to go enable the alerts in content management.  For the most part, should those alerts work out of the box or do I need to drill into them and tune it?  

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi, @iherb_0718

On default install, all correlation searches are disabled. You should enable the ones that works for your ingested data at Configure > Content > Content Management page. You should also check if acceleration enabled for the data models that may have CIM complaint data at  (this should already have been done before installation of ES). 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...