Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Enterprise security app

BRFZ
Communicator
‎03-21-2025 07:12 AM

Hello,

I am currently working on configuring Splunk Enterprise Security app, I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app.

Could anyone guide me on how to configure the data sources in Enterprise Security app ? If there is any specific documentation on this, I would appreciate it if you could provide it.

0 Karma
Reply

lakshman239
Influencer
‎03-24-2025 02:53 AM

@BRFZ  As @livehybrid and @gargantua explained, those links and materials will help you to understand ES better at your own pace. Having said that, if you have already ingested your data sources on to Splunk ( on-prem or on to splunk cloud), your ES should be able to use those data.

  • ES comes with number of out of box dashboards and these rely on CIM compliance of your data source. Refer to  requirements here, if you plan to use any of these dashboards.
  • Suggest reviewing your use cases and see how you can make sure of the datamodels for improved searches and triage. If you want the search results to be available in the incident review screen for triage, analysis, you would need to create/configure your detections/rules/alerts as correlation searches.
Tags (1)
0 Karma
Reply

livehybrid
Champion
‎03-21-2025 08:34 AM

Hi @BRFZ 

If your data is landing in Splunk then the next thing you'll probably want to start looking at is ensuring that it is CIM compliant and then starting to enable/create Rules, based on your requirements.

To do this properly you want to make sure it is planned out well and have clear requirements, rather than enabling lots of Rules sporadically!

Some good resources to check out are:

Splunk Lantern - https://lantern.splunk.com/Security/Getting_Started/Getting_started_with_ES

Splunk Security Essentials - https://splunkbase.splunk.com/app/3435

Splunk ES 101 video - https://www.youtube.com/watch?v=Euas6lCK-LE

Splunk ES Certified Admin training path - https://www.splunk.com/en_us/training/certification-track/splunk-es-certified-admin.html

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

gargantua
Path Finder
‎03-21-2025 07:37 AM

Hi there,

Splunk Enterprise Security (ES) is a sort of extra layer to Splunk Enterprise, and it brings you more integrated possibilities :

  • More possibilities when it come to create Alerts (Called Notable in ES. [this name must have changed in version 8 though])
  • An Alert Managment system (Incident Review) which allows a team to watch alerts and investigate them
  • IOC detection and managment system
  • Tons of useful dashboards

All of that heavely relies on,

Your data :

Everything is well explained in this page : https://docs.splunk.com/Documentation/ES/8.0.2/Install/DataSourcePlanning

Identities (login accounts) and Assets (hosts) :

You must give to Splunk ES a list of :

  • identities of account names of the users of your organization
  • hostnames / IP adresses of the assets of your organization

This process is explained on this page : https://docs.splunk.com/Documentation/ES/8.0.2/Admin/VerifyAssetIdentityData

 

Configuring ES to its full potential can take some time and energy but it worth it.

Best,
Ch.

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top