Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fine-tuning Enterprise Security?

Stefanie
Builder
‎02-03-2022 05:47 AM

Hello everyone!

I'm looking for assistance with fine-tuning Enterprise Security.

I've been working hard with configuring ES to start generating notable events. 

We're getting lots of events! Almost 73k Access Notables, 66 Endpoint Notables, 2.4k Network Notables, 0 Identity Notables, 11 Audit Notables, and 3.8k Threat Notables. 

What does a typical fine-tuning entail? Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria? What else could I be missing? 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

neerajs_81
Builder
‎02-09-2022 11:43 PM

Yes. In Short - 
# 1 -  Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria which you mentioned

# 2 Under "Content Management" , review the prebuilt searches that come with ES by default.  In our environment, we disabled all the default ones because those generate lot of noise.  Perform a detailed review which ones you want to keep and disable the rest.

#3 Under each  Correlation searche, you can chose what "Adaptive Response" to trigger - such as generate a Notable, send an email etc.    Check which ones don't need a notable to be triggered.

# 4  Customize the Throttle settings under those searches which are generating lot of repetitive alerts, also adjust the schedule of correlation searches if possible to run less frequently ( depending on the use case).

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

neerajs_81
Builder
‎02-09-2022 11:43 PM

Yes. In Short - 
# 1 -  Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria which you mentioned

# 2 Under "Content Management" , review the prebuilt searches that come with ES by default.  In our environment, we disabled all the default ones because those generate lot of noise.  Perform a detailed review which ones you want to keep and disable the rest.

#3 Under each  Correlation searche, you can chose what "Adaptive Response" to trigger - such as generate a Notable, send an email etc.    Check which ones don't need a notable to be triggered.

# 4  Customize the Throttle settings under those searches which are generating lot of repetitive alerts, also adjust the schedule of correlation searches if possible to run less frequently ( depending on the use case).

 

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎02-10-2022 05:33 AM

Thank you! That was exactly what I was looking for.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...