Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Fine-tuning Enterprise Security?

Stefanie
Builder
‎02-03-2022 05:47 AM

Hello everyone!

I'm looking for assistance with fine-tuning Enterprise Security.

I've been working hard with configuring ES to start generating notable events. 

We're getting lots of events! Almost 73k Access Notables, 66 Endpoint Notables, 2.4k Network Notables, 0 Identity Notables, 11 Audit Notables, and 3.8k Threat Notables. 

What does a typical fine-tuning entail? Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria? What else could I be missing? 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

neerajs_81
Builder
‎02-09-2022 11:43 PM

Yes. In Short - 
# 1 -  Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria which you mentioned

# 2 Under "Content Management" , review the prebuilt searches that come with ES by default.  In our environment, we disabled all the default ones because those generate lot of noise.  Perform a detailed review which ones you want to keep and disable the rest.

#3 Under each  Correlation searche, you can chose what "Adaptive Response" to trigger - such as generate a Notable, send an email etc.    Check which ones don't need a notable to be triggered.

# 4  Customize the Throttle settings under those searches which are generating lot of repetitive alerts, also adjust the schedule of correlation searches if possible to run less frequently ( depending on the use case).

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

neerajs_81
Builder
‎02-09-2022 11:43 PM

Yes. In Short - 
# 1 -  Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria which you mentioned

# 2 Under "Content Management" , review the prebuilt searches that come with ES by default.  In our environment, we disabled all the default ones because those generate lot of noise.  Perform a detailed review which ones you want to keep and disable the rest.

#3 Under each  Correlation searche, you can chose what "Adaptive Response" to trigger - such as generate a Notable, send an email etc.    Check which ones don't need a notable to be triggered.

# 4  Customize the Throttle settings under those searches which are generating lot of repetitive alerts, also adjust the schedule of correlation searches if possible to run less frequently ( depending on the use case).

 

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎02-10-2022 05:33 AM

Thank you! That was exactly what I was looking for.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...