How to turn on use cases using Splunk Security Essentials?

I have identified the log sources and corresponding use cases and bookmarked them.
e.g. Basic Brute Force Detection: for this use case the data is available. In my environment we have ES as well. Now what to do next? How can I turn on the use cases, or how will notable events work for the use cases?

I just clone it, and during that process change the name (we have a custom prefix that we use) and change the app to SplunkEnterpriseSecurity. That way all of my live content is in ES where it should be, and when I fix it so that it actually works in my environment (they all require fixing), I have not modified the original.

Hi @woodcock, I am using Splunk SE to learn Splunk security, but I am a bit confused about how to use it. Should I make a dashboard and copy the SPL to that dashboard? How does Splunk SE work? Can you please help me? Thank you in advance.

Yes, do not edit the dashboards directly; clone what you need and edit the clone. Otherwise, when you upgrade the app, you will not be able to see what changed.

ES is a platform: you can think of it as a toolbox. It is not an appliance. It is what you make it to be.
Once you see a use case you like in Security Essentials, go to ES and look in the correlation searches for one of the same or similar name. Verify the search does the same thing as the one in SE and, if so, activate the correlation search.
If there is not a matching correlation search, you can create a new one using the SPL given in SE.
If this reply helps you, Karma would be appreciated.
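As an added illustration of the second path described above (not code from the thread, from Splunk Security Essentials or from Enterprise Security), this is what a cloned correlation search with a notable action looks like once it lands in ES, expressed as a savedsearches.conf stanza. The `ACME` prefix stands in for a site's custom prefix, the threshold of 20 failures per hour is an assumed tuning value, and the SPL body is a constructed brute-force search against the Authentication data model rather than SSE's own search; the setting keys are standard Splunk and ES savedsearches.conf settings.

```ini
# Added example: a correlation search that raises a notable event in ES.
# Lives in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecurity/local/savedsearches.conf
# (the same thing Content Management writes when you save a correlation search).
[ACME - Basic Brute Force Detection - Rule]
# Constructed SPL, not SSE's: count failed logons per source per hour via the
# Authentication data model; summariesonly keeps it fast and predictable.
search = | tstats summariesonly=true count as failures values(Authentication.user) as users \
    from datamodel=Authentication.Authentication \
    where Authentication.action="failure" \
    by Authentication.src, _time span=1h \
  | where failures > 20 \
  | rename Authentication.src as src

# Schedule: run every 15 minutes over a one-hour window lagged by 5 minutes
# so late-arriving events are still counted.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
disabled = 0

# Mark the saved search as an ES correlation search.
action.correlationsearch.enabled = 1
action.correlationsearch.label = ACME - Basic Brute Force Detection

# Notable action: this is what turns a matching result into an Incident Review entry.
action.notable = 1
action.notable.param.rule_title = Brute force from $src$
action.notable.param.rule_description = $failures$ failed authentications from $src$ in one hour
action.notable.param.security_domain = access
action.notable.param.severity = medium

# Throttle: one notable per source per day, so a long-running attempt
# does not flood Incident Review with duplicates.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 86400s
```

After a restart or a Content Management reload, the search appears under Configure > Content > Content Management, and its hits show up in Incident Review as notables owned by the ES app rather than by SSE.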

Is there any way we can turn on use cases from SSE and create notables for the same?
If it were a matter of simply "turning on" the use case in SSE, then that is what I would have told you to do.
The Splunk Security Essentials app falls into the same category as Splunk Dashboard Examples and other apps that show how to accomplish a task but don't actually do that task. It's up to you to implement the use case following the example shown in the app.
If this reply helps you, Karma would be appreciated.
