Splunk Enterprise Security

How to turn on use cases using Splunk Security Essentials?

jas0049
New Member

I have identified the log sources and corresponding use cases and bookmarked them.
e.g. Basic Brute Force Detection: for this use case, data is available. In my environment we have ES as well. Now what to do next? How can I turn on the use cases, or how will notable events work for the use cases?


woodcock
Esteemed Legend

I just clone it, and during that process change the name (we have a custom prefix that we use), change the app to SplunkEnterpriseSecurity. That way all of my live content is in ES where it should be and when I fix it so that it actually works in my environment (they all require fixing), I have not modified the original.


mrccasi
Explorer

Hi @woodcock, I am using Splunk SE to learn Splunk security, but I am a bit confused about how to use it. Should I make a dashboard and copy the SPL to that dashboard? How does Splunk SE work? Can you please help me? Thank you in advance.


woodcock
Esteemed Legend

Yes, do not edit the dashboards directly; clone what you need and edit the clone. Otherwise, when you upgrade the app, you will not be able to see what changed.


woodcock
Esteemed Legend

ES is a platform: you can think of it as a toolbox. It is not an appliance. It is what you make it to be.


richgalloway
SplunkTrust

Once you see a use case you like in Security Essentials, go to ES and look in the correlation searches for one of the same or similar name. Verify the search does the same thing as the one in SE and, if so, activate the correlation search.

If there is not a matching correlation search, you can create a new one using the SPL given in SE.

---
If this reply helps you, Karma would be appreciated.
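As an added illustration of the "create a new correlation search from the SSE SPL" step above (constructed example, not code from the post, from SSE or from ES itself), this is what such a search looks like as a savedsearches.conf stanza in the SplunkEnterpriseSecurity app, with the notable event action turned on. The stanza name, the schedule, the failure threshold and the tstats search are assumptions; paste the actual SPL from the SSE use case in place of the `search` line and tune the threshold to your environment.

```ini
# Constructed example: an ES correlation search built from an SSE-style
# brute force detection. disabled = 0 is what "Enable" in ES Content
# Management sets; everything else below is what makes ES treat the saved
# search as a correlation search and raise a notable for each result row.
[Custom - Basic Brute Force Detection - Rule]
disabled = 0
# Run every 15 minutes over the previous 15-minute window
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Fire whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
# Register the saved search as an ES correlation search
action.correlationsearch.enabled = 1
action.correlationsearch.label = Custom - Basic Brute Force Detection
# Notable event (Incident Review) settings; $field$ tokens come from results
action.notable = 1
action.notable.param.rule_title = Brute force attempt from $src$ against $user$
action.notable.param.rule_description = $failures$ failed logins from $src$ for $user$ in the last 15 minutes
action.notable.param.security_domain = access
action.notable.param.severity = medium
action.notable.param.drilldown_name = View the failed authentication events
action.notable.param.drilldown_search = | from datamodel:Authentication.Authentication | search src="$src$" user="$user$" action=failure
# Throttle: at most one notable per src/user pair per hour, so a single
# noisy source does not flood Incident Review
alert.suppress = 1
alert.suppress.fields = src,user
alert.suppress.period = 3600s
# Constructed SPL modelled on the brute force idea (many failures from one
# source against one account) using the accelerated Authentication data
# model; the 20-failure threshold is an assumption
search = | tstats summariesonly=true count as failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.user | rename Authentication.src as src, Authentication.user as user | where failures > 20
```

After deploying the stanza, confirm in ES Content Management that the search shows as enabled, then check Incident Review for notables after the first scheduled run.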

jas0049
New Member

Is there any way we can turn on use cases from SSE and create notables for the same?


richgalloway
SplunkTrust

If it were a matter of simply "turning on" the use case in SSE, then that is what I would have told you to do.
The Splunk Security Essentials app falls into the same category as Splunk Dashboard Examples and other apps that show how to accomplish a task but don't actually do that task. It's up to you to implement the use case following the example shown in the app.

---
If this reply helps you, Karma would be appreciated.