Is it possible to import Splunk Enterprise Security and ESCU use cases into Splunk Security Essentials?
I want to be able to leverage the Cyber Kill Chain and Mitre ATT&CK views to measure effectiveness for our SIEM use cases. This is currently disparate and spread across three different Splunk Apps.
They’re already there! When we built SSE awe wanted it to help you coordinate all of your security content, so it automatically includes all of the ES and ESCU (and even a lot of UBA) content! In 3.0 (not yet released), you will even be able to factor in custom content as well (e.g., suppose you cover a MITRE ATT&CK Technique through a custom search, or maybe even a product outside of Splunk, you can view all of that together.
Look for the different icons that indicate which product the content came from, or click customize filters and then add “originating app” to add an ability to filter to a particular product.
They’re already there! When we built SSE awe wanted it to help you coordinate all of your security content, so it automatically includes all of the ES and ESCU (and even a lot of UBA) content! In 3.0 (not yet released), you will even be able to factor in custom content as well (e.g., suppose you cover a MITRE ATT&CK Technique through a custom search, or maybe even a product outside of Splunk, you can view all of that together.
Look for the different icons that indicate which product the content came from, or click customize filters and then add “originating app” to add an ability to filter to a particular product.
Thanks David. There is a-lot to digest in the new version of SSE and perhaps a blog post on this specific topic would go a long way.
Hi @simon.lavigne,
Splunk ES dashboard and searches have a lot running in the background so copying them into another app might not do the trick for you. My advise is to go the other way around and get any dashboard you might need from security essentials into your ES making it your single SIEM interface.
For copying searches from SSE simply go into the app's savesearches and grab what you need or simply move your most used dashboards into ES.
Cheers,
David
SSE doesn't store content in savedsearches.conf
Oh wow, this app has changed a lot, just downloaded it, yeah you're right nothing in there. It does give the solution in the documentation though :
Each use case has examples with sample data and real searches. We've also included extensive documentation and you can save searches directly from the app to create a Notable Event or Risk Indicator in ES, an External Alarm in UBA, or send an email for review.
But that's a one by one, not bulk copy.
I'm not sure about any "import" options or someone have created it.
But if you want to do it yourself
1. Modern Enterprise Security creates use-cases in savedsearches.conf
. So if you find all the savedsearches.conf
files and aggregate them into a single savedsearches.conf
file, then that's it. You can import it anywhere.
2. Alternatively, you can run a btool and identify which savedsearches are part which app. This way you can identify any specific use-cases you want to migrate
/opt/splunk/bin/splunk cmd btool savedsearches list --debug > /tmp/my.savedsearches.btool.txt
Just identify the stanza's and copy into a new savedsearches.conf and copy to your new system
Please note, in somecases you may need to copy the "lookups" directory too, depending on if you have enrichments as part of lookups
I downvoted this post because wrong and unnecessarily complex to boot.
it is utmost pathetic to vote without reading the answer in detail and while trying to help other person. Also in large enterprise enterprise security, it is highly recommended to split savedsearches.conf
Anyways, i'm not voting your post down, in with spirit and see if you change your mind hopefully.
I downvoted this post because wring and unnecessarily complex to boot.
SSE doesn't store content in savedsearches.conf