Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In Splunk Enterprise Security, how do I run a savedsearch of ESCU using SPL?

ibmresilient
Path Finder
‎12-20-2018 10:50 AM

Splunk Enterprise Content Updates has this Analytic Story: Account Monitoring and Controls. It contains a savedsearch (?) named "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule".

This can be verified by running 

| rest /servicesNS/-/-/saved/searches  | table title,     cron_schedule next_scheduled_time eai:acl.owner  actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

However if running this from a search window:

| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"

gives me an error: 

Error in 'savedsearch' command: Unable to find saved search named 'ESCU - Identify New User Accounts - Rule'.

Did I do something wrong here please?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎12-20-2018 12:38 PM

saved searches tend to be disabled by default so that you can enable only those that are relevant to your use cases and your data sources that are in splunk. It would be overwhelming and not recommended to enable EVERY search in ESCU. Instead, review the searches in the app and choose which ones make the most sense for your environment and security needs.

0 Karma
Reply
Solved! Jump to solution

ibmresilient
Path Finder
‎12-20-2018 12:41 PM

I see. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...