Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In Splunk Enterprise Security, how do I run a savedsearch of ESCU using SPL?

ibmresilient
Path Finder
‎12-20-2018 10:50 AM

Splunk Enterprise Content Updates has this Analytic Story: Account Monitoring and Controls. It contains a savedsearch (?) named "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule".

This can be verified by running 

| rest /servicesNS/-/-/saved/searches  | table title,     cron_schedule next_scheduled_time eai:acl.owner  actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

However if running this from a search window:

| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"

gives me an error: 

Error in 'savedsearch' command: Unable to find saved search named 'ESCU - Identify New User Accounts - Rule'.

Did I do something wrong here please?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎12-20-2018 12:38 PM

saved searches tend to be disabled by default so that you can enable only those that are relevant to your use cases and your data sources that are in splunk. It would be overwhelming and not recommended to enable EVERY search in ESCU. Instead, review the searches in the app and choose which ones make the most sense for your environment and security needs.

0 Karma
Reply
Solved! Jump to solution

ibmresilient
Path Finder
‎12-20-2018 12:41 PM

I see. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top