Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In Splunk Enterprise Security, how do I run a savedsearch of ESCU using SPL?

ibmresilient
Path Finder
‎12-20-2018 10:50 AM

Splunk Enterprise Content Updates has this Analytic Story: Account Monitoring and Controls. It contains a savedsearch (?) named "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule".

This can be verified by running 

| rest /servicesNS/-/-/saved/searches  | table title,     cron_schedule next_scheduled_time eai:acl.owner  actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

However if running this from a search window:

| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"

gives me an error: 

Error in 'savedsearch' command: Unable to find saved search named 'ESCU - Identify New User Accounts - Rule'.

Did I do something wrong here please?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ibmresilient
Path Finder
‎12-20-2018 11:25 AM

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎12-20-2018 12:38 PM

saved searches tend to be disabled by default so that you can enable only those that are relevant to your use cases and your data sources that are in splunk. It would be overwhelming and not recommended to enable EVERY search in ESCU. Instead, review the searches in the app and choose which ones make the most sense for your environment and security needs.

0 Karma
Reply
Solved! Jump to solution

ibmresilient
Path Finder
‎12-20-2018 12:41 PM

I see. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top