Splunk Enterprise Security

In Splunk Enterprise Security, how do I run a savedsearch of ESCU using SPL?

ibmresilient
Path Finder

Splunk Enterprise Content Updates has this Analytic Story: Account Monitoring and Controls. It contains a savedsearch (?) named "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule".

This can be verified by running

| rest /servicesNS/-/-/saved/searches  | table title,     cron_schedule next_scheduled_time eai:acl.owner  actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

However if running this from a search window:

| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"

gives me an error:

Error in 'savedsearch' command: Unable to find saved search named 'ESCU - Identify New User Accounts - Rule'. 

Did I do something wrong here please?

Thanks!

0 Karma
1 Solution

ibmresilient
Path Finder

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

View solution in original post

0 Karma

ibmresilient
Path Finder

Ok, I am answering my question again.

The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"

And it does not allow user to run each savedsearch individually?

All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

saved searches tend to be disabled by default so that you can enable only those that are relevant to your use cases and your data sources that are in splunk. It would be overwhelming and not recommended to enable EVERY search in ESCU. Instead, review the searches in the app and choose which ones make the most sense for your environment and security needs.

0 Karma

ibmresilient
Path Finder

I see. Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...