Splunk Enterprise Content Updates has this Analytic Story: Account Monitoring and Controls. It contains a savedsearch (?) named "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule".
This can be verified by running
| rest /servicesNS/-/-/saved/searches | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *
However if running this from a search window:
| savedsearch "ESCU - Detect Excessive Account Lockouts From Endpoint - Rule"
gives me an error:
Error in 'savedsearch' command: Unable to find saved search named 'ESCU - Identify New User Accounts - Rule'.
Did I do something wrong here please?
Ok, I am answering my question again.
The savedsearch is disabled. So ESCU only allows user to run
| runstory story="Account Monitoring and Controls"
And it does not allow user to run each savedsearch individually?
All the saved searches can be enabled one by one from the all objects page of ESCU. My new questions:
1. Why are all of them disabled by default?
2. Is there an easy way to enable all of them?
saved searches tend to be disabled by default so that you can enable only those that are relevant to your use cases and your data sources that are in splunk. It would be overwhelming and not recommended to enable EVERY search in ESCU. Instead, review the searches in the app and choose which ones make the most sense for your environment and security needs.