Splunk® Security Essentials

Use Splunk Security Essentials

This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

Customize Splunk Security Essentials with the Custom Content dashboard

Add custom content to use Splunk Security Essentials as a use case library to track what you have already built. Custom content gives you the option to map a search that you created to the Splunk Security Essentials content. If the search doesn't find any matches, you can create new custom content and track it from the Custom Content dashboard.

You can add custom content to Splunk Security Essentials by following these steps:

  1. In Splunk Security Essentials, navigate to Security Content > Custom Content.
  2. Click Add Custom Content.
  3. Enter the required information for your custom content.
  4. Click Add.

To provide a good user experience, make sure that you provide your company information. Although you can't use HTML or Markdown in the description, entering \n automatically converts to a line break.

After you add custom content, the configuration is added to the custom_content_lookup KV store collection. You can pull the JSON file from the KV store collection.

You must adjust this file slightly. Add the channel, which is configured in your essentials_updates.conf file, and the ID to this configuration when you migrate it to the final hosted file. You might also change the ID to indicate that it isn't custom content, but something from your organization. Also make sure to update the link in the dashboard attribute.
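The adjustment described above, as an added Python example that is not Splunk's own code and does not reproduce the real custom_content_lookup schema: it takes a record exported from the KV store collection, drops the KV store bookkeeping fields, adds the channel and a prefixed ID, rewrites the dashboard link, and checks the result before it goes into the hosted file. The sample record, the field names other than channel, id and dashboard, and the hosted dashboard URL are assumptions; the channel name is passed in by the caller rather than parsed from essentials_updates.conf.

```python
import json
import re

# Constructed sample of a record exported from custom_content_lookup.
# Field names other than "channel", "id" and "dashboard" are assumptions;
# "_key" and "_user" are the bookkeeping fields KV store records carry.
SAMPLE_RECORD = json.dumps({
    "_key": "5f1c2e3a4b5c6d7e8f901234",
    "_user": "nobody",
    "name": "Suspicious Admin Logon",
    "description": "Flags admin logons\\noutside business hours.",
    "search": "index=wineventlog EventCode=4624 | stats count by user",
    "dashboard": "/app/Splunk_Security_Essentials/custom_content",
})

KVSTORE_INTERNAL = ("_key", "_user")
CHANNEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def migrate_record(exported_json, channel, org_prefix, hosted_dashboard):
    """Turn a KV store export into a record for the hosted content file.

    channel: a stanza name from essentials_updates.conf (caller supplies it).
    org_prefix: marks the ID as organization content rather than custom content.
    hosted_dashboard: the link that replaces the instance-local dashboard link.
    """
    if not CHANNEL_RE.match(channel):
        raise ValueError("channel must look like a stanza name: %r" % channel)
    record = json.loads(exported_json)
    # Drop KV store bookkeeping so it does not leak into the hosted file.
    for field in KVSTORE_INTERNAL:
        record.pop(field, None)
    # Derive a stable ID from the name, prefixed so it reads as org content.
    slug = re.sub(r"[^a-z0-9]+", "_", record["name"].lower()).strip("_")
    record["id"] = "%s_%s" % (org_prefix, slug)
    record["channel"] = channel
    # The local dashboard link is only valid on the originating instance.
    record["dashboard"] = hosted_dashboard
    return record


def validate_hosted_record(record):
    """Return the problems a hosted record would cause when loaded (empty if none)."""
    problems = []
    for required in ("id", "channel", "name", "search", "dashboard"):
        if not record.get(required):
            problems.append("missing %s" % required)
    if any(f in record for f in KVSTORE_INTERNAL):
        problems.append("kvstore bookkeeping fields still present")
    if record.get("dashboard", "").startswith("/app/"):
        problems.append("dashboard still points at a local app path")
    return problems
```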

Create custom content from saved searches

You can add custom content from saved searches to Splunk Security Essentials by following these steps:

  1. In Splunk Security Essentials, navigate to Security Content > Custom Content.
  2. Click Add Custom Content.
  3. Click Create From Local Saved Search.
  4. Click the saved search you want to use to create your custom content. After you select your search, many fields autopopulate. If a field didn't autopopulate, enter the required information.
  5. Click Add.
Last modified on 28 June, 2022

This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1
