Steps to configure
The Splunk App for Enterprise Security is designed to support a broad range of environments. Once the Splunk App for Enterprise Security has been installed and you are bringing your data into Splunk, you need to configure it for the specifics of your deployment.
Note: If Splunk App for Enterprise Security has not been installed, see "Install Enterprise Security" for information about downloading and installing the app.
In Splunk, select the Enterprise Security app to see the Enterprise Security home page.
Note: To open Configuration from any location in Splunk for Enterprise Security, click the configure icon in the menu bar.
There are several types of information you may want to configure in the Splunk App for Enterprise Security:
- Thresholds for dashboard alerts. Splunk for Enterprise Security includes out-of-the-box thresholds that need to be adjusted for the volume and distribution of the data in your Splunk for Enterprise Security deployment. These thresholds also need to be adjusted over time as you bring new data sources in or as the volume of data coming into Enterprise Security changes.
- Settings for correlation searches and notable events, which can be set with Correlation Searches.
- External information about your environment that needs to be imported into the Splunk App for Enterprise Security, such as: information about the systems and devices (called assets) in your infrastructure; which protocols are allowed on each port; and prohibited ports or services. See "Identity Manager" in this manual and "Assets Manager" in the User Manual for more information.
- Settings that let you determine how you want to use Splunk for Enterprise Security. For example, you can change the choices for Incident Review status, set which dashboards should be reviewed and how often, create different types of users, and set up multiple indexes for different security and retention policies.
Read through this section to understand what needs to be configured in the Splunk App for Enterprise Security.
Configuration overview
When the Splunk App for Enterprise Security is first installed, it takes some time for the dashboards to populate. Once the dashboards are populated, set up certain configurations - most importantly, the asset list - in order to see some specialized dashboard content. Other configurations are best set up after Splunk for Enterprise Security has been running for a while and there is enough data to baseline the deployment.
Once Splunk for Enterprise Security is installed and are importing data, the following items need to be configured for Splunk for Enterprise Security to work correctly:
- Configure the Splunk default user roles to work correctly with the Splunk App for Enterprise Security
- Create and import the asset list and other lists of external information
After running the Splunk App for Enterprise Security for a while, the following can be done:
- Optimize performance for large deployments
- Set dashboard thresholds
The following two tables show how configurations are used in Splunk for Enterprise Security.
- Table 1: Shows a list of dashboards and the configurations used by each dashboard.
- Table 2: Shows a list of configurations and where they are used in the Splunk App for Enterprise Security
Table 1. List of dashboards and the configurations they require
| Dashboard | Associated configuration | Required? | When to configure |
|---|---|---|---|
| Configure notable events and high-level dashboards | |||
| Security Posture dashboard | Tune dashboard alert thresholds | Recommended | After 2 weeks |
| (Optional) Set up asset latitude and longitude (via asset list) | (Optional) Required by geo map |
At install (if geo map is enabled) | |
| Incident Review dashboard | Create asset list, including priority | Required | At install |
| Create category list | Recommended | At install | |
| Edit correlation search thresholds | Recommended | After 2 weeks | |
| Edit correlation search severity | Advanced | As needed | |
| Disable correlation searches | Advanced | As needed | |
| Edit correlation search governance | Advanced | As needed | |
| Edit notable event status options | Advanced | As needed | |
| Predictive Analytics | |||
| Configure domain dashboards and supporting dashboards | |||
| Domain dashboards and some supporting dashboards | Create asset business units and asset categories (created via asset list and category list) | Required for dashboard filters | At install |
| Malware Center | Tune dashboard alert thresholds | Recommended | After 2 weeks |
| Port and Protocol Tracker | Create Application Protocols list | Required by dashboard | |
| View Auditing dashboard | Create expected views list | Required by dashboard | |
Table 2. List of configurations and where they are used
| Configuration | Where used |
|---|---|
| Thresholds for dashboard alerts | |
| Notable Events by Enterprise Security Domain | Security Posture dashboard |
| Key Malware Statistics | Malware Center dashboard |
| Correlation searches and notable events | |
| Configure status of notable events | Edit Status link on Incident Review and Security Posture dashboards |
| Configure correlation search thresholds | Trigger notable event creation -- not used directly in dashboards. |
| Configure correlation search severity | Notable event Urgency (along with asset priority) |
| Configure correlation search governance | Governance filter on Incident Review dashboard |
| Enable and disable correlation searches | Disable creation of notable events associated with that search |
| Modify correlation searches | Not used directly in dashboards. |
| Change time window for notable event drilldown | Used for event drilldown on all dashboards. |
| Create notable event filters | Not used directly in dashboards. |
| Create a correlation search | Not used directly in dashboards. |
| Lookup lists for external information | |
| Asset list | |
| asset business units | Dashboard filters |
| asset categories | Dashboard filters (used with category list) |
| latitude and longitude | Notable Events by Geography panel in Security Posture dashboard |
| priority | Notable event Urgency (with search severity) |
| Other fields in asset list | Used to augment events, aggregate hosts, and to facilitate event searches |
| Category list | Dashboard filters (used with asset list) |
| Expected Views list | View Auditing dashboard |
| Governance list | Notable event governance |
| Application Protocols blacklist | Port and Protocol Tracker dashboard |
| Prohibited Processes blacklist | Prohibited Processes Detection search |
| Prohibited Services blacklist | Prohibited Service Detection search |
| Identities list | |
| identities business units | Dashboard filters |
| identities categories | Dashboard filters (used with category list) |
| priority | Notable event Urgency (with search severity) |
| Other fields in identities list | Used to augment events, aggregate hosts, and to facilitate event searches |
| Category list | Dashboard filters (used with identity list) |
| Expected Views list | View Auditing dashboard |
| Other configurations | |
| Configure user roles | Not used directly in dashboards |
| Configure multiple indexes | Not used directly in dashboards |
| Configure data protection | Not used directly in dashboards |
Assign roles and capabilities
The Splunk App for Enterprise Security utilizes the Access Control system of Splunk Enterprise. Splunk Enterprise authentication allows you to add users, assign users to roles, and assign those roles custom capabilities as needed for your organization.
Splunk Enterprise supports three methods of user authentication:
- Splunk Enterprise's built-in user authentication system.
- User authentication using LDAP and Active Directory. See "Set up user authentication with LDAP" for more information.
- Scripted authentication API: Use scripted authentication to tie Splunk's authentication into an external authentication system, such as RADIUS or PAM. See "Set up user authentication with external systems" for more information.
Important: The Splunk Enterprise built-in authentication takes precedence over any configured external authentication.
The Splunk App for Enterprise Security adds three required roles, pre-configured with capabilities. These roles were created to assist in assigning users specific access to functions in the Enterprise Security app. Based upon the information presented below, the admin must assign groups of users to roles that best fit the tasks they will perform and manage within the Enterprise Security app.
| Role | Inherits from role | Added capabilities | Accepts user assignment |
|---|---|---|---|
| ess_user | user | real time search | Yes.
Replaces the user role for ES users. |
| ess_analyst | user, ess_user, power | ess_user plus: edit notable events and perform all transitions | Yes.
Replaces the power role for ES users. |
| ess_admin | user, ess_user, power, ess_analyst | ess_analyst plus: edit correlation searches and edit review statuses | No
Use admin role. |
| admin | user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
Important: The ess_admin role is assigned all ES specific capabilities, but does not inherit Splunk Enterprise admin capabilities. You must use the admin role to administer an Enterprise Security installation. To change the capabilities of the ess_user or ess_analyst roles, see Custom capabilities in this topic.
Configure user roles
There are three categories of users:
- Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand current Security Posture of the organization. A security director will not configure the product or manage incidents.
- Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
- Solution Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.
Each user type requires different levels of access to perform their assigned functions. The table below shows the user category matched to an Enterprise Security role.
| Role | Security Director | Security Analyst | Solution Administrator |
|---|---|---|---|
| ess_user capabilities | 
|
||
| ess_analyst capabilities |
|
||
| admin capabilities |
|
Role inheritance
All role inheritance is pre-configured in the Enterprise Security app. If the capabilities of any role are changed, other roles will also change due to inheritance. The best method to assess the pre-configured roles, capabilities, and inheritance in the Enterprise Security app is to review the authorize.conf file in splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/.
For more information about roles, see "Add and edit roles" and the topic on Securing Splunk in the Splunk Enterprise documentation.
Custom capabilities
The Enterprise Security app implements new features on Splunk Enterprise. To control access to those features, additional capabilities have been created and assigned to the Enterprise Security specific roles.
The table below displays all ES specific capabilities. To customize a role and add access to Enterprise Security features, add the capabilities needed, and modify the app metadata files to add the role name.
| ES Feature | Capabilities required | Additional metadata changes |
|---|---|---|
| Credential Manager | admin_all_objects | No |
| Navigation | edit_es_navigation | #In apps: ES:
|
| Lookups | edit_lookups | #In apps: DA-, SA-, Splunk_(DA|SA|TA)_* and ES:
|
| Per-panel filters | edit_per_panel_filters | #In apps: DA-, SA-, Splunk_(DA|SA|TA)_* and ES:
|
| Threat Lists | edit_modinput_threatlist | No |
| Correlation searches | edit_correlationsearches
schedule_search |
#In apps: DA-, SA-, Splunk_(DA|SA|TA)_* and ES:
|
| New notable event | edit_tcp
edit_notable_events |
No |
| Own notable event | can_own_notable_events | No |
| Edit notable events | edit_notable_events
transition_reviewstatus-X to Y |
No |
| Review statuses | edit_reviewstatuses | #In apps: DA-, SA-, Splunk_(DA|SA|TA)_* and ES:
|
| Suppressions | edit_suppressions | #In app: SA-ThreatIntelligence:
|
| Log review settings | edit_log_review_settings | No |
Set up concurrent searches
By default, Splunk only allows three (3) searches to be run concurrently for 'user' and 'power' roles. When Enterprise Security is installed, it increases these values to ten (10) by default, since dashboards generally execute more than three searches. You may want to change the number of concurrent searches.
To change the number of concurrent searches:
- Click Apps > Manage Apps.
- Click Setup next to Enterprise Security.
- Change the number of concurrent searches for either the
adminor thepoweruser. - Click Save.
To manually change the default search quota by editing the authorize.conf file:
- Edit the file at
$SPLUNK_HOME/etc/system/local/authorize.confand setsrchJobsQuotafor each role.
See the following example:
[role_user] srchJobsQuota = 15 [role_power] srchJobsQuota = 15
Advanced index management
By default the main index is always searched. To prevent the Splunk App for Enterprise Security from searching the main index, you can disable the index from the Settings menu.
To do this:
1. Go to Settings > Indexes.
2. Click Disable next to main in the Index name list.
3. Restart Splunk.
Configure multiple indexes
Splunk allows you to create multiple indexes for your data to control user access or accommodate varying retention policies. However, by default, the Enterprise Security admin user is set up to only look at the main index. If you want to use multiple indexes with Enterprise Security, you must make sure that the admin user is configured to look at all of the indexes you want to use with Enterprise Security.
If you fail to change the permissions, the summary indexes and lookups will not have the correct data, which in turn means that dashboards and notable events will not contain the correct data. Once you make the change, new notable events and dashboard summaries will use the correct data from now on. However, notable events and dashboard summaries created prior to the change will not be updated.
Warning: When adding indexes to the default search indexes do not include any summary indexes, as this can cause a search and summary index loop.
Adding a notable index (or any summary index) to the "Indexes searched by default" may cause correlation searches to enter a feedback loop that causes excessive resource usage. Some of Enterprise Security's correlation searches may trigger on their own findings, since correlation searches included information about what originally triggered them in the notable index. The default Enterprise Security behavior does not include 'notable' as a default search index, but this problem may be caused when the configuration has been changed and a notable index (or a summary index) is one of the indexes to be searched by default. The solution is to remove the notable index (or summary index) from the list of indexes to be searched by default.
See "Set up multiple indexes" and "Add users and assign roles" in the Splunk documentation for more information.
Import lists of external information
User-populated lists, most importantly the asset list, provide information about your network and policies that cannot be calculated by Enterprise Security, such as the priority of your hosts or which processes are forbidden. These lists combine the information in your events with external information from CSV files to create additional fields that give more insight into your deployment. Some Enterprise Security dashboards, including the geographic map on the Security Posture dashboard, do not work correctly if this information is not available.
For example, the asset list stores information about the devices on your network, such as priority and location. The Splunk lookup functionality associates the information on the asset list with the source and destination of each event. Then, this association is used to determine the relative urgency and the location of the event.
Use Assets and Identities on the Enterprise Security Home page manage your assets.
Note: Enterprise Security also includes internal lookups that it uses to generate information needed by the correlation searches and other functionality.
Table 3. External lists and where they are used
| List | Description | Where used |
|---|---|---|
| Asset list | Description of the devices on the network | |
| asset business units | Dashboard filters | |
| asset categories | Dashboard filters (used with category list) | |
| latitude and longitude | Notable Events by Geography panel in Security Posture dashboard | |
| priority | Notable event Urgency (with search severity) | |
| Other fields in asset list | Used to augment events, aggregate hosts, and to facilitate event searches | |
| Identity list | Description of the identities using the network | |
| identity business units | Dashboard filters | |
| identity categories | Dashboard filters (used with category list) | |
| priority | Notable event Urgency (with search severity) | |
| Other fields in identity list | Used to augment events, aggregate hosts, | |
| Category list | List of asset categories | Dashboard filters (used with asset list) |
| Expected Views list | List of Enterprise Security dashboards that should be accessed regularly | View Auditing dashboard |
| Application Protocols blacklist | Port/protocol combinations allowed by your organization | Port and Protocol Tracker dashboard |
| Prohibited Processes blacklist | Processes prohibited by your organization | Prohibited Processes Detection search |
| Prohibited Services blacklist | Services prohibited by your organization | Prohibited Service Detection search |
Create user-populated lists
These lists are imported as Splunk lookup tables, which are files in CSV format. The lookup files must be placed on each search head. Splunk automatically loads these lists at search time; you do not need to restart Splunk.
You can supply lookup information from external sources in one of three ways:
- Populate the lookups manually: You can export the data manually and convert it to CSV format for example using Excel. This file can then be copied to the appropriate location on the Search Head using the appropriate tools for your server platform.
- Automatically populate the lookup via a script: It is possible to configure a scripted input to automatically populate a list. Automatic updates can be done using a combination of scripted inputs and custom search commands (written in Python). The implementation details depend on the technology that contains the original information and is therefore beyond the scope of this document. Please contact Splunk Professional Services for additional guidance.
- Paste the content into the Lists and Lookups editor where applicable: Some lookup files have been linked at Configure > Lists and Lookups for updating convenience. New content can be pasted in or typed. This interface does not validate content formatting.
Note: Excel files created on any platform produce CSV files with Windows line endings. The CSV files used as lookups must be created with UNIX-style line endings ("\n"). Splunk will not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n"). The dos2unix command can be used to correct this.
Update these lists periodically in order to ensure that Enterprise Security has reasonably up-to-date information. Generally, Splunk recommends that the list be updated at least every quarter.
The following table shows the lookup files and their locations:
| Name | Location under $SPLUNK_HOME/etc/apps/
|
Lookup definition |
|---|---|---|
| Asset list | SA-IdentityManagement/lookups/assets.csv
|
simple_asset_lookup |
| Category list | SA-IdentityManagement/lookups/asset_categories.csv
|
asset_category_lookup |
| Governance list | SA-ThreatIntelligence/lookups/governance.csv
|
governance_lookup |
| Application Protocols whitelist | SA-NetworkProtection/lookups/application_protocols.csv
|
application_protocol_lookup |
| Prohibited Processes blacklist | SA-Threatintelligence/lookups/prohibited_processes.csv
|
prohibited_processes_lookup |
| Prohibited Services blacklist | SA-Threatintelligence/lookups/prohibited_services.csv
|
prohibited_services_lookup |
| Expected Views list | SA-AuditAndDataProtection/lookups/expected_views.csv
|
expected_views_lookup |
| User Account watchlist | SA-AccessProtection/lookups/user_accounts.csv
|
user_account_lookup |
| Identities List | SA-IdentityManagement/lookups/identities.csv
|
simple_identity_lookup |
| Urgencies List | SA-ThreatIntelligence/urgency.csv
|
urgency_lookup |
The table only shows those lookup files that can managed through the Splunk for Enterprise Security UI. There are more lookup files that can be used with the Splunk App for Enterprise Security and its add-ons. This table is a subset of that much larger set of files.
Remove "other" from charts
When you drill down on "other" in a chart, no results will be shown. The workaround is to use the `useother` macro to configure whether or not "other" is displayed in the chart.
1. Edit the the `useother` macro in the $SPLUNK_HOME/etc/apps/SA-Utils/default/macros.conf file.
[useother] definition = true
The default for the macro is true, which displays "other" in charts. No results will be shown when "other" is clicked.
2. To remove "other" from chart displays, change the definition in the macro to false.
[useother] definition = false
3. Save the file.
| Install add-ons | General settings |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
Download manual
Feedback submitted, thanks!