Configuration overview

Splunk App for Enterprise Security provides dashboards of contextual, security-relevant data. You configure these elements after you have configured the add-ons to collect data, extract specific knowledge from the data sources, and index the results in Splunk Enterprise.

After installing Splunk App for Enterprise Security and getting your data into the app, configure it for the specifics of your deployment.

In the app, select the Enterprise Security app to see the Enterprise Security home page. To open Configuration, click the configure icon in the menu bar.

There are several types of information that you can configure in Splunk App for Enterprise Security.

You can configure external information about your environment that needs to be imported into Splunk App for Enterprise Security. For example, you can configure information about the systems and devices (known as assets) in your infrastructure; you can define port protocols, and define prohibited ports or services. See "Identity Manager" in this manual and "Assets Manager" in the User Manual for more information.

You can configure any settings that determine how you want to use Splunk App for Enterprise Security. For example, you can change the choices for Incident Review status; you can identify specific dashboards for review, and define the review frequency for each; you can create different types of users and set up multiple indexes for different security and retention policies.

Prerequisites

Architect, install, and configure the Splunk Enterprise environment.
Use CIM-compatible add-ons to identify, configure, and ingest data sources.
Install Splunk App for Enterprise Security.

Steps to configure the app

1. Normalize the data indexed in Splunk Enterprise to the CIM.

2. Define, then configure Splunk App for Enterprise Security user roles.

3. Collect, process, and import the asset and identities information.

4. Collect, process, and import threat lists, or other sources of security information.

5. Review and enable correlation searches for the security domains that contain data.

6. Customize the Enterprise Security navigation settings.

Import lists of external information

User-populated lists, most importantly the asset list, provide information about your network and policies that the app cannot calculate, such as the priority of your hosts or which processes are forbidden. Some Enterprise Security dashboards, including the geographic map on the Security Posture dashboard, do not work correctly if this information is not available.

For example, the asset list stores information about the devices on your network, such as priority and location. Splunk app lookup functionality associates the information on the asset list with the source and destination of each event. By using this association, the app is able to determine the relative urgency and the location of the event.

Use Assets and Identities on the Enterprise Security Home page to manage your assets.

Enterprise Security includes internal lookups that it uses to generate information the correlation searches need and other functionality.

The following table describes the external lists and their location.

List	Description	Location
Asset list		description of the devices on the network
	asset business units	dashboard filters
	asset categories	dashboard filters (used with category list)
	latitude and longitude	notable events by Geography panel in Security posture dashboard
	priority	notable event urgency (with search severity)
	other fields in asset list	used to augment events, aggregate hosts, and to facilitate event searches
Identity list		description of the identities using the network
	identity business units	dashboard filters
	identity categories	dashboard filters (used with category list)
	priority	notable event urgency (with search severity)
	other fields in identity list	used to augment events, aggregate hosts
Category list	List of asset categories	dashboard filters (used with asset list)
expected views list	list of Enterprise Security dashboards that should be accessed regularly	view Auditing dashboard
application protocols blacklist	port/protocol combinations allowed by your organization	port and protocol tracker dashboard
prohibited processes blacklist	processes prohibited by your organization	prohibited processes detection search
prohibited services blacklist	services prohibited by your organization	prohibited service detection search

Create user-populated lists

Splunk App for Enterprise Security imports user-populated lists as Splunk lookup tables, which are files in CSV format. The app automatically loads these lists at search time, so you do not need to restart the app.

You supply lookup information from external sources in one of three ways:

Populate the lookups manually. You can export the data manually, then convert it to CSV format using Excel. You can then copy this file to the appropriate location on the search head using suitable tools for your server platform.

Automatically populate the lookup via a script. You can configure a scripted input to automatically populate a list. By using a combination of scripted inputs and custom Python search commands, you can also create automatic updates.

Paste the content into the Lists and Lookups editor. You can link some lookup files at Configure > Lists and Lookups for updating convenience. Paste or type in new content. This interface does not validate content formatting.

Any Excel files you create on any platform produce CSV files with Windows line endings. The CSV files you use as lookups must use UNIX-style line endings ("\n"). Splunk Enterprise does not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n"). Use the dos2unix command to correct this.

Update these lists periodically in order to ensure that Enterprise Security has reasonably up-to-date information. Best practice suggests updating these lists quarterly.

The following table describes the lookup files and their locations. Only lookup files managed through Splunk app for Enterprise Security UI are shown in the table. There are more lookup files that you can use with Splunk App for Enterprise Security and its add-ons. This table is a subset of that much larger set of files.

Name	Location under `$SPLUNK_HOME/etc/apps/`	Lookup definition
Asset list	`SA-IdentityManagement/lookups/assets.csv`	simple_asset_lookup
Category list	`SA-IdentityManagement/lookups/asset_categories.csv`	asset_category_lookup
Governance list	`SA-ThreatIntelligence/lookups/governance.csv`	governance_lookup
Application Protocols whitelist	`SA-NetworkProtection/lookups/application_protocols.csv`	application_protocol_lookup
Prohibited processes blacklist	`SA-Threatintelligence/lookups/prohibited_processes.csv`	prohibited_processes_lookup
Prohibited services blacklist	`SA-Threatintelligence/lookups/prohibited_services.csv`	prohibited_services_lookup
Expected views list	`SA-AuditAndDataProtection/lookups/expected_views.csv`	expected_views_lookup
User account watchlist	`SA-AccessProtection/lookups/user_accounts.csv`	user_account_lookup
Identities list	`SA-IdentityManagement/lookups/identities.csv`	simple_identity_lookup
Urgencies list	`SA-ThreatIntelligence/urgency.csv`	urgency_lookup

Remove other from charts

When you drill down on "other" in a chart, the chart shows no results. The following is a workaround that uses the `useother` macro to configure whether or not the app displays "other" in the chart. The default for the macro is true, which displays "other" in charts.

1. Edit the `useother` macro in the $SPLUNK_HOME/etc/apps/SA-Utils/default/macros.conf file.

   [useother]
   definition = true

2. Change the definition in the macro to false in order to remove "other" from chart displays.

   [useother]
   definition = false

3. Save the file.

Install and upgrade Splunk Enterprise Security

Related Answers

Configuration overview

Prerequisites

Steps to configure the app

Import lists of external information

Create user-populated lists

Remove other from charts

Comments

Configuration overview