Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Configuration overview

Splunk App for Enterprise Security provides dashboards of contextual, security-relevant data. You configure these elements after you have configured the add-ons to collect data, extract specific knowledge from the data sources, and index the results in Splunk Enterprise.

After installing Splunk App for Enterprise Security and getting your data into the app, configure it for the specifics of your deployment.

In the app, select the Enterprise Security app to see the Enterprise Security home page. To open Configuration, click the configure icon in the menu bar.

ES31 Configure All.png

There are several types of information that you can configure in Splunk App for Enterprise Security.

  • You can configure external information about your environment that needs to be imported into Splunk App for Enterprise Security. For example, you can configure information about the systems and devices (known as assets) in your infrastructure; you can define port protocols, and define prohibited ports or services. See "Identity Manager" in this manual and "Assets Manager" in the User Manual for more information.
  • You can configure any settings that determine how you want to use Splunk App for Enterprise Security. For example, you can change the choices for Incident Review status; you can identify specific dashboards for review, and define the review frequency for each; you can create different types of users and set up multiple indexes for different security and retention policies.


  • Architect, install, and configure the Splunk Enterprise environment.
  • Use CIM-compatible add-ons to identify, configure, and ingest data sources.
  • Install Splunk App for Enterprise Security.

Steps to configure the app

1. Normalize the data indexed in Splunk Enterprise to the CIM.

2. Define, then configure Splunk App for Enterprise Security user roles.

3. Collect, process, and import the asset and identities information.

4. Collect, process, and import threat lists, or other sources of security information.

5. Review and enable correlation searches for the security domains that contain data.

6. Customize the Enterprise Security navigation settings.

Import lists of external information

User-populated lists, most importantly the asset list, provide information about your network and policies that the app cannot calculate, such as the priority of your hosts or which processes are forbidden. Some Enterprise Security dashboards, including the geographic map on the Security Posture dashboard, do not work correctly if this information is not available.

For example, the asset list stores information about the devices on your network, such as priority and location. Splunk app lookup functionality associates the information on the asset list with the source and destination of each event. By using this association, the app is able to determine the relative urgency and the location of the event.

Use Assets and Identities on the Enterprise Security Home page to manage your assets.

Enterprise Security includes internal lookups that it uses to generate information the correlation searches need and other functionality.

The following table describes the external lists and their location.

List Description Location
Asset list description of the devices on the network
asset business units dashboard filters
asset categories dashboard filters (used with category list)
latitude and longitude notable events by Geography panel in Security posture dashboard
priority notable event urgency (with search severity)
other fields in asset list used to augment events, aggregate hosts, and to facilitate event searches
Identity list description of the identities using the network
identity business units dashboard filters
identity categories dashboard filters (used with category list)
priority notable event urgency (with search severity)
other fields in identity list used to augment events, aggregate hosts
Category list List of asset categories dashboard filters (used with asset list)
expected views list list of Enterprise Security dashboards that should be accessed regularly view Auditing dashboard
application protocols blacklist port/protocol combinations allowed by your organization port and protocol tracker dashboard
prohibited processes blacklist processes prohibited by your organization prohibited processes detection search
prohibited services blacklist services prohibited by your organization prohibited service detection search

Create user-populated lists

Splunk App for Enterprise Security imports user-populated lists as Splunk lookup tables, which are files in CSV format. The app automatically loads these lists at search time, so you do not need to restart the app.

You supply lookup information from external sources in one of three ways:

  • Populate the lookups manually. You can export the data manually, then convert it to CSV format using Excel. You can then copy this file to the appropriate location on the search head using suitable tools for your server platform.
  • Automatically populate the lookup via a script. You can configure a scripted input to automatically populate a list. By using a combination of scripted inputs and custom Python search commands, you can also create automatic updates.
  • Paste the content into the Lists and Lookups editor. You can link some lookup files at Configure > Lists and Lookups for updating convenience. Paste or type in new content. This interface does not validate content formatting.

Any Excel files you create on any platform produce CSV files with Windows line endings. The CSV files you use as lookups must use UNIX-style line endings ("\n"). Splunk Enterprise does not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n"). Use the dos2unix command to correct this.

Update these lists periodically in order to ensure that Enterprise Security has reasonably up-to-date information. Best practice suggests updating these lists quarterly.

The following table describes the lookup files and their locations. Only lookup files managed through Splunk app for Enterprise Security UI are shown in the table. There are more lookup files that you can use with Splunk App for Enterprise Security and its add-ons. This table is a subset of that much larger set of files.

Name Location under $SPLUNK_HOME/etc/apps/ Lookup definition
Asset list SA-IdentityManagement/lookups/assets.csv simple_asset_lookup
Category list SA-IdentityManagement/lookups/asset_categories.csv asset_category_lookup
Governance list SA-ThreatIntelligence/lookups/governance.csv governance_lookup
Application Protocols whitelist SA-NetworkProtection/lookups/application_protocols.csv application_protocol_lookup
Prohibited processes blacklist SA-Threatintelligence/lookups/prohibited_processes.csv prohibited_processes_lookup
Prohibited services blacklist SA-Threatintelligence/lookups/prohibited_services.csv prohibited_services_lookup
Expected views list SA-AuditAndDataProtection/lookups/expected_views.csv expected_views_lookup
User account watchlist SA-AccessProtection/lookups/user_accounts.csv user_account_lookup
Identities list SA-IdentityManagement/lookups/identities.csv simple_identity_lookup
Urgencies list SA-ThreatIntelligence/urgency.csv urgency_lookup

Remove other from charts

When you drill down on "other" in a chart, the chart shows no results. The following is a workaround that uses the `useother` macro to configure whether or not the app displays "other" in the chart. The default for the macro is true, which displays "other" in charts.

1. Edit the `useother` macro in the $SPLUNK_HOME/etc/apps/SA-Utils/default/macros.conf file.

   definition = true

2. Change the definition in the macro to false in order to remove "other" from chart displays.

   definition = false

3. Save the file.

Last modified on 06 October, 2015
Install the Splunk App for Enterprise Security
General settings

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters