Configuration overview
Splunk Enterprise Security provides dashboards of contextual, security-relevant data. You will configure these elements after you have configured the add-ons to collect data, extract specific knowledge from the data sources, and index the results.
After installing Enterprise Security and getting your data into the app, configure it for the specifics of your deployment.
In Splunk Web, select the Enterprise Security app to open the Enterprise Security home page. To open Configuration, click the configure icon in the menu bar.
- You can configure external information about your environment that needs to be imported into Enterprise Security. For example, you can configure information about the systems and devices (known as assets) in your infrastructure; you can define port protocols, and define prohibited ports or services. See "Identity Manager" in this manual and "Assets Manager" in the User Manual for more information.
- You can configure any settings that determine how you want to use Enterprise Security. For example, you can change the choices for Incident Review status; you can identify specific dashboards for review, and define the review frequency for each; you can create different types of users and set up multiple indexes for different security and retention policies.
Prerequisites
- Architect, install, and configure the Splunk Enterprise environment.
- Use CIM-compatible add-ons to identify, configure, and ingest data sources.
- Install Splunk Enterprise Security.
Steps to configure the app
1. Normalize the data indexed in Splunk Enterprise to the CIM.
2. Define, then configure the Enterprise Security user roles.
3. Collect, process, and import the asset and identities information.
4. Collect, process, and import threat lists, or other sources of security information.
5. Review and enable correlation searches for the security domains that contain data.
6. Customize the Enterprise Security navigation settings.
Import lists of external information
User-populated lists, most importantly the asset list, provide information about your network and policies that the app cannot calculate, such as the priority of your hosts or which processes are forbidden. Some Enterprise Security dashboards, including the geographic map on the Security Posture dashboard, do not work correctly if this information is not available.
For example, the asset list stores information about the devices on your network, such as priority and location. Splunk app lookup functionality associates the information on the asset list with the source and destination of each event. By using this association, the app is able to determine the relative urgency and the location of the event.
Use Assets and Identities on the Enterprise Security Home page to manage your assets.
Enterprise Security also includes internal lookups that generate the information the correlation searches and other functionality need.
The following table describes the external lists, the fields Enterprise Security uses from them, and where each is used.
List | Description | Location (where used) |
---|---|---|
Asset list | description of the devices on the network | see the asset list fields below |
Asset list: business units | asset list field | dashboard filters |
Asset list: categories | asset list field | dashboard filters (used with category list) |
Asset list: latitude and longitude | asset list field | Notable Events by Geography panel in the Security Posture dashboard |
Asset list: priority | asset list field | notable event urgency (with search severity) |
Asset list: other fields | asset list fields | used to augment events, aggregate hosts, and to facilitate event searches |
Identity list | description of the identities using the network | see the identity list fields below |
Identity list: business units | identity list field | dashboard filters |
Identity list: categories | identity list field | dashboard filters (used with category list) |
Identity list: priority | identity list field | notable event urgency (with search severity) |
Identity list: other fields | identity list fields | used to augment events, aggregate hosts |
Category list | list of asset categories | dashboard filters (used with asset list) |
Expected views list | list of Enterprise Security dashboards that should be accessed regularly | View Auditing dashboard |
Application protocols blacklist | port/protocol combinations allowed by your organization | Port and Protocol Tracker dashboard |
Prohibited processes blacklist | processes prohibited by your organization | prohibited processes detection search |
Prohibited services blacklist | services prohibited by your organization | prohibited service detection search |
Create user-populated lists
Splunk Enterprise Security imports user-populated lists as Splunk lookup tables, which are files in CSV format. It automatically loads these lists at search time, so you do not need to restart.
You supply lookup information from external sources in one of three ways:
- Populate the lookups manually. You can export the data manually, then convert it to CSV format using Excel. You can then copy this file to the appropriate location on the search head using suitable tools for your server platform.
- Automatically populate the lookup via a script. You can configure a scripted input to automatically populate a list. By using a combination of scripted inputs and custom Python search commands, you can also create automatic updates.
- Paste the content into the Lists and Lookups editor. You can link some lookup files at Configure > Lists and Lookups for updating convenience. Paste or type in new content. This interface does not validate content formatting.
Any Excel files you create on any platform produce CSV files with Windows line endings. The CSV files you use as lookups must use UNIX-style line endings ("\n"). Splunk Enterprise does not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n"). Use the `dos2unix` command to correct this.
Update these lists periodically in order to ensure that Enterprise Security has reasonably up-to-date information. Best practice suggests updating these lists quarterly.
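The line-ending and content checks described above, as an added example (not Splunk's own code): it normalizes a lookup CSV the way `dos2unix` would and flags priority and latitude/longitude values that would skew notable event urgency or the geographic map. The column names in REQUIRED and the priority values are assumptions about the asset lookup header; adjust them to match your deployment's assets.csv.

```python
import csv
import io

# Assumed subset of the asset lookup header: the page names priority,
# latitude/longitude, business unit and category as fields ES relies on.
REQUIRED = ("ip", "priority", "lat", "long", "bunit", "category")
PRIORITIES = {"unknown", "informational", "low", "medium", "high", "critical"}


def normalize_line_endings(data: bytes) -> bytes:
    """Convert Windows (CRLF) and classic Mac (CR) endings to UNIX (LF),
    which is what dos2unix does and the only form Splunk reads reliably."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def validate_asset_csv(text: str) -> list:
    """Return the problems found; an empty list means the lookup is usable."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return ["missing columns: " + ", ".join(missing)]
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        # A priority outside the known set silently skews notable-event urgency.
        if row["priority"] not in PRIORITIES:
            problems.append(f"line {n}: bad priority {row['priority']!r}")
        # Out-of-range coordinates break the Notable Events by Geography panel.
        try:
            lat, lon = float(row["lat"] or 0), float(row["long"] or 0)
        except ValueError:
            problems.append(f"line {n}: lat/long not numeric")
            continue
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append(f"line {n}: lat/long out of range")
    return problems


# Constructed sample: an Excel-style export with Windows line endings.
SAMPLE = (b"ip,priority,lat,long,bunit,category\r\n"
          b"10.0.0.5,high,37.77,-122.41,finance,pci\r\n"
          b"10.0.0.9,urgent,0,0,ops,dmz\r\n"
          b"10.0.0.12,low,95.0,10.0,ops,dmz\r\n")

if __name__ == "__main__":
    for problem in validate_asset_csv(normalize_line_endings(SAMPLE).decode()):
        print(problem)
```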
The following table describes the lookup files and their locations. Only lookup files managed through Enterprise Security are shown; ES and its add-ons ship many more lookup files, of which this table is a subset.
Name | Location under $SPLUNK_HOME/etc/apps/ | Lookup definition |
---|---|---|
Asset list | SA-IdentityManagement/lookups/assets.csv | simple_asset_lookup |
Category list | SA-IdentityManagement/lookups/asset_categories.csv | asset_category_lookup |
Governance list | SA-ThreatIntelligence/lookups/governance.csv | governance_lookup |
Application Protocols whitelist | SA-NetworkProtection/lookups/application_protocols.csv | application_protocol_lookup |
Prohibited processes blacklist | SA-ThreatIntelligence/lookups/prohibited_processes.csv | prohibited_processes_lookup |
Prohibited services blacklist | SA-ThreatIntelligence/lookups/prohibited_services.csv | prohibited_services_lookup |
Expected views list | SA-AuditAndDataProtection/lookups/expected_views.csv | expected_views_lookup |
User account watchlist | SA-AccessProtection/lookups/user_accounts.csv | user_account_lookup |
Identities list | SA-IdentityManagement/lookups/identities.csv | simple_identity_lookup |
Urgencies list | SA-ThreatIntelligence/urgency.csv | urgency_lookup |
Remove "other" from charts
When you drill down on "other" in a chart, the chart shows no results. The following workaround uses the `useother` macro to configure whether or not the app displays "other" in charts. The default for the macro is `true`, which displays "other" in charts.
1. Edit the `useother` macro in the $SPLUNK_HOME/etc/apps/SA-Utils/default/macros.conf file. The stanza reads:

```ini
[useother]
definition = true
```
2. Change the definition in the macro to `false` to remove "other" from chart displays:

```ini
[useother]
definition = false
```
3. Save the file.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0