Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Configuration Settings

If you are a Splunk administrator, you can make various configuration changes to your Splunk Enterprise Security installation.

General Settings

To view and edit threshold values and other commonly changed values for your Enterprise Security installation, browse to Configure > General > General Settings.

Setting Description
Auto Pause Set the time in seconds before a drilldown search will pause.
Domain Analysis Enable or disable WHOIS tracking for Web domains
HTTP Category Analysis Sparkline Earliest Set the start time for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP Category Analysis Sparkline Span Set the time span for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP User Agent Analysis Sparkline Earliest Set the start time for sparklines displayed on the HTTP User Agent Analysis dashboard.
HTTP User Agent Analysis Sparkline Span Set the time span for sparklines displayed on the HTTP User Agent Analysis dashboard.
IRT Disk Sync Delay Set the number of seconds for Splunk ES to wait for a disk flush to finish.
Incident Review Analyst Capacity Set the maximum number of notable events that can be assigned to an analyst.
Indexed Realtime Enable or disable Indexed Realtime.
Large Email Threshold An email that exceeds this size in bytes is considered large.
Licensing Event Count Filter Define the list of indexes to exclude from the "Events Per Day" summarization.
New Domain Analysis Sparkline Span Set the time span for sparklines displayed in the New Domain Analysis dashboard.
Search Disk Quota (admin) Set the maximum amount of disk space in MB that an admin user can use to store search job results.
Search Jobs Quota (admin) Set the maximum number of concurrent searches allowed for admin users.
Search Jobs Quota (power) Set the maximum number of concurrent searches for power users.
Short Lived Account Length An account creation and deletion record that exceeds this threshold is anomalous.
TSTATS Allow Old Summaries Enable or disable searching of data model accelerations containing fields that do not match the current data model configuration.
TSTATS Local Determine whether or not the TSTATS macro will be distributed.
TSTATS Summaries Only Determine whether or not the TSTATS or summariesonly macro will only search accelerated events.
Use Other Enable or disable the term OTHER on charts that exceed default series limits.
Website Watchlist Search A list of watchlisted websites used by the "Watchlisted Events" correlation search.

Credential Management

The Credential Management page displays stored credentials for objects, such as threat lists or lookups, that run as scripted or modular inputs. An input configuration that references a credential will attempt to find the credential values here.

Select Configure > General > Credential Management to view and edit the stored credentials for Enterprise Security data inputs.

Es app config cred mgmt 3.0.png

Add a new credential for an input

1. Click New Credential to add a new user credential.

2. Use the edit panel to add the username and password for the new credential. The Realm field is optional, and can be used to differentiate between multiple credentials that have the same username.

Es create credential.png

3. Select the Application for the credential.

4. Click Save. The new credential appears in the Credential Management list.

Note: It may take several minutes for the new Splunk users added to Enterprise Security to be reflected in Enterprise Security dashboards.

Edit an existing input credential

1. Click Edit next to the credential name.

2. Use the editor to change the username, password, or application for the credential. You cannot change the realm after it has been applied to a credential. You must create a new credential to change the realm.

Es credential mgmt edit 3.0.png

3. Click Save.

Delete an existing input credential

Use the REST API to delete an existing credential from the Credential Management page. See "DELETE storage passwords" in the Splunk Enterprise REST API Reference Manual.

Permissions

Browse to Configure > General > Permissions to view and edit custom capabilities assigned to Enterprise Security non-admin roles. For more information about ES capabilities, see "Adding capabilities to a role" in the Installation and Upgrade Manual.

Navigation

The Navigation editor is used to arrange and expose the domains and dashboards displayed in the Enterprise Security menu bar. Browse to Configure > General > Navigation to open the Navigation Editor. You must have Enterprise Security administrator privileges to modify menu bar settings. ES Navigation.png

Edit the default menus

In the Navigation editor, you can either select items and add them to an existing menu, or create a new menu item.

1. You can disable individual items, or an entire menu, using the Navigation editor. Removing domains or dashboards from the menu bar disables only the navigation and display of that item.

  • To disable a domain or dashboard, click the "X" on the main menu panel.
  • To disable a single menu item, select the item (a check mark shows that the item is selected) and then click the "X" next to the item.

2. To rearrange display of the menus, click and drag them into a new order.

3. When you complete your changes, click Save.

Any unused, disabled, or removed objects are shown in the Unused Reports list to the left of the Navigation editor.

Add new dashboards to a menu

  1. From the Navigation editor, select a dashboard or report from the list of Unused Reports on the left.
  2. Drag the report into the menu area and place it under a menu title. The existing menu items will shift to make room for the new item.
  3. Click Save.

For the list of dashboards that may be added to the menu bar using the Navigation editor, see the "Dashboard requirements matrix" topic in this manual.

Add a link to the ES menu

Add a link to the ES navigation menu. For example, add a link to a specifically-filtered view of Incident Review or to an external system.

Create a link in the menu to an external system or webpage.

  1. From the Splunk platform menu, select Settings > User Interface.
  2. Click Navigation menus.
  3. Select the Nav name default next to SplunkEnterpriseSecuritySuite.
  4. Create or modify a collection.
    For example, to create a drop-down menu option titled Resources with a link to this topic titled Configuration Settings, add a new collection like the following example.
    <collection label="Resources">
    <a href='http://docs.splunk.com/Documentation/ES/latest/User/ManageSearches' target="_blank">Configuration Settings</a>
    </collection>
  5. Save the changes.
  6. Use the app picker to return to Splunk Enterprise Security.
  7. Verify that the menu navigation is updated and works as expected.

Replace the current menu link to Incident Review with a filtered view of Incident Review.

  1. Filter Incident Review to your desired filters.
  2. From the web browser address bar, copy the part of the URL that starts with /app/SplunkEnterpriseSecuritySuite/
  3. Replace the <view name="incident_review" /> section with a collection and links that reference the filter link that you copied.
    This example creates a menu option called Incident Review with drop-down options that show Incident Review filtered to show only in progress notable events and Incident Review filtered to show only critical notable events.
    <collection label=“Incident Review">
    <a href='/app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=2'>IR – In Progress</a>
    <a href='/app/SplunkEnterpriseSecuritySuite/incident_review?form.selected_urgency=critical'>IR - Critical</a>
    </collection>
  4. Save the changes.
  5. Use the app picker to return to Splunk Enterprise Security.
  6. Verify that the menu navigation is updated and works as expected.
Last modified on 28 March, 2017
PREVIOUS
Predictive Analytics dashboard
  NEXT
Content Management

This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters