Creating new content in Splunk Enterprise Security
Create new content on Content Management.
Create a correlation search
See Create a correlation search in Splunk Enterprise Security Tutorials.
Create a key indicator search
Create a key indicator search to create a key indicator that you can add to a dashboard or glass table as a security metric.
- From the Enterprise Security menu bar, select Configure > Content Management.
- Click Create New Content and select Key Indicator Search.
- Type a key indicator name.
In order for the key indicator to show up in the list of security metrics on a glass table, type a category or security domain at the beginning of the key indicator name followed by a hyphen. For example, APT - Example Key Indicator or Access - Sample Key Indicator.
- Type a search, and other details.
The key indicators that come with Enterprise Security use data models to accelerate the return of results.
- (Optional) Select Schedule to use data model acceleration for your custom key indicator.
- Type the name of the field that corresponds to the value of the key indicator in the Value field.
- Type the name of the field that corresponds to the change in the key indicator in the Delta field.
- (Optional) Type a Threshold for the key indicator. The threshold controls whether the key indicator changes color. You can also set the threshold in dashboards and on glass tables.
- Type a Value Suffix to indicate units or another word to follow the key indicator.
- Select the Invert check box to invert the colors of the key indicator. Select this check box to indicate that a high value is good and a low value is bad.
- Click Save.
Create a new saved search or scheduled report
Create a saved search, also called a scheduled report, in Splunk Enterprise Security.
- From the Enterprise Security menu bar, select Configure > Content Management.
- Click Create New Content and select Saved Search.
- Create a saved search, also called a scheduled report, following the instructions in the Splunk platform documentation.
- For Splunk Enterprise, see Create a new report in the Splunk Enterprise Reporting Manual.
- For Splunk Cloud, see Create a new report in the Splunk Cloud Reporting Manual.
- Modify the permissions of the report to share it with Enterprise Security so that you can view and manage the search in Enterprise Security, following the instructions in the Splunk platform documentation.
- For Splunk Enterprise, see Set report permissions in the Splunk Enterprise Reporting Manual.
- For Splunk Cloud, see Set report permissions in the Splunk Cloud Reporting Manual.
Create a search-driven lookup
See Create a search-driven lookup.
Create a swim lane search
Create a swim lane search to create a swim lane that you can add to the Asset Investigator or Identity Investigator dashboard. Swim lanes on the investigator dashboards help you profile activity by a specific asset or identity over time.
- From the Enterprise Security menu bar, select Configure > Content Management.
- Click Create New Content and select Swim Lane Search.
- Type a Search Name.
- Select a Destination App.
- Type a Title for the swim lane that appears on the dashboard.
- Type a Search that populates the swim lane.
- Type a Drilldown Search that runs when a user clicks a swim lane item. By default, the swim lane item drilldown shows the raw events.
- Select a color.
- Select an Entity Type of Asset or Identity.
- Type Constraint Fields. Type a field to specify constraints on the search. Your search must contain where $constraints$ to use these constraint fields in the search. Only specific constraints are valid for each type of swim lane search.
For example, an Asset Investigator swim lane search using the Malware data model and the Malware_Attacks data model dataset could specify the Malware_Attacks.user field as a constraint.
- Click Save.
For example, create a swim lane to identify all authentication events involving a specific asset.
- Type a Search Name of Authentication by Asset - Example.
- Select a Destination App of DA-ESS-AccessProtection.
- Type a Title for the swim lane that appears on the dashboard: All Authentication.
- Type a Search that populates the swim lane.
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$
- Type a Drilldown Search.
| `datamodel("Authentication","Authentication")` | search $constraints$
- Select the color Purple.
- Select an entity type of Asset because you want to investigate all authentication events by asset and be able to add this swim lane to the Asset Investigator dashboard. With this specified, all constraints specified as constraint fields perform a reverse lookup against the other fields that identify an asset.
- Type constraint fields of Authentication.src and Authentication.dest to identify authentications originating from or targeting a specific asset.
Assuming an asset lookup entry with an IP address of 1.2.3.4, dns of server.example.com, and nt_host of server1, the search for this swim lane searches for all authentication events where the source or destination of the authentication event is 1.2.3.4, server.example.com, or server1.
... Authentication.src=1.2.3.4 OR Authentication.src=server.example.com OR Authentication.src=server1 OR Authentication.dest=1.2.3.4 OR Authentication.dest=server.example.com OR Authentication.dest=server1
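The expansion described above can be reproduced offline to check a swim lane search before you save it. This is an added Python example, not Splunk code: the function names, the asset keys ip, dns and nt_host, the quoting rule and the default span are assumptions made for the illustration.

```python
import re

# Asset lookup fields treated as identifying an asset (assumption: only the
# three named in the example above are used here).
ASSET_KEY_FIELDS = ("ip", "dns", "nt_host")

# Constructed sample data matching the example in the text.
SAMPLE_ASSET = {"ip": "1.2.3.4", "dns": "server.example.com", "nt_host": "server1"}
SAMPLE_FIELDS = ["Authentication.src", "Authentication.dest"]

_BARE = re.compile(r"^[A-Za-z0-9_.:\-]+$")


def _term(field, value):
    # Quote values that are not plain tokens so each stays a single search
    # term (this quoting rule is the example's choice, not documented behaviour).
    if not _BARE.match(value):
        value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{field}={value}"


def expand_constraints(asset, constraint_fields):
    """Pair every constraint field with every identifying value of the asset."""
    values = [asset[k] for k in ASSET_KEY_FIELDS if asset.get(k)]
    if not values or not constraint_fields:
        raise ValueError("need at least one asset value and one constraint field")
    return " OR ".join(_term(f, v) for f in constraint_fields for v in values)


def render_search(template, asset, constraint_fields, span="1h"):
    """Substitute $constraints$ and $span$ into a swim lane search string."""
    if "$constraints$" not in template:
        # Without the token the constraint fields have no effect on the search.
        raise ValueError("search must contain $constraints$")
    clause = expand_constraints(asset, constraint_fields)
    return template.replace("$constraints$", clause).replace("$span$", span)


if __name__ == "__main__":
    print(expand_constraints(SAMPLE_ASSET, SAMPLE_FIELDS))
```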
Create a new view or dashboard
Create a new view or dashboard using Simple XML from Content Management.
Prerequisite
Creating new views and dashboards from Content Management requires familiarity with Simple XML. For an overview of building and editing dashboards, including working with Simple XML, see the Splunk platform documentation.
- For Splunk Enterprise, see Dashboard overview in Splunk Enterprise Dashboards and Visualizations.
Task
- From the Enterprise Security menu bar, select Configure > Content Management.
- Click Create New Content and select View.
- Create a new dashboard with Simple XML.
- Modify the permissions to share the new view with Enterprise Security so that you can view and manage it in Enterprise Security.
- From the Splunk bar, select Settings > User interface > Views.
- Locate the View name that you created.
- Click Permissions and modify the permissions to share the view with Enterprise Security.
- Click Save.
You can also create a new dashboard with the interactive dashboard editor. Select Search > Dashboards to open the Dashboards page. You can find information about the Dashboard Editor in the Splunk platform documentation.
- For Splunk Enterprise, see Open the Dashboard Editor in Splunk Enterprise Dashboards and Visualizations.
- For Splunk Cloud, see Open the Dashboard Editor in Splunk Cloud Dashboards and Visualizations.
Use the Navigation editor to change which dashboards are visible on the menu in your deployment. For more information, see Navigation in this manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only