Splunk® Enterprise Security

Use Splunk Enterprise Security


Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES.

Configuration Settings

As a Splunk Enterprise administrator, you can make configuration changes to your Splunk Enterprise Security installation.

General Settings

Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page.

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
| Setting | Description |
|---|---|
| Asset Sources | A search macro that enumerates the lookup tables that contain asset information used for asset correlation. |
| Auto Pause | Type the time in seconds before a drilldown search will pause. |
| Default Watchlist Search | Define the watchlisted events for the "Watchlisted Events" correlation search. |
| Domain Analysis | Enable or disable WHOIS tracking for Web domains. |
| Domain From URL Extraction Regex | A regular expression used to extract the domain (url_domain) from a URL. |
| Enable Identity Generation Autoupdate | If true, permit the Identity Manager to auto-update the asset_sources, identity_sources, and generate_identities macros. True by default. |
| HTTP Category Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Category Analysis dashboard. |
| HTTP Category Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Category Analysis dashboard. |
| HTTP User Agent Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Agent Analysis dashboard. |
| HTTP User Agent Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Agent Analysis dashboard. |
| IRT Disk Sync Delay | Set the number of seconds for Enterprise Security to wait for a disk flush to finish. Relevant to indexed real-time searches. |
| Identity Generation | Defines the transformations used to normalize identity information. See How Splunk Enterprise Security processes and merges asset and identity data. |
| Identity Generation Timeout | Number of seconds the Identity Manager waits before warning of slow search completion in identity_manager.log. |
| Identity Sources | Enumerates the source lookup tables that contain identity information. |
| Incident Review Analyst Capacity | Estimated maximum capacity of notable events assigned to an analyst. Relative measure of analyst workload. |
| Indexed Realtime | Enable or disable indexed real-time mode for searches. |
| Large Email Threshold | An email that exceeds this size in bytes is considered large. |
| Licensing Event Count Filter | Define the list of indexes to exclude from the "Events Per Day" summarization. |
| New Domain Analysis Sparkline Span | Set the time span for sparklines displayed in the New Domain Analysis dashboard. |
| Notable Modalert Pipeline | SPL for the notable adaptive response action. |
| Predicate pushdown | Dynamically replaces drilldown searches that use the datamodel command with a new search that approximates the same constraints, to speed up the return of events in search results. If a drilldown search references an evaluated field (for example, src="unknown"), the replacement drilldown search will always return No results found. The setting is global and changes the Incident Review notable event drilldown for contributing events and all simple XML dashboards that use a specific search syntax for drilldown searches. Disabled by default. Change this setting only if the search head performance of drilldown searches is unacceptable. If you use Splunk platform version 6.5.x or later, search optimization of this type happens automatically, and you do not need to select this setting to get the optimization benefits. |
| Search Disk Quota (admin) | Set the maximum amount of disk space in MB that an admin user can use to store search job results. |
| Search Jobs Quota (admin) | Set the maximum number of concurrent searches allowed for admin users. |
| Search Jobs Quota (power) | Set the maximum number of concurrent searches for power users. |
| Short Lived Account Length | An account creation and deletion record that exceeds this threshold is anomalous. |
| TSTATS Allow Old Summaries | Enable or disable searching of data model accelerations containing fields that do not match the current data model configuration. |
| TSTATS Local | Determine whether or not the TSTATS macro will be distributed. |
| TSTATS Summaries Only | Determine whether or not the TSTATS or summariesonly macro will only search accelerated events. |
| Use Other | Enable or disable the term OTHER on charts that exceed default series limits. |
| Website Watchlist Search | A list of watchlisted websites used by the "Watchlisted Events" correlation search. |

Credential Management

The Credential Management page displays stored credentials for objects, such as threat lists or lookups, that run as scripted or modular inputs. An input configuration that references a credential will attempt to find the credential values here.

Add a new credential for an input

  1. On the Enterprise Security menu bar, select Configure > General and open Credential Management.
  2. Click New Credential to add a new user credential.
  3. Use the edit panel to add the username and password for the new credential.
  4. (Optional) Use the Realm field to differentiate between multiple credentials that have the same username.
  5. Select the Application for the credential.
  6. Click Save.

Edit an existing input credential

  1. On the Enterprise Security menu bar, select Configure > General and open Credential Management.
  2. In the Action column of a credential, select Edit.
  3. Use the editor to change the username, password, or application for the credential. You cannot change the realm after it has been applied to a credential. You must create a new credential to change the realm.
  4. Click Save.

Delete an existing input credential

  1. On the Enterprise Security menu bar, select Configure > General and open Credential Management.
  2. In the Action column of a credential, select Delete.

Permissions

Use the Permissions page to view and assign Enterprise Security capabilities to non-admin roles.

  1. On the Enterprise Security menu bar, select Configure > General > Permissions.
  2. Select the checkbox for the role and permissions for that role.
  3. Click Save.

For more information about ES capabilities, see Adding capabilities to a role in the Installation and Upgrade Manual.

Customize the menu bar in Splunk Enterprise Security

Customize the menu bar in Splunk Enterprise Security with the navigation editor. Add new dashboards, reports, views, links to filtered dashboards, or links to the web to your menu bar. You must have Enterprise Security administrator privileges to make changes to the menu bar navigation.

Upgrading Enterprise Security overwrites customizations you make to the menu bar.

You can add views to the menu bar as part of a collection that groups several views together or as an individual item on the menu bar. For example, Incident Review is an individual dashboard in the menu bar, and Audit is a collection of the audit dashboards.

Set a default view for Splunk Enterprise Security

To see a specific view or link when you or another user opens Splunk Enterprise Security, set a default view.

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Locate the view or link that you want to be the default view.
  3. Click the checkmark icon that appears when you mouse over the view to Set this as the default view.
  4. Click Save to save your changes.
  5. Click OK to refresh the page and view your changes.

Edit the existing menu bar navigation

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Click and drag views or collections of views to change the location of the views or collections of views in the menu.
  3. Click the X next to a view or collection to remove it from the menu.
  4. Click the pencil icon to edit the name of a collection.
  5. Click the line icon to add a divider and visually separate items in a collection.
  6. Click Save to save your changes.
  7. Click OK to refresh the page and view your changes.

Add a single view to the menu bar

You can add a new view to the menu bar without adding it to a collection.

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Click Add a New View.
  3. Leave View Options set to the default of View.
  4. Click Select a View from Unused Views.
  5. Select a dashboard or view from the list.
  6. Click Save. The dashboard appears on the navigation editor.
  7. If you are finished adding items to the menu, click Save to save your changes.
  8. Click OK to refresh the page and view your changes.

Add a collection to the menu bar

Use a collection to organize several views or links together in the menu bar.

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Click Add a New Collection.
  3. Type a Name. For example, Audit.
  4. Click Save. The collection appears on the navigation editor.

You must add a view or link to the collection before it appears in the menu navigation.

Add a view to an existing collection

Add views to an existing collection.

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Locate the collection that you want to add views to.
  3. Click the Add View icon.
  4. Leave View Options set to the default of View.
  5. Click Select a View from Unused Views.
  6. Select a view from the list.
  7. Click Save. The view appears on the navigation editor.
  8. If you are finished adding items to the menu, click Save to save your changes.
  9. Click OK to refresh the page and view your changes.

Add a link to the menu bar

You can add a link to the menu bar of Splunk Enterprise Security. For example, add a link to a specifically filtered view of Incident Review or to an external ticketing system.

Create a link in the menu to an external system or webpage

  1. On the Enterprise Security menu bar, select Configure > General > Navigation.
  2. Click Add a New View to add it to the menu, or locate an existing collection and click the Add View icon to add the link to an existing collection of views.
  3. Select Link from View Options.
  4. Type a Name to appear on the Splunk Enterprise Security menu. For example, Splunk Answers.
  5. Type a link. For example, https://answers.splunk.com/
  6. Click Save.
  7. If you are finished adding items to the menu, click Save to save your changes.
  8. Click OK to refresh the page and view your changes.

Add a link to a filtered view of Incident Review

A common link to add to the menu bar is a filtered view of Incident Review.

  1. Filter Incident Review with your desired filters. When you filter the dashboard, the URL updates with query string parameters matching your filters.
  2. In the web browser address bar, copy the part of the URL that starts with /app/SplunkEnterpriseSecuritySuite/ and paste it in a plain text file for reference.
    For example, if you filtered the dashboard to show only critical notable events, the part of the URL that you copy looks like /app/SplunkEnterpriseSecuritySuite/incident_review?form.selected_urgency=critical.
  3. On the Enterprise Security menu bar, select Configure > General > Navigation.
  4. Click Add a New View to add it to the menu, or locate an existing collection and click the Add View icon to add the link to an existing collection of views.
  5. Select Link from View Options.
  6. Type a Name to appear on the Splunk Enterprise Security menu. For example, IR - Critical.
  7. In the Link field, paste the URL section. For example, /app/SplunkEnterpriseSecuritySuite/incident_review?form.selected_urgency=critical
  8. Click Save.
  9. If you are finished adding items to the menu, click Save to save your changes.
  10. Click OK to refresh the page and view your changes.

If you add a link with multiple parameters, you must modify the query string by encoding the & that separates the parameters as &amp;. For example, type the link for a filtered view of Incident Review that shows new and unassigned notable events as /app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=1&amp;form.owner_form=unassigned.

You can also construct a URL manually using the parameters in the following table. Use an asterisk to show all results for a specific parameter.

| Parameter | Description | Possible values | Example |
|---|---|---|---|
| form.selected_urgency | Display notable events with the urgency specified by this parameter. | critical, high, medium, low, informational | form.selected_urgency=critical |
| form.status_form | Display notable events with the status specified by this parameter. An integer corresponds to each status value. | 0 for unassigned, 1 for new, 2 for in progress, 3 for pending, 4 for resolved, 5 for closed | form.status_form=0 |
| form.owner_form | Display notable events owned by the user specified by this parameter. | usernames | form.owner_form=admin |
| form.rule_name | Display notable events created by the correlation search specified by this parameter. HTML-encode spaces in the correlation search name and use the name that appears in the notable event rather than the name that appears on Content Management. | Endpoint - Host With Multiple Infections - Rule | form.rule_name=Endpoint%20-%20Host%20With%20Multiple%20Infections%20-%20Rule |
| form.tag | Displays notable events with the tag specified by this parameter. | malware, any custom tag value | form.tag=malware |
| form.srch | Displays notable events that match the SPL specified in this parameter. HTML-encode special characters such as = for key-value pairs. | dest=127.0.0.1 | form.srch=dest%3D127.0.0.1 |
| form.security_domain_form | Displays notable events in the security domain specified by this parameter. | access, endpoint, network, threat, identity, audit | form.security_domain_form=endpoint |
| earliest= and latest= | Displays notable events in the time range specified by these parameters. Specify a relative time range. HTML-encode special characters such as @. | -24h@h, now | earliest=-24h%40h&latest=now |
| form.new_urgency_count_form | Displays notable events that do not have the urgency specified by this parameter. | critical, high, medium, low, informational | form.new_urgency_count_form=informational |
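The following script is an added example, not Splunk's own code, that carries out the link-building procedure above in one place: it takes the filter values an analyst wants, checks them against the possible values in the parameter table, percent-encodes the values the way the table's examples do (spaces as %20, = as %3D, @ as %40), joins multiple parameters with &, and produces a second form with & escaped as &amp; for pasting into the navigation editor's Link field. The parameter names, allowed values, and the /app/SplunkEnterpriseSecuritySuite/incident_review path come from this page; the function and argument names are the example's own.

```python
"""Build filtered Incident Review links for the Splunk ES menu bar.

Added example (not Splunk's code). Parameter names, allowed values and the
Incident Review path are taken from the parameter table on the page;
function and argument names are this example's own.
"""
from html import escape
from urllib.parse import quote, urlencode

BASE_PATH = "/app/SplunkEnterpriseSecuritySuite/incident_review"

# Possible values, as listed in the page's parameter table.
URGENCIES = ("critical", "high", "medium", "low", "informational")
STATUS_CODES = {"unassigned": 0, "new": 1, "in progress": 2,
                "pending": 3, "resolved": 4, "closed": 5}
SECURITY_DOMAINS = ("access", "endpoint", "network", "threat", "identity", "audit")
WILDCARD = "*"  # an asterisk shows all results for a parameter


def _check(name, value, allowed):
    """Reject values the dashboard form does not accept; '*' is always allowed."""
    if value != WILDCARD and value not in allowed:
        raise ValueError(f"{name}: {value!r} is not one of {sorted(allowed)}")
    return value


def build_incident_review_link(urgency=None, status=None, owner=None,
                               rule_name=None, tag=None, srch=None,
                               security_domain=None, earliest=None,
                               latest=None, exclude_urgency=None):
    """Return the path-and-query part of a filtered Incident Review URL.

    Values are percent-encoded with urllib's quote (space -> %20, '=' -> %3D,
    '@' -> %40), which matches the encoded examples in the page's table.
    The status is given by name and translated to the integer the form expects.
    """
    params = []
    if urgency is not None:
        params.append(("form.selected_urgency", _check("urgency", urgency, URGENCIES)))
    if status is not None:
        _check("status", status, STATUS_CODES)
        code = WILDCARD if status == WILDCARD else str(STATUS_CODES[status])
        params.append(("form.status_form", code))
    if owner is not None:
        params.append(("form.owner_form", owner))
    if rule_name is not None:
        # Use the rule name as it appears in the notable event.
        params.append(("form.rule_name", rule_name))
    if tag is not None:
        params.append(("form.tag", tag))
    if srch is not None:
        params.append(("form.srch", srch))
    if security_domain is not None:
        params.append(("form.security_domain_form",
                       _check("security_domain", security_domain, SECURITY_DOMAINS)))
    if earliest is not None:
        params.append(("earliest", earliest))
    if latest is not None:
        params.append(("latest", latest))
    if exclude_urgency is not None:
        params.append(("form.new_urgency_count_form",
                       _check("exclude_urgency", exclude_urgency, URGENCIES)))
    if not params:
        return BASE_PATH
    # safe="*" keeps the wildcard literal; every other reserved character is encoded.
    return BASE_PATH + "?" + urlencode(params, safe=WILDCARD, quote_via=quote)


def nav_menu_link(**filters):
    """The same link with '&' written as '&amp;', as the navigation editor's Link field requires."""
    return escape(build_incident_review_link(**filters), quote=False)


if __name__ == "__main__":
    print(build_incident_review_link(urgency="critical"))
    print(nav_menu_link(status="new", owner="unassigned"))
    print(build_incident_review_link(rule_name="Endpoint - Host With Multiple Infections - Rule"))
```

Use build_incident_review_link when you want the raw URL to test in a browser address bar, and nav_menu_link for the value you paste into the Link field; the two differ only in the &amp; escaping that the note above describes, so a link that works in the browser but breaks in the menu is usually one that skipped that step.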

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only
