Administering Splunk Enterprise Security
Splunk Enterprise Security administrators are responsible for configuring, maintaining, auditing, and customizing an instance of Splunk Enterprise Security. If you are not administering Splunk Enterprise Security, see Use Splunk Enterprise Security for an introduction to using this app as a security analyst.
Use the links below to learn more about administrative tasks in Splunk Enterprise Security.
Manage and support analyst workflows
To enable and customize the workflows for analysts in your organization, see:
Enrich data for Enterprise Security
Enrich Splunk Enterprise Security with data about the assets and identities in your environment and with additional data about known threats.
- See Add asset and identity data to Splunk Enterprise Security for a full list of tasks related to adding and managing asset and identity data in Splunk Enterprise Security.
- See Add threat intelligence to Splunk Enterprise Security for information on all tasks related to managing threat intelligence sources in Splunk Enterprise Security.
Manage and customize configurations
To perform ongoing configuration in Splunk Enterprise Security, see:
You can find additional configuration information in the Install and Upgrade Manual.
Create, manage, and export content
To create new content or manage and customize existing content, see:
To share custom content with other ES instances, see Export content from Splunk Enterprise Security as an app.
Troubleshoot dashboards
- For tips and best practices useful for troubleshooting dashboards in Enterprise Security, see Troubleshoot dashboards in Splunk Enterprise Security.
- For information about data model datasets that populate Enterprise Security dashboards, see Dashboard requirements matrix for Splunk Enterprise Security.
- For an overview of all dashboards in Splunk Enterprise Security, see Introduction to the dashboards available in Splunk Enterprise Security in Use Splunk Enterprise Security.
Configure users and roles
Configure user roles and capabilities to provide granular, role-based access control for your organization. See Configure users and roles.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2