Manage general settings for Splunk Enterprise Security
As a Splunk Enterprise Security administrator, you can make configuration changes to your Splunk Enterprise Security installation such as changing threshold values, macro definitions, search filters, and other settings.
Follow these steps to configure general settings for Splunk Enterprise Security:
- In the Splunk Enterprise Security app, select the Configure tab.
- Select General settings.
- Use the following table to make configuration changes to your Splunk Enterprise Security app instance.
| Setting | Purpose |
| --- | --- |
| Analyst capacity | Provides a relative measure of an analyst's workload by specifying the maximum number of findings assigned to an analyst. |
| Auto pause | Specifies the time in seconds before a drill-down search stops, to tune search performance. A value of 0 means that the drill-down search never stops automatically. |
| AWS index | Configures the AWS index for Cloud Security dashboards. |
| Command pipeline for finding modular alerts | Specifies the SPL command pipeline for the finding modular alerts. |
| Command pipeline for risk modular alerts | Specifies the SPL command pipeline for the risk modular alerts. |
| Configure Microsoft 365 index | Configures Microsoft 365 indexes for Cloud Security dashboards. |
| Default series limits exceeds threshold | Turns on or turns off displaying the term "Other" on charts that exceed the default series limits. |
| Default watchlist search | Defines a search string for the `tag=watchlist` of threat intelligence events in the 'Watchlisted Event Observed' detection. |
| Detection versions | Turns on or turns off versioning for detections. |
| Disk quota for search results (admin) | Configures the maximum disk space (in MB) allocated to an administrator user to store search results. |
| Disk sync delay | Configures the number of seconds that Splunk Enterprise Security waits before a disk flush is completed. A synchronizing delay is built into indexed real-time searches as a precaution so that none of the data is missed. |
| Distributed configuration management | Provides links to download Splunk helper applications for distributed deployments. |
| Domain analysis | Turns on or turns off WHOIS tracking for web domains. When this setting is turned on, the search macro expands to `outputcheckpoint modinput=whois` by default if it is referenced in another search. When it is turned off, the macro expands to `noop`. |
| Enhanced workflows | Turns on table filters, table columns, and shared views on the Mission Control page of Splunk Enterprise Security. |
| Event sequencing engine | Turns on the main event sequencing engine. |
| Generic error search | Defines events that indicate an error has occurred. |
| Jobs quota for search results (admin) | Configures the maximum number of concurrent searches that an admin user can run. |
| Jobs quota for search results (power) | Configures the maximum number of concurrent searches that a power user can run. |
| Large email threshold | Defines the size (in bytes) above which an email is considered large. |
| Licensing event count filter | Defines the list of indexes to exclude from the summarization: Events per day. |
| Minimum length of threat intelligence | Configures the minimum string length required for threat intelligence with wildcard characters. |
| Maximum documents saved in KVStore | Defines the maximum number of documents that can be saved in a single batch to a KVStore collection. |
| Maximum threat artifacts | Defines the maximum number of threat artifacts returned for unfiltered searches on the Threat Artifacts dashboard. The default value is 10000. This setting is managed in the `threat_artifacts_max` macro editor. |
| Override email alert action | Overrides the email alert action settings to allow users to send findings by email through adaptive response actions. |
| Realtime indexing | Turns on or turns off real-time indexing. Configuring your real-time searches to run after the events are indexed can greatly improve indexing performance. Use real-time indexing when up-to-the-second accuracy is not needed. |
| Risk severity range map | Adjusts the numeric ranges that map risk scores to severity levels, so that you can tune severity to the specific requirements of your environment. |
| Regex for domain extraction from URL | Extracts the domain (`url_domain`) from the URL. |
| Short lived account length | Defines the time threshold for identifying account creation and deletion records as anomalous. An account that is created and then deleted within this threshold is considered anomalous. |
| Sparkline span (Category analysis) | Configures the bucket time span for sparklines displayed in the dashboard: HTTP category analysis. |
| Sparkline span (New domain analysis) | Configures the bucket time span for sparklines displayed in the dashboard: New domain analysis. |
| Sparkline span (User agent analysis) | Configures the bucket time span for sparklines displayed in the dashboard: HTTP user agent analysis. |
| Sparkline start time (Category analysis) | Configures the start time for sparklines displayed on the dashboard: HTTP category analysis. |
| Sparkline start time (User agent analysis) | Configures the start time for sparklines displayed in the dashboard: HTTP user agent analysis. |
| Top 1 million site source | Displays the source for the top 1 million sites. |
| Tstats macro distribution | Determines whether the `tstats` macros must be distributed. |
| Tstats or summaries macro | Determines whether the `tstats` or `summariesonly` macro searches only accelerated events. |
| Website watchlist search | Lists watchlisted websites used by the detection: Watchlisted events. |
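The "Short lived account length" setting above is the one threshold in this table that encodes a detection rule rather than a display or quota limit. The following Python script is an added example, not code from this page or from Splunk, showing how such a threshold is applied: it pairs each account creation with the next deletion of the same account and flags lifetimes that fall within the configured number of seconds. The event layout (`_time`, `user`, `action` fields) and the sample records are constructed for the example and are not Splunk Enterprise Security's own schema; deletions with no preceding creation are skipped, and an account is evaluated once per create/delete cycle.

```python
"""Short-lived account check over constructed account lifecycle events.

Mirrors the "Short lived account length" setting: an account whose creation
and deletion fall within the configured threshold is flagged as anomalous.
Field names and records below are assumptions for this example only.
"""
from datetime import datetime, timezone

# Constructed sample events (not real log data). Note the out-of-order
# deletion for "jdoe" with no creation record, and two cycles for "tmp_admin".
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00Z", "user": "svc_backup", "action": "created"},
    {"_time": "2024-05-01T08:00:30Z", "user": "tmp_admin", "action": "created"},
    {"_time": "2024-05-01T08:20:00Z", "user": "tmp_admin", "action": "deleted"},
    {"_time": "2024-05-01T09:00:00Z", "user": "jdoe", "action": "deleted"},
    {"_time": "2024-05-03T08:00:00Z", "user": "svc_backup", "action": "deleted"},
    {"_time": "2024-05-04T10:00:00Z", "user": "tmp_admin", "action": "created"},
    {"_time": "2024-05-04T10:05:00Z", "user": "tmp_admin", "action": "deleted"},
]


def _parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used by the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_short_lived_accounts(events, threshold_seconds):
    """Return a list of (user, lifetime_seconds) for every create->delete
    pair whose lifetime is at most threshold_seconds, in deletion order.

    Events are sorted by time first so that arrival order does not matter.
    A deletion without an open creation for that user is ignored, because
    the lifetime cannot be computed from the data at hand.
    """
    open_accounts = {}  # user -> creation time of the currently open account
    flagged = []
    for event in sorted(events, key=lambda e: _parse_time(e["_time"])):
        when = _parse_time(event["_time"])
        user = event["user"]
        if event["action"] == "created":
            open_accounts[user] = when
        elif event["action"] == "deleted" and user in open_accounts:
            lifetime = int((when - open_accounts.pop(user)).total_seconds())
            if lifetime <= threshold_seconds:
                flagged.append((user, lifetime))
    return flagged


if __name__ == "__main__":
    # One-hour threshold: both tmp_admin cycles are flagged, svc_backup is not.
    for user, lifetime in find_short_lived_accounts(SAMPLE_EVENTS, 3600):
        print(f"short-lived account: {user} existed for {lifetime} s")
```

Raising or lowering the threshold changes only the comparison, not the pairing logic, which is why the setting can be tuned per environment without rewriting the detection: a noisy directory with frequent legitimate temporary accounts calls for a smaller value, a quiet one can tolerate a larger window.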
See also
For more information on general settings in Splunk Enterprise Security, see the product documentation:
Turn off the enhanced workflow on the Mission Control page
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0