Turn on detections in Splunk Enterprise Security
Turn on the detections that you want to activate in Splunk Enterprise Security so that they can create findings and run adaptive response actions. All detections in Splunk Enterprise Security are turned off by default when you install the app so that you can choose the detections that are most relevant to your use cases.
As a detection engineer or security analyst, you can run finding-based detections to generate findings when the sum of risk scores for all events associated with an entity reaches a certain threshold. Finding-based detections mine the risk index and aggregate the risk associated with entities such as assets and identities.
Turn on detections
Follow these steps to turn on detections to start creating findings and running adaptive response actions:
- Select Security content and then select Detections.
- Sort the security content on a type of Detection.
- Locate the name of the detection you want to turn on.
- In the Status column, select Turn on to activate the detections that you want to run.
Once turned on, the detections run based on the schedule set in the detection editor. Turn off detections that you deem unnecessary to avoid unnecessary data noise.
See also
For more information on running detections in Splunk Enterprise Security, see the product documentation:
Specify the time to run detections in Splunk Enterprise Security | Configure adaptive response actions for detections in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!