Splunk® Enterprise Security

Administer Splunk Enterprise Security

Turn on detections in Splunk Enterprise Security

Turn on the detections that you want to use in Splunk Enterprise Security so that they can create findings and run adaptive response actions. All detections in Splunk Enterprise Security are turned off by default when you install the app, so that you can choose only the detections that are relevant to your use cases.

As a detection engineer or security analyst, you can run finding-based detections to generate findings when the sum of risk scores for all events associated with an entity reaches a certain threshold. Finding-based detections mine the risk index and aggregate the risk associated with entities such as assets and identities.
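The following Python example, added here and not taken from Splunk Enterprise Security or its documentation, illustrates the aggregation that a finding-based detection performs: risk events attributed to an entity are summed within a look-back window, and a finding is produced once the sum reaches a threshold. The event list, field names (`risk_object`, `risk_object_type`, `risk_score`, `search_name`), the threshold, and the window length are all constructed for illustration and do not reflect any actual Splunk index schema or default values.

```python
from collections import defaultdict

# Reference point for the look-back window (constructed epoch timestamp).
NOW = 1730000000

# Constructed sample of risk-index-style events; not real Splunk data.
# Each event names the entity it was attributed to, the score assigned
# to it, and the detection (search_name) that produced it.
SAMPLE_RISK_EVENTS = [
    {"_time": NOW - 600,  "risk_object": "alice",  "risk_object_type": "user",
     "risk_score": 20, "search_name": "Suspicious login"},
    {"_time": NOW - 300,  "risk_object": "alice",  "risk_object_type": "user",
     "risk_score": 30, "search_name": "Unusual process"},
    {"_time": NOW - 120,  "risk_object": "alice",  "risk_object_type": "user",
     "risk_score": 25, "search_name": "Data transfer"},
    {"_time": NOW - 7200, "risk_object": "host01", "risk_object_type": "system",
     "risk_score": 40, "search_name": "Malware alert"},
    {"_time": NOW - 60,   "risk_object": "host01", "risk_object_type": "system",
     "risk_score": 15, "search_name": "Port scan"},
    {"_time": NOW - 30,   "risk_object": "bob",    "risk_object_type": "user",
     "risk_score": 10, "search_name": "Failed login"},
]


def aggregate_risk(events, threshold, now=NOW, window_seconds=None):
    """Sum risk scores per entity and return a finding for each entity
    whose total reaches the threshold.

    window_seconds limits the aggregation to events no older than
    now - window_seconds; None aggregates every event supplied.
    Findings are returned sorted by entity name so the output is stable.
    """
    totals = defaultdict(int)
    sources = defaultdict(set)

    for ev in events:
        if window_seconds is not None and ev["_time"] < now - window_seconds:
            continue  # outside the look-back window; ignore
        key = (ev["risk_object_type"], ev["risk_object"])
        totals[key] += ev["risk_score"]
        sources[key].add(ev["search_name"])

    findings = []
    for (obj_type, obj), total in totals.items():
        if total >= threshold:
            findings.append({
                "entity": obj,
                "type": obj_type,
                "risk_total": total,
                # Which detections contributed; useful for triage.
                "sources": sorted(sources[(obj_type, obj)]),
            })
    return sorted(findings, key=lambda f: f["entity"])


if __name__ == "__main__":
    # One-hour window, threshold 60: only alice (75) qualifies.
    for finding in aggregate_risk(SAMPLE_RISK_EVENTS, threshold=60, window_seconds=3600):
        print(finding)
```

Note that the window matters: host01 accumulates 55 points across all events but only 15 within the last hour, so it does not produce a finding under the windowed run. Tuning the threshold and window, together with turning off detections that only add noise, is how the volume of findings is kept manageable.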

Turn on detections

Follow these steps to turn on detections to start creating findings and running adaptive response actions:

  1. Select Security content and then select Detections.
  2. Sort the security content by type so that the list shows detections.
  3. Locate the name of the detection you want to turn on.
  4. In the Status column, select Turn on to activate the detections that you want to run.

Once turned on, the detections run on the schedule set in the detection editor. Turn off detections that you do not need so that they do not generate unnecessary noise.

See also

For more information on running detections in Splunk Enterprise Security, see the product documentation:

Last modified on 28 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
