Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Turn on the detection

After you have verified the results of a detection, you can turn on the detection using the correlation search editor in the Content Management page in Splunk Enterprise Security.

Follow these steps to turn on the detection:

  • Use the correlation search editor to edit the search name, the app context settings, the description, and the Splunk SPL query. CorrelationSearch.png
  • Use the Time range section in the correlation search editor to schedule the detection. For more information, see Schedule correlation searches in Splunk Enterprise Security.
    600px All ESCU detection searches include the following configurations:
    Timestamp Event time
    earliest -70m@m
    latest -10m@m
    Cron schedule 0 * * * *
    Scheduling Continuous
    Schedule window Auto
    Schedule priority Default
  • Configure the adaptive response actions that are triggered when the detection generates an alert. For example, sending email notifications, creating notables, or creating risk alerts.
  • Risk alert action
  • *Notable alert actions
  • Annotations Relevant context to enrich your risk notables within Splunk Enterprise Security such as a specific cybersecurity framework (MITRE ATT&CK, CIS 20, or NIST Controls). You may also add your organization specific annotations in the Unmanaged Annotations section to enrich your risk notables.
Last modified on 15 October, 2024
Enable detections from Analytic Stories   Use ESCU tuning and filter macros to optimize detections

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters