Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

ESCU components

The ESCU app delivers its content in a set of configuration files that work together and support the daily security operations of an organization.

The following configuration files are included in the default directory of the app:

  • savedsearches.conf: The standard Splunk Platform configuration file that contains the search stanzas for the detection analytics and various other metadata about each search. You can find detailed information on the ESCU savedsearches.conf configuration file on the security_content wiki page. For more information, see the Github link.
  • analyticstories.conf: The standard Splunk Platform configuration file that contains the stanza definitions and various other metadata about the analytic stories in the app. You can find detailed information on the ESCU analyticstories.conf configuration file on the security_content wiki page. For more information, see the Github link.
  • macros.conf: The standard Splunk Platform configuration file that contains the definitions of all the macros used by the ESCU analytics. For more information, see the Github link.
  • transforms.conf: The standard Splunk Platform configuration file that contains the lookup-related transform definitions used by the ESCU analytics. For more information, see the Github link.
  • collections.conf: The standard Splunk Platform configuration file that contains the definitions of the KV Store collections used by the ESCU analytics. For more information, see the Github link.

Additionally, the following files are also included in the default directory of the app:

  • Lookups: Directory that contains the latest lookup files (.csv) used by the various detection analytics. For more information, see the Github link.
  • Dashboards: Dashboard-specific XML configurations for the dashboards shipped in the ESCU app, located in the following directory: default/data/ui/view
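Because a detection in savedsearches.conf only runs correctly when every macro it invokes exists in macros.conf and every lookup it calls is defined in transforms.conf, a quick consistency check across these files is useful before deploying or customizing content. The script below is an added example, not code from Splunk or the ESCU app: it parses the three files in the standard Splunk conf layout (stanza headers, key = value pairs, backslash line continuation) and reports detections that reference an undefined macro or lookup. The stanza names, search text and macro definitions embedded in it are constructed samples; the `security_content_summariesonly` and `<detection>_filter` macro names follow ESCU naming conventions, but their definitions here are placeholders, not the app's own.

```python
"""Cross-check Splunk .conf files for detections that reference undefined macros or lookups.

Added example, not part of the Splunk documentation or the ESCU app. All sample
stanzas below are constructed; macro definitions are placeholders.
"""
import re
from typing import Dict, List, Set


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk conf syntax: [stanza] headers, key = value, trailing-backslash continuation."""
    joined: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):           # continuation: drop the backslash, keep reading
            buf += raw.rstrip()[:-1]
            continue
        joined.append(buf + raw)
        buf = ""
    if buf:
        joined.append(buf)

    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in joined:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in s:
            continue
        key, _, value = s.partition("=")          # first '=' separates key from value
        stanzas[current][key.strip()] = value.strip()
    return stanzas


# `name` or `name(arg1,arg2)`; macros.conf names the latter as [name(2)]
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(\(([^`]*)\))?`")
# "| lookup [local=true] [update=true] <table-name> ..."; inputlookup does not match at \b
LOOKUP_RE = re.compile(r"\blookup\s+(?:(?:local|update)=\S+\s+)*([A-Za-z0-9_.-]+)")


def macro_refs(search: str) -> Set[str]:
    """Return macro stanza names referenced by an SPL string, e.g. {'foo', 'bar(2)'}."""
    refs: Set[str] = set()
    for m in MACRO_RE.finditer(search):
        name, _, args = m.groups()
        if args is None:
            refs.add(name)
        else:
            refs.add(f"{name}({len(args.split(',')) if args.strip() else 0})")
    return refs


def lookup_refs(search: str) -> Set[str]:
    return set(LOOKUP_RE.findall(search))


def check_content(saved_text: str, macros_text: str, transforms_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each problematic detection stanza to its missing macros and lookups."""
    saved = parse_conf(saved_text)
    macros = parse_conf(macros_text)
    lookups = set(parse_conf(transforms_text))
    problems: Dict[str, Dict[str, List[str]]] = {}
    for stanza, keys in saved.items():
        search = keys.get("search", "")
        seen: Set[str] = set()
        todo = list(macro_refs(search))
        missing_macros: Set[str] = set()
        while todo:                                # expand macros transitively: macros may call macros
            ref = todo.pop()
            if ref in seen:
                continue
            seen.add(ref)
            if ref not in macros:
                missing_macros.add(ref)
                continue
            todo.extend(macro_refs(macros[ref].get("definition", "")))
        expanded = search + " " + " ".join(macros[r].get("definition", "") for r in seen if r in macros)
        missing_lookups = {name for name in lookup_refs(expanded) if name not in lookups}
        if missing_macros or missing_lookups:
            problems[stanza] = {"macros": sorted(missing_macros), "lookups": sorted(missing_lookups)}
    return problems


# Constructed sample content mirroring the conf layout of the three files.
SAVED = r"""
[ESCU - Example Detection - Rule]
search = | tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes \
    where Processes.process_name="example.exe" by Processes.dest \
    | `drop_dm_object_name(Processes)` | lookup example_lookup_file Processes.process_name OUTPUT known_good \
    | `example_detection_filter`

[ESCU - Another Detection - Rule]
search = index=main | `missing_macro` | lookup absent_lookup dest OUTPUT tag | `another_detection_filter`
"""
MACROS = r"""
[security_content_summariesonly]
definition = summariesonly=false allow_old_summaries=true

[drop_dm_object_name(1)]
args = dm_object_name
definition = rename $dm_object_name$.* as *

[example_detection_filter]
definition = search *

[another_detection_filter]
definition = search *
"""
TRANSFORMS = r"""
[example_lookup_file]
filename = example_lookup.csv
"""

if __name__ == "__main__":
    for det, missing in check_content(SAVED, MACROS, TRANSFORMS).items():
        print(f"{det}: missing macros {missing['macros']}, missing lookups {missing['lookups']}")
```

On a real install, read the three files from the app's default directory (and from local, which overrides default) instead of the embedded samples; a detection listed by the script will fail at search time or silently return nothing, so it is worth running the check after every content update or local customization.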

The following configuration files are deprecated:

  • analytic_stories.conf
  • use_case_library.conf
  • commands.conf
Last modified on 15 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.22.0, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0
