Customize Splunk Security Essentials with the Custom Content dashboard
Add custom content to use Splunk Security Essentials as a use case library that tracks what you have already built. Custom content lets you map a search that you created to existing Splunk Security Essentials content. If no existing content matches your search, create new custom content and track it from the Custom Content dashboard.
You can add custom content to Splunk Security Essentials by following these steps:
- In Splunk Security Essentials, navigate to Security Content > Custom Content.
- Click Add Custom Content.
- Enter the required information for your custom content.
- Click Add.
For a good user experience, fill in your company information. HTML and Markdown aren't rendered in the description, but a literal \n is converted to a line break.
After you add custom content, its configuration is stored in the custom_content_lookup KV store collection, and you can pull the JSON from that collection. Adjust the file slightly before you migrate it to the final hosted file: add the channel, which is configured in your essentials_updates.conf file, and the ID. You might also change the ID to indicate that the content comes from your organization rather than being custom content. Also update the link in the dashboard attribute.
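The following script is an added example of that adjustment step, not code that ships with Splunk Security Essentials. It takes records as they come out of the custom_content_lookup collection (a constructed sample is embedded), reads the channel name from an essentials_updates.conf body (also constructed), then strips the KV store bookkeeping fields, sets channel, assigns an organization-prefixed id, rewrites the dashboard link, and validates the result before it is written out for hosting. The record field names other than channel, id and dashboard, the assumption that each essentials_updates.conf stanza names a channel, the showcase_custom?showcaseId= link shape, and the output being a JSON array are all assumptions made for illustration.

```python
"""Post-process custom content pulled from the Splunk Security Essentials
custom_content_lookup KV store collection into a file ready to host as a
content channel.

Added example, not SSE's own code. Everything except the channel, id and
dashboard attributes named in the documentation is an assumption.
"""
import configparser
import json
import re

# Constructed sample of two records pulled from the KV store collection.
# Splunk adds _key and _user to every KV store record; the other field
# names are assumptions. The description keeps a literal \n, which SSE
# turns into a line break.
SAMPLE_KVSTORE_EXPORT = json.loads(r'''[
  {
    "_key": "64a1c0f0d1e2f3a4b5c6d7e8",
    "_user": "nobody",
    "name": "Suspicious PowerShell Download Cradle",
    "description": "Flags powershell.exe invoking Net.WebClient.\\nTune for patch hosts.",
    "dashboard": "showcase_custom?showcaseId=custom_suspicious_powershell_download_cradle",
    "search": "index=wineventlog EventCode=4688 New_Process_Name=*powershell.exe CommandLine=*Net.WebClient*"
  },
  {
    "_key": "64a1c0f0d1e2f3a4b5c6d7e9",
    "_user": "nobody",
    "name": "Rare Service Installation",
    "description": "Service names seen for the first time in 30 days.",
    "dashboard": "showcase_custom?showcaseId=custom_rare_service_installation",
    "search": "index=wineventlog EventCode=7045 | stats earliest(_time) as first_seen by Service_Name"
  }
]''')

# Constructed essentials_updates.conf body. Assumption: each stanza names a
# channel and carries the URL the hosted file is served from.
SAMPLE_ESSENTIALS_UPDATES_CONF = """\
[acme_detections]
url = https://content.example.com/sse/acme_detections.json
"""

# Fields every hosted record must carry; the first three are from the docs,
# the rest are assumed.
REQUIRED_FIELDS = ("id", "channel", "dashboard", "name", "description")


def read_channels(conf_text):
    """Return the stanza names of an essentials_updates.conf body.
    Splunk .conf files are INI-like, so configparser can read them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return list(parser.sections())


def slug(text):
    """Lowercase identifier fragment: letters and digits joined by '_'."""
    return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")


def convert_record(record, channel, id_prefix, dashboard_template):
    """Turn one KV store record into a hosted-content record.

    Drops Splunk's _key/_user, stamps the channel, replaces the id with an
    organization-prefixed one so it no longer reads as custom content, and
    rewrites the dashboard link (template is an assumption) to the new id.
    """
    rec = {k: v for k, v in record.items() if not k.startswith("_")}
    rec["channel"] = channel
    rec["id"] = f"{id_prefix}_{slug(rec['name'])}"
    rec["dashboard"] = dashboard_template.format(id=rec["id"])
    return rec


def build_hosted_file(export, channel, id_prefix,
                      dashboard_template="showcase_custom?showcaseId={id}"):
    """Convert all records and refuse to emit a file with gaps or duplicate ids."""
    hosted = [convert_record(r, channel, id_prefix, dashboard_template) for r in export]
    seen = set()
    for rec in hosted:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            raise ValueError(f"record {rec.get('name')!r} is missing {missing}")
        if rec["id"] in seen:
            raise ValueError(f"duplicate id {rec['id']!r}")
        seen.add(rec["id"])
    return hosted


if __name__ == "__main__":
    channel = read_channels(SAMPLE_ESSENTIALS_UPDATES_CONF)[0]
    print(json.dumps(build_hosted_file(SAMPLE_KVSTORE_EXPORT, channel, "acme"), indent=2))
```

In practice you would replace SAMPLE_KVSTORE_EXPORT with the JSON pulled from the collection and point the dashboard link wherever your hosted dashboards live; the validation loop is what catches a record that silently kept its _key or collided with another id after prefixing.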
Create custom content from saved searches
You can add custom content from saved searches to Splunk Security Essentials by following these steps:
- In Splunk Security Essentials, navigate to Security Content > Custom Content.
- Click Add Custom Content.
- Click Create From Local Saved Search.
- Click the saved search you want to use to create your custom content. After you select your search, many fields autopopulate. If a field didn't autopopulate, enter the required information.
- Click Add.
This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1