Splunk® Security Essentials


This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

Customize Splunk Security Essentials with the Custom Content dashboard

Add custom content to use Splunk Security Essentials as a use case library that tracks what you have already built. Custom content lets you map a search that you created to existing Splunk Security Essentials content. If no existing content matches your search, create new custom content for it and track it from the Custom Content dashboard.

You can add custom content to Splunk Security Essentials by following these steps:

  1. In Splunk Security Essentials, navigate to Security Content > Custom Content.
  2. Select Add Custom Content.
  3. Enter the required information for your custom content.
  4. Select Add.

For a good user experience, fill in the information that is specific to your organization. The Description field doesn't accept HTML or Markdown, but a literal \n in the description is automatically rendered as a line break.

After you add custom content, its configuration is stored in the custom_content_lookup KV store collection. You can export the configuration as JSON from that KV store collection.

Before you migrate the exported configuration to the final hosted file, adjust it slightly: add the channel, which is configured in your essentials_updates.conf file, and the ID. You might also change the ID so that it identifies the content as your organization's rather than as custom content. Also update the link in the dashboard attribute so that it points to the right location.
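The following script is an added example, not part of Splunk Security Essentials, that performs the adjustments described above on an exported custom_content_lookup collection: it strips the KV store bookkeeping fields, sets the channel, re-IDs each record, repoints the dashboard link, and refuses descriptions that contain HTML. It assumes the export is the JSON array returned by the KV store REST endpoint /servicesNS/nobody/Splunk_Security_Essentials/storage/collections/data/custom_content_lookup, and that field names other than channel, id and dashboard (for example name and description) follow the Custom Content form labels; the sample export, the prefix-plus-slug ID convention and the dashboard_host parameter are constructed for illustration.

```python
"""Rewrite an exported custom_content_lookup KV store collection for hosting.

Added example, not Splunk Security Essentials code. Assumptions the page does
not state: the export is the JSON array that the KV store REST endpoint
/servicesNS/nobody/Splunk_Security_Essentials/storage/collections/data/custom_content_lookup
returns, and field names other than "channel", "id" and "dashboard" (e.g.
"name", "description") follow the Custom Content form labels.
"""
import json
import re
from urllib.parse import urlsplit, urlunsplit

# KV store bookkeeping fields that must not travel into the hosted file.
KVSTORE_METADATA = {"_key", "_user"}

# Fields every hosted record must carry before it is published.
REQUIRED = ("id", "channel", "name", "description", "dashboard")

HTML_TAG = re.compile(r"<[^>]+>")
NON_SLUG = re.compile(r"[^a-z0-9]+")


def slug(text):
    """Lower-case, hyphen-separated identifier fragment derived from a name."""
    return NON_SLUG.sub("-", text.lower()).strip("-")


def migrate_record(record, channel, id_prefix, dashboard_host):
    """Return a copy of one KV store record rewritten for the hosted content file."""
    rec = {k: v for k, v in record.items() if k not in KVSTORE_METADATA}
    missing = [f for f in ("name", "description", "dashboard") if not rec.get(f)]
    if missing:
        raise ValueError(f"record {record.get('_key')!r} lacks {missing}")
    # The description accepts no HTML or Markdown; only a literal \n is rendered.
    if HTML_TAG.search(rec["description"]):
        raise ValueError(f"record {record.get('_key')!r}: HTML in description")

    # The channel must match the one configured in essentials_updates.conf.
    rec["channel"] = channel
    # Re-ID the content so it reads as your organization's rather than as custom
    # content (prefix + slug of the name is this example's convention, not the app's).
    rec["id"] = f"{id_prefix}-{slug(rec['name'])}"
    # Repoint the dashboard link at dashboard_host, keeping path and query so the
    # link still lands on the same dashboard (assumed layout of the attribute).
    parts = urlsplit(rec["dashboard"])
    rec["dashboard"] = urlunsplit(("https", dashboard_host, parts.path, parts.query, ""))
    return rec


def migrate_export(export_text, channel, id_prefix, dashboard_host):
    """Parse a KV store export and return hosted-file records, refusing duplicate IDs."""
    out, seen = [], set()
    for record in json.loads(export_text):
        rec = migrate_record(record, channel, id_prefix, dashboard_host)
        if rec["id"] in seen:
            raise ValueError(f"duplicate id {rec['id']!r} after re-ID")
        seen.add(rec["id"])
        if not all(rec.get(f) for f in REQUIRED):
            raise ValueError(f"record {rec['id']!r} is missing a required field")
        out.append(rec)
    return out


# Constructed sample export (two records); all values are illustrative only.
SAMPLE_EXPORT = json.dumps([
    {
        "_key": "5f2a1c0e9d3b4a7e8c1d2f30",
        "_user": "nobody",
        "name": "Service Account Interactive Logon",
        "description": "Flags interactive logons by svc_* accounts.\\nTune the allowlist first.",
        "severity": "high",
        "alertvolume": "low",
        "dashboard": "https://splunk.example.internal:8000/en-US/app/search/svc_logon_review",
    },
    {
        "_key": "5f2a1c0e9d3b4a7e8c1d2f31",
        "_user": "nobody",
        "name": "Rare Parent For PowerShell",
        "description": "Parent processes that rarely spawn powershell.exe.",
        "severity": "medium",
        "alertvolume": "medium",
        "dashboard": "/en-US/app/search/rare_ps_parent",
    },
])

if __name__ == "__main__":
    hosted = migrate_export(SAMPLE_EXPORT, channel="acme_sec", id_prefix="acme",
                            dashboard_host="content.example.org")
    print(json.dumps(hosted, indent=2))
```

Run it against the JSON you pulled from the KV store collection and write the result to the file you host. Keep the credentials you use to read the KV store out of the hosted file; the export contains only content metadata, and nothing here should carry an authentication token.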

Create custom content from saved searches

You can add custom content from saved searches to Splunk Security Essentials by following these steps:

  1. In Splunk Security Essentials, navigate to Security Content > Custom Content.
  2. Select Add Custom Content.
  3. Select Create From Local Saved Search.
  4. Select the saved search you want to use to create your custom content. After you select the search, many fields autopopulate. If a field doesn't autopopulate, enter the required information.
  5. Select Add.

Create custom content from third-party applications

Create custom content from third-party applications in Splunk Security Essentials to better manage your security content all in one place by following these steps:

  1. In Splunk Security Essentials, navigate to Security Content > Custom Content.
  2. Select Add Custom Content.
  3. Enter a name for your custom content in the Name field. Names have a maximum of 150 characters.
  4. Select Solved Outside of Splunk.
  5. Enter the application or add-on name of the source of your third-party content in Originating App field.
  6. Select the Bookmarked Status of the content. For example, "Successfully Implemented."
  7. Select the stage of the Journey that this custom content appears in.
  8. Select the Use Case for this custom content. For example, "Insider Threat."
  9. Select whether this custom content is Featured or not. As a guideline, feature no more than 15 percent of your content.
  10. Select the Alert Volume for this custom content from high to low.
  11. Select the Severity of this custom content from high to low.
  12. Select the Category for this custom content. For example, "Account Compromise."
  13. Select the Data Source Category for this custom content.
  14. Enter a description for this custom content in the Description field.
  15. (Optional) Add metadata, descriptive, or search fields.
  16. Select Add.

If your content was added successfully, a success message appears and your content is listed on both the Custom Content page and the Security Content page. On the Security Content page, you can filter the third-party custom content you added by Originating App.

Last modified on 26 September, 2022

This documentation applies to the following versions of Splunk® Security Essentials: 3.6.0

