Splunk® Security Essentials

Develop Custom Content in Splunk Security Essentials

Author simple and full-feature content on Splunk Security Essentials

The process of adding content to Splunk Security Essentials (SSE) differs, depending on whether you're an end user, partner, or SSE author.

End users can follow a workflow to add content using the GUI itself. For details on that workflow, see Use the Configuration menu to Customize Splunk Security Essentials in the Use Splunk Security Essentials manual.

Partners can follow the partner-integration process. For details on that workflow, see Integrate third-party content in Splunk Security Essentials.

SSE authors can add custom content by following the steps below; which steps apply depends on whether the custom content is simple or full-feature.

Author simple SSE content

Simple SSE content is custom content that doesn't completely utilize a search builder or have demo data. Some examples of simple content are content for Splunk Enterprise Security, Splunk Enterprise Security Content Update, Splunk User Behavior Analytics, and Splunk Phantom.

Deploying simple content is similar to the process for partner integration, but there are some differences. For more information on the partner integration process, see Integrate third-party content in Splunk Security Essentials. To assess potential deployment differences, see Use the schemas in Splunk Security Essentials.

Add full-feature content

Complete the following two steps to author full-feature SSE custom content.

Configure the ShowcaseInfo.json file

The ShowcaseInfo.json file contains high-level information for SSE content and is the primary interface. Two configurations govern its relationship with the search builder:

  • The dashboard tells the interface what dashboard to send users to when they select a link. The dashboard includes the search builder in its related URL.
  • The examples object is a list of search builder objects that exist for individual pieces of content. Most often, you at least have discrete objects for demo data, live data, and accelerated data, but you might need other objects as well.

The search builder contains JSON files, such as showcase_simple_search.json, list searches, line-by-line SPL documentation, and other helpful information.

Define names and IDs

After configuring the JSON file, you must define the following four names and IDs:

  • The ID is the key of each showcase's summary object in the ShowcaseInfo.json file; these keys identify each showcase.
  • The name in ShowcaseInfo.json that displays to the user. You can find the name using the ShowcaseInfo.json['summaries']['my_showcase_id']['name'] lookup.
  • The search label is the name displayed on the search page.
  • The search name is the internal ID for a search.

In the showcase examples object, the search name (ShowcaseInfo.json['summaries']['my_showcase_id']['examples'][0]['name']) appears. That name must exactly match the object name in the search builder JSON file and the search label (showcase_*.json['my_search_name']['label']). If those values don't match, no JavaScript runs when a user navigates to the dashboard, and no errors appear to alert you to the problem.
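Because a mismatch fails silently, it is worth checking the two files against each other before deploying. The following validator is an added example and not part of Splunk Security Essentials: it loads a ShowcaseInfo.json fragment and a search builder JSON document (both constructed inline here, one of them with a deliberate typo in an example name) and reports every example name that has no matching key in the search builder JSON or whose label differs from its key. The additional check that the ml_toolkit.dataset parameter of the dashboard URL names one of the examples is an assumption drawn from the configured example further down this page, not a rule the page states.

```python
"""Cross-check ShowcaseInfo.json example names against the search builder JSON.

Added example, not Splunk Security Essentials code. The two documents below are
constructed for illustration; in practice load them from the app's files.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one correct example entry and one with a typo
# ("Basic Brute Force - Lve") that the validator should catch.
SHOWCASE_INFO = json.loads("""
{
  "summaries": {
    "basic_brute_force": {
      "name": "Basic Brute Force Detection",
      "dashboard": "showcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo",
      "examples": [
        {"label": "Demo Data", "name": "Basic Brute Force - Demo"},
        {"label": "Live Data", "name": "Basic Brute Force - Lve"}
      ]
    }
  }
}
""")

# Constructed sample search builder JSON: each key must equal an example name
# in ShowcaseInfo.json, and each object's "label" must equal its own key.
SEARCH_BUILDER = json.loads("""
{
  "Basic Brute Force - Demo": {
    "label": "Basic Brute Force - Demo",
    "value": "... demo search ..."
  },
  "Basic Brute Force - Live": {
    "label": "Basic Brute Force - Live",
    "value": "... live search ..."
  }
}
""")


def validate_showcase(showcase_info, search_builder):
    """Return a list of problem descriptions; an empty list means the files agree."""
    problems = []
    for showcase_id, summary in showcase_info.get("summaries", {}).items():
        examples = summary.get("examples", [])
        if not examples:
            problems.append(f"{showcase_id}: no examples object")
        example_names = set()
        for idx, example in enumerate(examples):
            name = example.get("name")
            if name is None:
                problems.append(f"{showcase_id}: examples[{idx}] has no name")
                continue
            example_names.add(name)
            entry = search_builder.get(name)
            if entry is None:
                # The page's failure mode: the dashboard JavaScript never runs.
                problems.append(
                    f"{showcase_id}: example name {name!r} has no matching key "
                    "in the search builder JSON")
            elif entry.get("label") != name:
                problems.append(
                    f"{showcase_id}: search {name!r} has label "
                    f"{entry.get('label')!r}; it must equal the key")
        # Assumption (from the configured example on this page, not a stated
        # rule): the ml_toolkit.dataset URL parameter names one of the examples.
        dashboard = summary.get("dashboard", "")
        query = parse_qs(urlsplit(dashboard).query)
        for dataset in query.get("ml_toolkit.dataset", []):
            if dataset not in example_names:
                problems.append(
                    f"{showcase_id}: dashboard dataset {dataset!r} is not an example name")
    return problems


if __name__ == "__main__":
    for problem in validate_showcase(SHOWCASE_INFO, SEARCH_BUILDER):
        print("PROBLEM:", problem)
```

Run it against the two real files after every edit to ShowcaseInfo.json or a showcase_*.json file; an empty result is the only output that should precede a deployment.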

Examples

The following examples show a configured ShowcaseInfo.json file and a search with properly defined names and IDs.

Configured ShowcaseInfo.json file


{
   "summaries": {
       "basic_brute_force": {
            "name": "Basic Brute Force Detection", 
            "dashboard": "showcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo", 
            "examples": [
                {
                    "label": "Demo Data", 
                    "name": "Basic Brute Force - Demo"
                }, 
                {
                    "label": "Live Data", 
                    "name": "Basic Brute Force - Live"
                }, 
                {
                    "label": "Accelerated Data", 
                    "name": "Basic Brute Force - Accelerated"
                }
            ]
       }
   } 
}

Search with defined names and IDs


{
    "Basic Brute Force - Demo": {
        "label": "Basic Brute Force - Demo",
        "value": "... demo search ..."
    },
    "Basic Brute Force - Live": {
        "label": "Basic Brute Force - Live",
        "value": "... live search ..."
    },
    "Basic Brute Force - Accelerated": {
        "label": "Basic Brute Force - Accelerated",
        "value": "... accelerated search ..."
    }
}

Last modified on 20 January, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1
