Edit permissions to provide write access to Splunk Security Essentials
All users of Splunk Security Essentials have read access to the various features, but if you want to allow a user to change or edit specific configurations you must grant write access to certain lookups. To grant write access to a lookup, you must be an administrative user and follow these steps:
- Navigate to your Splunk Platform instance.
- Select Settings > All configurations.
- Select Splunk Security Essentials from the App drop-down menu.
- Search for the name of the lookup that you want to edit the permissions for and select Permissions.
- Find the role that you want to change the access for and select Write access.
- Select Save.
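Because write access on these lookups lets a role change data inventory, custom content and mapping configuration, it is worth periodically checking who holds it. The script below is an added example, not part of the Splunk documentation: it reads lookup ACL entries in the shape Splunk's REST API returns them (the JSON here is a constructed sample, and the role name sse_editor and the approved-role set are assumptions) and reports any Splunk Security Essentials lookup writable by a role outside the approved set.

```python
import json

# Lookups this page lists as the ones you may grant write access to
# (the deprecated data_source_check_outputs_lookup is left out).
SSE_LOOKUPS = {
    "data_inventory_products_lookup", "data_inventory_eventtypes_lookup",
    "data_source_check_lookup", "bookmark_lookup", "bookmark_names",
    "external_content_lookup", "sse_json_doc_storage_lookup",
    "custom_content_lookup", "deleted_custom_content_lookup",
    "local_search_mappings_lookup", "sse_content_exported_lookup",
}

# Constructed sample in the shape of a Splunk REST response for
# .../data/transforms/lookups?output_mode=json; only the fields used
# below are reproduced (assumption: role names are illustrative).
SAMPLE_ACL_JSON = """{"entry": [
 {"name": "bookmark_lookup",
  "acl": {"sharing": "app", "perms": {"read": ["*"], "write": ["admin", "sse_editor"]}}},
 {"name": "custom_content_lookup",
  "acl": {"sharing": "app", "perms": {"read": ["*"], "write": ["*"]}}},
 {"name": "unrelated_app_lookup",
  "acl": {"sharing": "app", "perms": {"read": ["*"], "write": ["user"]}}},
 {"name": "local_search_mappings_lookup",
  "acl": {"sharing": "app", "perms": {"read": ["*"], "write": ["admin", "user"]}}}
]}"""


def audit_write_access(acl_json, approved_roles):
    """Return {lookup_name: [unexpected roles]} for every SSE lookup whose
    write permission names a role outside approved_roles. The wildcard "*"
    grants write to every role, so it is always reported."""
    findings = {}
    for entry in json.loads(acl_json)["entry"]:
        name = entry["name"]
        if name not in SSE_LOOKUPS:  # ignore lookups from other apps
            continue
        writers = entry.get("acl", {}).get("perms", {}).get("write", [])
        unexpected = sorted(r for r in writers if r == "*" or r not in approved_roles)
        if unexpected:
            findings[name] = unexpected
    return findings


if __name__ == "__main__":
    for lookup, roles in audit_write_access(SAMPLE_ACL_JSON, {"admin", "sse_editor"}).items():
        print(f"{lookup}: write access granted to unexpected role(s) {roles}")
```

In a live check you would feed the function the JSON returned by the REST endpoint above instead of the sample, and treat any finding as a permission to review with the steps in this section.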
Lookups in Splunk Security Essentials
The following are important lookups in Splunk Security Essentials that you might want to edit the permissions for to allow a user to change configurations for data inventory, custom content, bookmarks, and so on.
Data Inventory lookups
Lookup name | External type | Description
data_inventory_products_lookup | kvstore | This kvstore collection contains a list of all the products configured for data availability. There is an entry for each product with associated metadata, the location of the data, and the data source categories this product is mapped to. The mapped data source categories are stored in the eventtypeIds field. For more information on data availability, see Track data ingest latency with the Data Availability dashboard in Use Splunk Security Essentials.
data_inventory_eventtypes_lookup | kvstore | This kvstore collection stores the status for each data source category. The mapped data source categories are stored in the eventtypeIds field.
Posture Dashboard lookups
Lookup name | External type | Description
data_source_check_outputs_lookup | kvstore | This lookup is deprecated.
data_source_check_lookup | kvstore | This lookup is used by the Posture Dashboards and shows the most recent result from the Posture Dashboards. For more information on the Posture Dashboards, see Create security Posture Dashboards in Use Splunk Security Essentials.
Bookmarks
Lookup name | External type | Description
bookmark_lookup | kvstore | This lookup is a kvstore collection that stores the bookmark status and bookmark notes. The Content Search Introspection feature provides information to this lookup. For more information, see Track your content with the Manage Bookmarks dashboard in Use Splunk Security Essentials.
bookmark_names | kvstore | This collection allows you to add your own custom bookmark names on top of the standard ones. You can also rename the existing labels.
Content Updates
Lookup name | External type | Description
external_content_lookup | kvstore | Splunk Security Essentials has a collection of external content sources that can be updated. This includes automatically adding the latest data from the Splunk Enterprise Security Content Update (ESCU) app and adding the latest available MITRE ATT&CK information. Partners also have the option to add or create content channels.
sse_json_doc_storage_lookup | kvstore | Splunk Security Essentials has a collection of external content sources that can be updated. MITRE ATT&CK information is currently stored here, but it could be used for any other sources. When your browser grabs the latest MITRE ATT&CK JSON from the MITRE GitHub, it adds it to this kvstore collection.
Custom Content
Lookup name | External type | Description
custom_content_lookup | kvstore | Custom content is stored in the custom_content_lookup. Most information is stored in the JSON field, and as the custom content page loads, all of that content is loaded into the ShowcaseInfo lookup. For more information on custom content, see Customize Splunk Security Essentials with the Custom Content dashboard.
deleted_custom_content_lookup | kvstore | In the Custom Content dashboard, you can delete content but then recover it through the recycling bin. This lookup is that recycling bin.
Content Mapping
Lookup name | External type | Description
local_search_mappings_lookup | kvstore | If you choose to use content mapping, Splunk Security Essentials retains a connection of local saved searches to MITRE ATT&CK details. This lookup stores the association of a saved search name, search_title, to the internal showcaseId. For more information, see Track active content in Splunk Security Essentials using Content Mapping in Use Splunk Security Essentials.
Splunk Enterprise Security enrichment
Lookup name | External type | Description
sse_content_exported_lookup | kvstore | This lookup contains the names of local saved searches and enrichment fields in Splunk Security Essentials that are connected to notable events in Splunk Enterprise Security. This lookup is automatically maintained by Splunk Security Essentials and updated whenever there is an entry in the local_search_mappings_lookup.
Backup and Restore
Lookup name | File name | Description
sse_bookmark_backup | sse_bookmark_backup.csv | All configuration backups are stored in this CSV file.
Analytics Advisor
Lookup name | File name | Description
mitre_threat_groups | mitre_threat_groups.csv | This lookup contains a list view of the current MITRE ATT&CK Framework threat groups. It is automatically maintained by Splunk Security Essentials and updated whenever MITRE ATT&CK is updated.
mitre_enterprise_list | mitre_enterprise_list.csv | This lookup contains the list version of the entire MITRE ATT&CK enterprise matrix and is used for enrichment in Splunk Security Essentials. It can also be used for ad-hoc lookups to enrich events with MITRE ATT&CK data. It is automatically maintained by Splunk Security Essentials and updated whenever MITRE ATT&CK is updated.
mitre_environment_count | mitre_environment_count.csv | This lookup contains the count of content associated with each MITRE ATT&CK technique. It is automatically maintained by Splunk Security Essentials and updated when you load the MITRE ATT&CK Overview dashboard.