Troubleshoot Splunk Security Essentials
Use the following sections to troubleshoot potential issues with Splunk Security Essentials.
You are seeing outdated content in Splunk Security Essentials
You are seeing outdated content on the dashboards in Splunk Security Essentials, even after you upgraded to a new version.
Cause
The cache was not refreshed.
Solution
Force an update of Splunk Security Essentials.
- From Splunk Security Essentials, select Configuration.
- Select Update Content, then Force Update. After the new content finishes downloading, the Configuration button turns green.
- Select Configuration to refresh the page.
The Analytics Advisor dashboard isn't showing any content in the active category in the MITRE ATT&CK Matrix view
Content in the Analytics Advisor dashboard does not appear in the Active category in the MITRE ATT&CK Matrix view.
Cause
No content matches the criteria for it to be marked as active.
Solution
Check that the content you want to appear as Active matches the following criteria.
Setting to review | How to fix | More information |
---|---|---|
Check that the content is marked as Enabled. | If the content isn't marked as Enabled, set the bookmark status to Successfully Implemented. | See Track your content with the Manage Bookmarks dashboard. |
Check that the content is linked to a data source that is marked as Good. You can find this information on the Security Content page. | If the content isn't linked to a data source marked as Good, use the Data Inventory dashboard to mark the data source as Good. If you want to use a general-purpose data source that is always marked as Good, use the Any logs in Splunk option in the Vendor category. | See Configure the products you have in your environment with the Data Inventory dashboard, and Understand the data sources used in Splunk Security Essentials with the Data Onboarding Guides. |
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1