Splunk® Security Essentials

Install and Configure Splunk Security Essentials

Edit permissions to provide write access to Splunk Security Essentials

All users of Splunk Security Essentials have read access to its features, but a user who needs to change specific configurations must belong to a role that has write access to the corresponding lookups. To grant write access to a lookup, you must be an administrative user and follow these steps:

  1. Navigate to your Splunk Platform instance.
  2. Select Settings > All configurations.
  3. Select Splunk Security Essentials from the App drop-down menu.
  4. Search for the name of the lookup that you want to edit the permissions for and select Permissions.
  5. Find the role that you want to change the access for and select Write access.
  6. Select Save.
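The Permissions dialog in the steps above persists its result as an `access` line in the app's metadata/local.meta file, under a `[transforms/<lookup name>]` stanza, which is the form you will meet when reviewing an instance or shipping the grant through a deployment server. The script below is an added example, not code from the Splunk documentation or from the Splunk Security Essentials app: it parses a constructed local.meta sample of that shape, reports every lookup whose write ACL includes the `*` wildcard or a role outside an assumed allow-list, and renders the stanza that grants a role write access. The role names sse_data_admin and sse_content_author and the stanza contents are assumptions for the example. It reads a single file; a real audit must also layer default.meta and any user-level local.meta the way Splunk resolves permissions.

```python
import re

# Constructed sample of $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/metadata/local.meta.
# Stanza contents and the sse_* role names are made up for this example.
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[transforms/data_inventory_products_lookup]
access = read : [ * ], write : [ admin, sse_data_admin ]

[transforms/custom_content_lookup]
access = read : [ * ], write : [ admin, sse_content_author, user ]

[transforms/bookmark_lookup]
access = read : [ * ], write : [ * ]

[transforms/data_source_check_lookup]
owner = nobody
"""

# Assumed policy: the only roles that may write SSE lookups.
ALLOWED_WRITERS = {"admin", "sse_data_admin", "sse_content_author"}

_STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
_ACL_RE = re.compile(r"(?P<perm>read|write)\s*:\s*\[(?P<roles>[^\]]*)\]")


def parse_meta(text):
    """Parse a Splunk .meta file into {stanza: {key: value}}.

    configparser is deliberately not used: the app-wide default stanza is
    literally `[]`, which configparser rejects as a section header.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_access(value):
    """'read : [ * ], write : [ admin, power ]' -> {'read': {'*'}, 'write': {'admin', 'power'}}"""
    acl = {"read": set(), "write": set()}
    for m in _ACL_RE.finditer(value):
        roles = {r.strip() for r in m.group("roles").split(",") if r.strip()}
        acl[m.group("perm")] = roles
    return acl


def effective_write_roles(stanzas, lookup_name):
    """Write roles for transforms/<lookup>; a stanza without its own access
    line inherits the `[]` default stanza of the same file."""
    stanza = stanzas.get(f"transforms/{lookup_name}", {})
    value = stanza.get("access") or stanzas.get("", {}).get("access", "")
    return parse_access(value)["write"]


def audit_write_access(text, allowed=ALLOWED_WRITERS):
    """Return {lookup: offending roles} for every lookup definition whose
    write ACL contains the wildcard or a role outside `allowed`."""
    stanzas = parse_meta(text)
    findings = {}
    for name in stanzas:
        if not name.startswith("transforms/"):
            continue
        lookup = name.split("/", 1)[1]
        bad = {r for r in effective_write_roles(stanzas, lookup)
               if r == "*" or r not in allowed}
        if bad:
            findings[lookup] = bad
    return findings


def grant_write_stanza(lookup_name, roles, read=("*",)):
    """Render the local.meta access stanza that grants `roles` (plus admin)
    write access to a lookup definition while keeping it readable by all."""
    writers = ", ".join(sorted(set(roles) | {"admin"}))
    return (f"[transforms/{lookup_name}]\n"
            f"access = read : [ {', '.join(read)} ], write : [ {writers} ]\n")


if __name__ == "__main__":
    for lookup, roles in sorted(audit_write_access(SAMPLE_LOCAL_META).items()):
        print(f"{lookup}: write granted to {sorted(roles)}")
    print(grant_write_stanza("data_inventory_products_lookup", ["sse_data_admin"]))
```

On the sample, the audit flags custom_content_lookup (the built-in user role can write it) and bookmark_lookup (write is `*`); data_source_check_lookup has no access line and so inherits the admin-only default and is not flagged. Because these lookups drive what Splunk Security Essentials reports as mapped, inventoried or exported content, treat write access on them as the ability to change your coverage picture and grant it to a dedicated role rather than to user. The same grant can be applied without the UI through the REST ACL endpoint of the lookup definition, `POST /servicesNS/nobody/Splunk_Security_Essentials/data/transforms/lookups/<lookup name>/acl` with `sharing=app`, `owner=nobody`, `perms.read=*` and `perms.write=<comma-separated roles>`.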

Lookups in Splunk Security Essentials

The following are the important lookups in Splunk Security Essentials whose permissions you might want to edit to allow a user to change configurations for data inventory, custom content, bookmarks, and so on. Each entry gives the lookup name, its external type or backing file, and what it stores.

Data Inventory lookups

data_inventory_products_lookup (kvstore): This kvstore collection contains a list of all the products configured for data availability. There is an entry for each product with its associated metadata, the location of the data, and the data source categories the product is mapped to. The mapped data source categories are stored in the eventtypeIds field. For more information on data availability, see Track data ingest latency with the Data Availability dashboard in Use Splunk Security Essentials.
data_inventory_eventtypes_lookup (kvstore): This kvstore collection stores the status for each data source category. The mapped data source categories are stored in the eventtypeIds field.

Posture Dashboard lookups

data_source_check_outputs_lookup (kvstore): This lookup is deprecated.
data_source_check_lookup (kvstore): This lookup is used by the Posture Dashboards and holds their most recent results. For more information on the Posture Dashboards, see Create security Posture Dashboards in Use Splunk Security Essentials.

Bookmarks

bookmark_lookup (kvstore): This kvstore collection stores the bookmark status and bookmark notes. The Content Search Introspection feature feeds information into this lookup. For more information, see Track your content with the Manage Bookmarks dashboard in Use Splunk Security Essentials.
bookmark_names (kvstore): This collection allows you to add your own custom bookmark names on top of the standard ones. You can also rename the existing labels.

Content Updates

external_content_lookup (kvstore): Splunk Security Essentials has a collection of external content sources that can be updated. This includes automatically adding the latest data from the Splunk Enterprise Security Content Update (ESCU) app and adding the latest available MITRE ATT&CK information. Partners also have the option to add or create content channels.
sse_json_doc_storage_lookup (kvstore): This collection stores the JSON documents retrieved for those external content sources. MITRE ATT&CK information is currently stored here, but it could be used for any other source. When your browser fetches the latest MITRE ATT&CK JSON from the MITRE GitHub repository, it writes it into this kvstore collection, so the user running the update needs write access to it.

Custom Content

custom_content_lookup (kvstore): Custom content is stored in the custom_content_lookup. Most information is stored in the JSON field, and as the Custom Content dashboard loads, all of that content is loaded into the ShowcaseInfo lookup. For more information on custom content, see Customize Splunk Security Essentials with the Custom Content dashboard.
deleted_custom_content_lookup (kvstore): In the Custom Content dashboard, you can delete content and later recover it from the recycling bin. This lookup is that recycling bin.

Content Mapping

local_search_mappings_lookup (kvstore): If you choose to use content mapping, Splunk Security Essentials keeps the association between local saved searches and MITRE ATT&CK details. This lookup stores the mapping from a saved search name (search_title) to the internal showcaseId. For more information, see Track active content in Splunk Security Essentials using Content Mapping in Use Splunk Security Essentials.

Splunk Enterprise Security enrichment

sse_content_exported_lookup (kvstore): This lookup contains the names of local saved searches and the enrichment fields in Splunk Security Essentials that are connected to notable events in Splunk Enterprise Security. It is maintained automatically by Splunk Security Essentials and updated whenever an entry is added to local_search_mappings_lookup.

Backup and Restore

sse_bookmark_backup (CSV file sse_bookmark_backup.csv): All configuration backups are stored in this CSV file.

Analytics Advisor

mitre_threat_groups (CSV file mitre_threat_groups.csv): This lookup contains a list view of the current MITRE ATT&CK Framework threat groups. It is automatically maintained by Splunk Security Essentials and updated whenever MITRE ATT&CK is updated.
mitre_enterprise_list (CSV file mitre_enterprise_list.csv): This lookup contains the list version of the entire MITRE ATT&CK enterprise matrix and is used for enrichment in Splunk Security Essentials. It can also be used for ad-hoc lookups to enrich events with MITRE ATT&CK data. It is automatically maintained by Splunk Security Essentials and updated whenever MITRE ATT&CK is updated.
mitre_environment_count (CSV file mitre_environment_count.csv): This lookup contains the count of content associated with each MITRE ATT&CK technique. It is automatically maintained by Splunk Security Essentials and updated when you load the MITRE ATT&CK Overview dashboard.
Last modified on 28 November, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1