Splunk® Security Essentials

Use Splunk Security Essentials

Track active content in Splunk Security Essentials using Content Mapping

Tracking the content you already have active helps you see which areas you are already monitoring and where gaps remain. Content Mapping pulls a list of your activated local scheduled searches that have an action associated with them and then automatically maps any already-activated Splunk Enterprise Security, Enterprise Security Content Update (ESCU), or Splunk Security Essentials (SSE) content. Configure Content Mapping to track what content you currently have active in Splunk Security Essentials. To use Content Mapping, follow these steps:

  1. From Splunk Security Essentials, navigate to Data > Content Mapping.
  2. Click Look for Enabled Content to get a list of all of your local saved searches.

Filter on Status to show content based on whether it is Mapped, Likely Match, Potential Match, Low Match, or No Match, or search for specific content in the search box. Review the list of likely and potential matches, and make a decision based on the following options:

Accept Recommendation: If Splunk Security Essentials finds a close match, click Accept Recommendation to map that local saved search to the recommended default Splunk content.
Search: Opens a search dialog that looks through all of the content in Splunk Security Essentials and lets you select the content you want to map to.
Create New: If you don't see any content in Splunk Security Essentials that represents this detection, you can create your own custom content.
Not a Detection: Marks the content as not a security detection.
Clear: Clears any mappings you have made on the content.
Edit: Appears when Splunk Security Essentials automatically creates a new custom content card for you with default options. Use Edit to change the default options, and click Update when you have made any necessary changes.

If a scheduled search is activated and is also a correlation search, Splunk Security Essentials automatically creates a new custom content card for you with default options. These cards then appear on the Security Content page and the MITRE ATT&CK Framework dashboard.
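The inventory that Content Mapping builds (activated local scheduled searches that carry an action, with correlation searches flagged separately) can be reproduced from the saved-searches REST endpoint. The following search is an added example and is not part of the Splunk Security Essentials product or this documentation; it assumes you have permission to read saved searches over REST and that Splunk Enterprise Security marks correlation searches with the `action.correlationsearch.enabled` setting, so adjust that field name if your version differs.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search disabled=0 is_scheduled=1
| where isnotnull(actions) AND actions!=""
| eval is_correlation_search=if('action.correlationsearch.enabled'=="1", "yes", "no")
| table title eai:acl.app eai:acl.owner cron_schedule actions is_correlation_search
| sort eai:acl.app title
```

Compare the titles returned here with what Look for Enabled Content lists: a search missing from the Content Mapping view is usually disabled, not scheduled, or has no alert action, which are the three conditions this search filters on.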

Troubleshoot Content Mapping

Here are some common issues that you can encounter when you use content mapping. Read the following sections to learn how to resolve those issues.

Troubleshoot lookups and permissions

Content mapping might fail if the lookups and permissions aren't generated or working correctly. Follow these steps to troubleshoot lookups and permissions with content mapping:

  1. Verify that the content lookup has been generated by running the following search and confirming that it returns results:
    | inputlookup sse_content_exported_lookup
  2. Test if the automatic lookup configuration in props.conf is working using the following search:
    index=notable OR index=risk | stats count as num_total count(eval(isnotnull(mitre_technique))) as num_with_mitre_technique
  3. Test Splunk Enterprise Security permissions using the same search in Splunk Enterprise Security:
    index=notable OR index=risk | stats count as num_total count(eval(isnotnull(mitre_technique))) as num_with_mitre_technique
    If this doesn't work, run the Splunk Enterprise Security Integration in the Splunk Security Essentials Setup. If that fails, manually configure Splunk Enterprise Security, or upgrade to Splunk Enterprise Security 5.3+.
  4. Open incident review to check if the custom fields were added to the log_review.conf file. If this doesn't work, run the Splunk Enterprise Security Integration in the Splunk Security Essentials setup. If that fails, manually configure the fields in Splunk Enterprise Security in the Configure Incident Review Settings, and add the fields you see in the lookup.
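If the search in step 2 returns a low num_with_mitre_technique count, it helps to know whether the notable index, the risk index, or both are missing the automatic lookup. The following search is an added example, not part of this documentation; it extends the search above with a per-index breakdown and a coverage percentage, and assumes only the same `mitre_technique` field that the automatic lookup in props.conf is expected to add.

```spl
index=notable OR index=risk
| stats count AS num_total, count(eval(isnotnull(mitre_technique))) AS num_with_mitre_technique BY index
| eval pct_with_mitre_technique=round(100*num_with_mitre_technique/num_total, 1)
| eval status=if(num_with_mitre_technique==0, "automatic lookup not applied", "ok")
| table index num_total num_with_mitre_technique pct_with_mitre_technique status
```

An index that shows "automatic lookup not applied" points at the props.conf stanza for that index's sourcetype; a partial percentage usually means the lookup is applied but only some correlation searches are mapped, which is a Content Mapping gap rather than a configuration problem.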

Troubleshoot annotations

If you use Splunk Enterprise Security, you might want to add the security framework metadata for correlation searches to the annotations framework. Simply doing content mapping doesn't add the annotations directly unless you navigate to the correlation search editor in Splunk Enterprise Security and manually fill out the fields you want to appear in your search. See Use security framework annotations in correlation searches in the Administer Splunk Enterprise Security manual for more information.
However, if you schedule the search through Splunk Security Essentials, the annotation information is automatically populated in Splunk Enterprise Security. To schedule a search in Splunk Security Essentials, follow these steps:

  1. Click Content > Security Content.
  2. Click on the detection you want to use.
  3. Click Detect New Values.
  4. Click Save Scheduled Search.
  5. A dialog box appears where you can schedule an alert. Enter the number of outliers that must occur for you to be alerted and click Next.
  6. Review the settings and make any desired changes.
  7. Click Save.
  8. A dialog box appears letting you know that the Splunk Enterprise Security Correlation Search is activated. Click the option to keep editing the Notable Event if you want to customize the display fields.

The correlation search editor page in Splunk Enterprise Security appears with the annotations populated.

Last modified on 03 July, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1
