Troubleshoot Splunk Security Essentials

Use the following sections to troubleshoot potential issues with Splunk Security Essentials.

You are seeing outdated content in Splunk Security Essentials

You are seeing outdated content on the dashboards in Splunk Security Essentials, even after you upgraded to a new version.

Cause

The cache was not refreshed.

Solution

Force an update of Splunk Security Essentials.

  1. From Splunk Security Essentials, select Configuration.
  2. Select Update Content then Force Update.
    After the new content finishes downloading, the Configuration button turns green.
  3. Select Configuration to refresh the page.

The Analytics Advisor dashboard isn't showing any content in the active category in the MITRE ATT&CK Matrix view

Content in the Analytics Advisor dashboard does not appear in the Active category in the MITRE ATT&CK Matrix view.

Cause

No content matches the criteria for it to be marked as active.

Solution

Check that the content you want to appear as Active matches the following criteria.

Criterion 1

Setting to review: Check that the content is marked as Enabled.
How to fix: If the content isn't marked as Enabled, set the bookmark status to Successfully Implemented.
More information: See Track your content with the Manage Bookmarks dashboard.

Criterion 2

Setting to review: Check that the content is linked to a data source that is marked as Good. You can find this information on the Security Content page.
How to fix: If the content isn't linked to a data source marked as Good, use the Data Inventory dashboard to mark the data source as Good. If you want to use a general-purpose data source that is always marked as Good, use the Any logs in Splunk option in the Vendor category.
More information: See Configure the products you have in your environment with the Data Inventory dashboard.

Last modified on 02 October, 2023

This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1
