User Guides

To help you get started, we’ve begun a list of user guides that will walk you through getting the maximal value from Splunk Security Essentials.

Find Content

You can do lots with Splunk for security – these guides will help you quickly find the right content.

  1. Security Detection Basics: When you’re getting started with Security Detections, you don’t need to be overwhelmed with everything that Splunk can do. This guide helps you view the key content that drives the most value, and also suggests pages and docs that provide the context to help accelerate success.
  2. Advanced Detection Content: For those who have their SIEM basics under control, this guide shows you far more security content, and also recommends additional capabilities such as leveraging MITRE ATT&CK to help you view the right information.
  3. Prescriptive Content Recommendations: This app contains data and search introspection that we can leverage to provide very prescriptive recommendations. It requires a bit more setup, but provides concrete recommendations.
  4. Risk-Based Alerting Content: If you are getting started with Risk-based Alerting, you can use this guide to help you focus your energies by deploying the best RBA content. Unfamiliar with RBA? Check out the link in the pre-requisites section.


Whether we’re talking about Splunk or Security, there is always more to learn. This is particularly daunting if you’re just getting started! These guides help you learn quicker by pointing you at the most useful and most accessible information.

  1. Learn Splunk: In order to master Splunk, you must master Splunk’s Search Processing Language (SPL). This guide points you to some of searches that have the most useful documentation that helps new-comers learn SPL best.
  2. Learn Security: If you’re new to security itself, it can be difficult to even understand the content recommendations made. This guide points you to content that has the best written explanations and documentation, targeted specifically at folks just getting started.
  3. Security Journey: For those trying to figure out how to build their security monitoring practice on Splunk, it can be useful to consult a guide for that. There are many available resources for building a SOC, or SIEM, or Monitoring Practice, and this guide will point you to a few.
  4. Data Onboarding Guides: Getting data in can be tricky, and there are lots of ways to do it. This app contains documentation created in late 2017 for several of the products most popular with Splunk users that show not just how to ingest the data, but how to configure the products to generate the right kind of data.

Help Deploy

Building a SIEM can be lots of work! It’s not the goal of this app to deploy content, but it does have a few capabilities designed to help make SIEM easier.

  1. Operationalize MITRE ATT&CK: If you are orienting your security environment, you’re in luck (particularly if you use Splunk Enterprise Security). This app contains a wealth of MITRE ATT&CK integrations, and this guide will help walk you through them.
  2. Monitor Data Ingest: There are many methods build for admins to help monitor data availability, but often fewer for users. This guide will help you with the configuration required and then point you to a dashboard built just for security users.
  3. Automatically Generate Dashboards: This guide will show you how to ask Splunk Security to look at what data you have in your environment, and then create a set of dashboards that look at your live data, all following Splunk’s best practices for dashboard creation.
  4. Deploy Content to your Environment: As you look at the content native to Splunk Security Essentials, you can directly enable them by saving them directly from the app. If you use Enterprise Security, you will also get full integrations with Risk Entries and/or Notable Events.
  5. Analyze CIM Compliance: Splunk’s Common Information Model (CIM) prescribes a common set of fields, and sometimes specific values, allowing products to easily speak the same language and allowing your users to more quickly adopt content written to expect CIM. This guide will help you track the CIM compliance of your security products.


Users have a variety of reporting and measurement needs that they have to manually perform today. These guides will show you how this app can help make that reporting easier.

  1. Justify New Data Sources via MITRE ATT&CK: If you want to get a new data source in, MITRE ATT&CK can often provide a neutral industry-recognized way to show what that data would do for you. This guide will walk you through the configuration of this app, and then the dashboard that enables that functionality.
  2. Document Your Deployed Content: Building out reports for management or auditors on what content is deployed can be time consuming, particularly for those who don’t build a lot of reports like that. Splunk Security Essentials can generate CSV, PDF, and XLSX reports showing you what content you have in your environment, that can help you complete these tasks faster.