Document Your Deployed Content

Introduction

Building out reports for management or auditors on what content is deployed can be time consuming, particularly for those who don’t build many reports of that kind. Splunk Security Essentials can generate CSV, PDF, and XLSX reports showing what content you have in your environment, which helps you complete these tasks faster.

Pre-requisites

Correlation Search Introspection and Mapping

Tracking what content you have active is central to much of the Splunk Security Essentials functionality (enriching the MITRE ATT&CK Matrix, guiding you to the right content, integrations with Splunk Enterprise Security, Risk-based Alerting, the Data Availability Dashboard). This can be accomplished through bookmarking (set the status to Implemented), but it’s often easier to configure via Correlation Search Introspection on the Bookmarked Content dashboard.

  1. Splunk Security Essentials uses bookmarking to track what content is active in your environment, or to just help you remember what content you want to deploy.

  2. If you’ve installed this app on your production search head, its Correlation Search Introspection feature makes recording your active content easier by walking you through marking active content.

  3. This introspection will pull a list of all of your enabled local scheduled searches that have an action associated with them. It will also automatically enable any directly enabled ES, ESCU, or SSE content.

  4. For most content, the introspection will provide you with the option to indicate that a search is not a security detection, search through all of the out-of-the-box content contained in the app, or create new custom content in the app. Any of these will help you accurately map data source, MITRE, and other metadata for your content.

  5. Splunk Security Essentials includes a search engine to help you search the app and map any detection search to all of the out-of-the-box content.

  6. For content that doesn’t exist in Splunk out-of-the-box, you can create custom content. Custom content shows everywhere throughout the app, just like normal Splunk content.

  7. You can define all of the same metadata for custom content (such as MITRE ATT&CK, Kill Chain, data source categories, etc.). You can also add all the normal descriptive fields (how to respond, known false positives, etc.).

  8. If you don’t have Splunk Security Essentials on your production environment, you can always individually mark content as installed or bookmarked.

Feature

Manage Bookmarks - Export

From the Manage Bookmarks dashboard, you get a list of all the content that you have active in your environment (even custom content!) along with content that you wish to deploy. From this page, you can click the Export button and get an output in XLSX or CSV, or, most importantly, a print-to-PDF export that can include all of the documentation, line-by-line search documentation, and even a demo screenshot!

  1. The Manage Bookmarks dashboard lets you track content in your environment, including content that you’ve just bookmarked and content that you’ve marked as successfully implemented.

  2. To export a list of this content, click the Export button in the upper right-hand corner.

  3. There are multiple export options. Most are very straightforward.

  4. The most detailed export is the Print-to-PDF, which by default includes as much detail as possible. You can opt to disable this detail if you don’t need it. (The app will remember what you selected.)

  5. Print-to-PDF works by generating a printable page, and letting you save as PDF via your browser. This works best in Chrome.
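As an added example (not part of the Splunk Security Essentials app or its documentation), the following search reproduces on the search head the same selection the introspection applies in step 3 of the Pre-requisites section (enabled, local, scheduled searches that have an action attached) and writes the result to a CSV, so you can cross-check the Manage Bookmarks export against what is actually running. The REST endpoint and the `disabled`, `is_scheduled`, `actions`, `cron_schedule` and `eai:acl.app` fields are standard Splunk saved-search attributes; the output file name `active_scheduled_searches_with_actions` is an assumption chosen for this example.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search disabled=0 is_scheduled=1
| where isnotnull(actions) AND actions!=""
| eval app='eai:acl.app'
| table title app cron_schedule actions
| outputcsv active_scheduled_searches_with_actions
```

The `splunk_server=local` argument limits the call to the search head you run it on, matching the "local" qualifier in step 3; the `| rest` command only returns searches your role can read, so run it as an administrator if the count looks low. Searches that appear here but are missing from the bookmark export are candidates for another pass through Correlation Search Introspection, and the CSV lands in the search head's `var/run/splunk/csv` directory for attaching to the audit package.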