Deploy Content to your Environment


Introduction

Any of the content native to Splunk Security Essentials can be enabled directly from the app by saving it as a scheduled search. If you use Splunk Enterprise Security, the saved content also integrates fully with Risk Entries and/or Notable Events.

Feature

Security Contents Page

The Security Contents Page is the main landing page for Splunk Security Essentials. It lists all content in the app, lets you drill down into any individual item, and offers a wealth of filters to help you home in on exactly what you want.

  1. We’ve provided an introduction for this page and a detailed description of the Search Journey Stages listed below. To get the full details, click “Show all lines”.

  2. Use the filters to find the capabilities most relevant to you. For example, if you’re just starting out with Splunk for security and want to know where to begin, you might view all featured Stage 1 searches.

  3. Focus on a specific business concern: you can opt to select Stage 6 (all the Splunk Content)…

  4. Drill down: focus on a single issue, such as Insider Threat.

  5. Filter on specific data sources you already have in Splunk. For example, filter on “Email Logs” to see detections you can deploy immediately against that data.

  6. To find exactly the examples you want, adjust the filters by clicking the menu icon. All the settings you configure are retained every time you open the page in this browser.

  7. The filters are only a means to an end; the point of Splunk Security Essentials is the examples that address your specific use cases. Scroll down to see which examples match the filters you’ve configured and how to start getting value from Splunk.

  8. Each example gives a brief description, lists the required log sources, and shows any mapped MITRE ATT&CK techniques or Kill Chain phases.

  9. Click into an example for more detail. For examples that only need Splunk Enterprise, you can also view the full search string along with detailed documentation. That’s it for this tour; start exploring the examples and see how to get the most from your data with Splunk.

Example Content - Basic Brute Force Detection

There are 120+ detection searches native to Splunk Security Essentials. From any of them, click Save Scheduled Search to enable the search. If you have Splunk Enterprise Security, the app integrates with ES directly. The item below, Basic Brute Force Detection, is walked through as an example.

  1. When looking at Security Content, we’ve tried to provide as much context as possible, so you can understand the impact of an example, see how it works, adapt it to the particulars of your environment, and handle the alerts it will generate.

  2. The boxes at the top hold high-level details, including the ever-important ‘Data Source’ links. Each link covers several popular technologies that provide that data source, not just a list of them, with detailed installation documentation to help you get the data up and running.

  3. Beneath the boxes is further context, including how to implement and respond, as well as other examples and related Splunk capabilities.

  4. By default, the page shows the types of results you will see from the search. For more technical detail, use the “Line-by-Line SPL Documentation” view to read the search string with each line explained, which also helps when adapting it.

  5. In SPL mode you can see the prerequisite checks that verify the right data is onboarded, use the “Open in Search” buttons, and click “Schedule Saved Search” to save the search right from the app. Run the prerequisite checks before scheduling: a detection scheduled against data that has not been onboarded will simply never fire.

  6. One last item for the overview: in the upper right-hand corner is a list of the searches available for each example. Often there is just a demo and a live version, but some examples have three or four different versions.
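To make concrete what the Basic Brute Force Detection item above does when it runs, the following Python is an added example and is not code from Splunk Security Essentials or from Splunk. It mirrors the two halves of the workflow described in steps 4 and 5: a prerequisite check that the fields the detection needs are present in the data, and the detection itself, which counts failed logons per source in a fixed time window and alerts once a threshold is crossed. The field names (time, src, user, action), the window, the threshold and the log lines are all assumptions constructed for this example; in a real deployment the same logic lives in the SPL search the app schedules for you.

```python
"""Basic brute-force detection logic over constructed auth log lines.

Added example, not code from Splunk Security Essentials. It mirrors what a
scheduled brute-force search does: check that the required fields are present
(the app's prerequisite check), count failed logons per source in a time
window, and alert when the count crosses a threshold. Field names, threshold
and the log lines are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("time", "src", "user", "action")  # assumed field names
WINDOW = timedelta(minutes=10)                        # assumed bucket size
THRESHOLD = 5  # failures per src per window; tune for your environment

# Constructed sample events in key=value form (not real data).
SAMPLE_LOG = """\
time=2024-03-01T10:00:01 src=10.0.0.5 user=alice action=failure
time=2024-03-01T10:00:09 src=10.0.0.5 user=bob action=failure
time=2024-03-01T10:00:17 src=10.0.0.5 user=carol action=failure
time=2024-03-01T10:00:25 src=10.0.0.5 user=dave action=failure
time=2024-03-01T10:00:33 src=10.0.0.5 user=erin action=failure
time=2024-03-01T10:00:41 src=10.0.0.5 user=admin action=success
time=2024-03-01T10:02:00 src=10.0.0.9 user=alice action=failure
time=2024-03-01T10:02:30 src=10.0.0.9 user=alice action=success
time=2024-03-01T10:30:00 src=10.0.0.5 user=frank action=failure
"""


def parse_events(text):
    """Parse key=value lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(kv.split("=", 1) for kv in line.split()))
    return events


def check_prerequisites(events):
    """Return the required fields missing from the data (empty list = OK).

    Running the detection on data that lacks 'action' or 'src' would silently
    produce no alerts, so this check must pass before the search is scheduled.
    """
    if not events:
        return list(REQUIRED_FIELDS)
    present = set().union(*(e.keys() for e in events))
    return [f for f in REQUIRED_FIELDS if f not in present]


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Bucket failures by src into fixed windows; alert on buckets over threshold.

    Also records whether the same src logged in successfully inside the same
    bucket, which is the higher-priority case (a guessed password, not noise).
    """
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "success": False})
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        # Align to the window boundary, like a span-based time bucket.
        bucket_start = epoch + ((ts - epoch) // window) * window
        key = (e["src"], bucket_start)
        if e["action"] == "failure":
            buckets[key]["failures"] += 1
            buckets[key]["users"].add(e["user"])
        elif e["action"] == "success":
            buckets[key]["success"] = True

    alerts = []
    for (src, start), b in sorted(buckets.items()):
        if b["failures"] >= threshold:
            alerts.append({
                "src": src,
                "window_start": start.isoformat(),
                "failures": b["failures"],
                "distinct_users": len(b["users"]),
                "success_after_failures": b["success"],
            })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    missing = check_prerequisites(evs)
    if missing:
        raise SystemExit(f"prerequisite check failed, missing fields: {missing}")
    for alert in detect_brute_force(evs):
        print(alert)
```

On the sample data only 10.0.0.5 trips the threshold, with five distinct usernames and a success in the same window, which is the pattern worth handling first when the alerts arrive. The source with one failure followed by a success is ordinary user behaviour and stays quiet, which is the reason for bucketing by source and window rather than alerting on any failure.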