Administering Splunk Enterprise Security
Splunk Enterprise Security administrators are responsible for configuring, maintaining, auditing, and customizing an instance of Splunk Enterprise Security. If you are not administering Splunk Enterprise Security, see Use Splunk Enterprise Security for an introduction to using this app as a security analyst.
Use the links below to learn more about administrative tasks in Splunk Enterprise Security.
Manage and support analyst workflows
To turn on and customize the workflows for analysts in your organization, see:
Enrich data for Enterprise Security
Enrich Splunk Enterprise Security with data about the assets and identities in your environment and with additional data about known threats.
- See Add asset and identity data to Splunk Enterprise Security for a full list of tasks related to adding and managing asset and identity data in Splunk Enterprise Security.
- See Add threat intelligence to Splunk Enterprise Security for information on all tasks related to managing threat intelligence sources in Splunk Enterprise Security.
Manage and customize configurations
To perform ongoing configuration in Splunk Enterprise Security, see:
You can find additional configuration information in the Install and Upgrade Manual.Create, manage, and export content
To create new content or manage and customize existing content, see:
- Create correlation searches in Splunk Enterprise Security
- Create and manage key indicator searches in Splunk Enterprise Security
- Create and manage saved searches in Splunk Enterprise Security
- Create and manage search-driven lookups in Splunk Enterprise Security
- Create and manage views in Splunk Enterprise Security
- Create and manage lookups in Splunk Enterprise Security
Troubleshoot dashboards
- For tips and best practices useful for troubleshooting dashboards in Enterprise Security, see Troubleshoot dashboards in Splunk Enterprise Security.
- For information about data model datasets that populate Enterprise Security dashboards, see Dashboard requirements matrix for Splunk Enterprise Security.
- For an overview of all dashboards in Splunk Enterprise Security, see Introduction to the dashboards available in Splunk Enterprise Security in Use Splunk Enterprise Security.
Configure users and roles
Configure user roles and capabilities to provide granular, role-based access control for your organization. See Configure users and roles.
Support for blacklist and denylist attributes
The term Blacklist is replaced by the term denylist in the Splunk Enterprise Security UI. However, for older configurations, Splunk Enterprise Security might include blacklist attributes. If blacklist attributes exist in your .conf files, you might have to update the deprecated blacklist attributes to denylist attributes.
Otherwise, you might see an error message: "Deprecated asset or identity values are found in your .conf files. Update to denylist attributes."