Customize the menu bar in Splunk Enterprise Security

You can add new dashboards, reports, views, links to filtered dashboards, or links to the web to your menu bar in Splunk Enterprise Security. You must have Splunk Enterprise Security administrator privileges to make changes to the menu bar navigation.

You can add views to the menu bar as part of a collection that groups several views together or as an individual item on the Splunk Enterprise Security menu bar. For example, Mission Control is an individual dashboard in the menu bar, and Audit is a collection of the audit dashboards.

Note: If you customized your navigation bar in previous versions of Splunk Enterprise Security, you must reset the navigation bar to see the new navigation bar options for Splunk Enterprise Security version 8.0.0.

Maintain customized menu bar options in Splunk Enterprise Security 8.0

The navigation bar in Splunk Enterprise Security version 8.0 was updated. If you customized the navigation menu bar and want to maintain the customized options, add the following code snippet to the custom navigation Configure tab. Adding this code snippet lets you maintain your customized menu bar options and have access to all Splunk Enterprise Security version 8.0 features. 

<collection label="ES 8.0">
    <collection label="Security Content">
        <a name="risk_factor_editor" href='/app/SplunkEnterpriseSecuritySuite/risk_factor_editor'>Risk factors</a>
        <a name="response_plan" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/response_plan'>Response plans</a>
        <divider />
        <a name="soar_playbooks" href='/app/SplunkEnterpriseSecuritySuite/soar_redirect?next_url=/playbooks' target="_blank">SOAR playbooks</a>
    </collection>
    <collection label="Configurations">
        <a name="ess_configuration" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/'>All configurations</a>
        <divider />
        <a name="general" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/general/general_settings'>General settings</a>
        <a name="findings_investigations" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/findings_investigations/investigation-types'>Findings and investigations</a>
        <a name="datasets" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/data/datasets'>Datasets</a>
        <a name="intelligence" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/intelligence/sources'>Threat intelligence</a>
        <divider />
        <a name="soar" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/soar/soar_pairing'>Splunk SOAR</a>
        <a name="uba" href='/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/splunk_uba/pairing'>Splunk UBA</a>
    </collection>
  </collection>

Check for updated views

Views and collections that are new, updated, or deprecated in the version of the app that you have installed are highlighted with small icons that indicate the relevant changes. The U and D icons are for purely informational purposes and no action is required.

This screen image shows the Updated and Deprecated Icons..

After installing a new version of Splunk Enterprise Security or a new version of an app that provides views and collections for use in Splunk Enterprise Security, visit the Navigation page to check for updates to those views and collections.

Follow these steps to check for updated views in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Navigation. If any content is updated, the message "Some content updates available" appears at the top of the navigation editor.
  3. Look for icons on the views on the editor pane to find content that has been added, updated, or deprecated. These same icons also appear in the Add a new view and Add a new collection menus.

Set a default view for Splunk Enterprise Security

To see a specific view when you or other users open Splunk Enterprise Security, set a default view.

Follow these steps to set up a default view for Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings and then select Navigation.
  3. Locate the view that you want to be the default view.
  4. Select the checkmark icon that appears when you mouse over the view to Set this as the default view.
    Checkmark that appears to the left of the view name to set a view as a default view.
  5. Select Save to save your changes.
  6. Select OK to refresh the page and view your changes.

Edit the existing menu bar navigation

You can edit the existing navigation bar in Splunk Enterprise Security to customize it based on your requirements.

Follow these steps to edit the existing menu bar navigation:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings and then select Navigation.
  3. Select and drag views or collections of views to change the location of the views or collections of views in the menu.
  4. Select the X next to a view or collection to remove it from the menu.
  5. Select the pencil pencil icon to edit the name of a collection.
  6. Select the divider line icon to add a divider and visually separate items in a collection.
  7. Select Save to save your changes.
  8. Select OK to refresh the page and view your changes.

Add a single new view to the menu bar

You can add a new view to the menu bar of Splunk Enterprise Security without adding it to a collection.

Follow these steps to add a new view to Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings and then select Navigation.
  3. In the Navigation page, select Add a new view.
  4. Leave View Options set to the default of View.
  5. Select Select a View from Unused Views.
  6. Select a dashboard or view from the drop-down list.
  7. Select Save. The dashboard appears on the navigation editor.
  8. After you finish adding items to the menu, select Save to save your changes
  9. Select OK to refresh the page and view your changes.

Add a collection to the menu bar

Use a collection to organize several views or links together in the Splunk Enterprise Security menu bar.

Follow these steps to add a collection to the Splunk Enterprise Security menu bar:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Navigation.
  3. In the Navigation page, select Add a new collection.
  4. Enter a Name. For example, Audit.
  5. Select Save. The collection appears on the navigation editor.

You must add a view or link to the collection before it appears in the menu navigation.

Add a view to an existing collection

Add views to an existing collection of views.

Follow these steps to add a view to an existing collections of views:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Navigation.
  3. Locate the collection that you want to add views to.
  4. Select the view Add View icon.
  5. Leave View Options set to the default of View.
  6. Select Select a View from Unused Views.
  7. Select a view from the list.
  8. Select Save. The view appears on the navigation editor.
  9. After you finish adding items to the menu, select Save to save your changes
  10. Select OK to refresh the page and view your changes.

Add a link to the menu bar

You can add a link to the menu bar of Splunk Enterprise Security. For example, add a link to a specifically-filtered view of the Mission Control page or to an external ticketing system.

Follow these steps to create a link in the menu to an external system or webpage:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Navigation.
  3. Select Add a New View to add it to the menu, or locate an existing collection and select the Add View icon to add the link to an existing collection of views.
  4. Select Link from View Options.
  5. Enter a Name to appear on the Splunk Enterprise Security menu. For example, Splunk Answers.
  6. Enter a link. For example, https://answers.splunk.com/
  7. Select Save.
  8. After you finish adding items to the menu, select Save to save your changes
  9. Select OK to refresh the page and view your changes.

Add a link to a filtered view of the Mission Control page

A common link to add to the menu bar is a filtered view of the Mission Control page

Follow these steps to add a link to a filtered view of the Mission Control page:

  1. Filter the Mission Control page with your desired filters. When you filter the dashboard, the URL updates with query string parameters matching your filters.
  2. In the web browser address bar, copy the part of the URL that starts with /app/SplunkEnterpriseSecuritySuite/ and paste it in a plain text file for reference.
    For example, if you filtered the dashboard to show only critical findings, the URL will include https://app/SplunkEnterpriseSecuritySuite/incident_review?form.selected_urgency=critical.

    Note: Be sure to append https:// to the URL for completion.
  3. In the Splunk Enterprise Security app, select Configure.
  4. Select General settings, and then select Navigation.
  5. Select Add a new view to add it to the menu or locate an existing collection and select the Add View icon to add the link to an existing collection of views.
  6. Select Link from View Options.
  7. Enter a Name to appear on the Splunk Enterprise Security menu. For example, IR - Critical.
  8. In the Link field, paste the URL section. For example, /app/SplunkEnterpriseSecuritySuite/incident_review?form.selected_urgency=critical
  9. Select Save.
  10. After you finish adding items to the menu, select Save to save your changes.
  11. Select OK to refresh the page and view your changes.

If you add a link with multiple parameters, you must modify the query string parameters by adding &. For example, enter the link for a filtered view of the Mission Control page that shows new and unassigned findings as /app/SplunkEnterpriseSecuritySuite/incident_review?form.status_form=1&form.owner_form=unassigned.

You can also construct a URL manually using the parameters in the following table. Use an asterisk to show all results for a specific parameter. Not all parameters are required.

Parameter Description Possible values Example
form.selected_urgency Displays findings with the urgency specified by this parameter. critical, high, medium, low, informational form.selected_urgency=critical
form.status_form Displays findings with the status specified by this parameter. An integer corresponds to each status value. 0 for unassigned, 1 for new, 2 for in progress, 3 for pending, 4 for resolved, 5 for closed form.status_form=0
form.owner_form Displays findings owned by the user specified by this parameter. usernames form.owner_form=admin
form.source Displays findings created by the detection specified by this parameter. HTML-encode spaces in the detection name and use the name that appears in the finding rather than the name that appears on the Content management page. Endpoint - Host With Multiple Infections - Rule form.source=Endpoint%20-%20Host%20With%20Multiple%20Infections%20-%20Rule
form.rule_name Displays findings created by the detection specified by this parameter. HTML-encode spaces in the detection name. Use the name that appears on the Content management page. Host With Multiple Infections form.rule_name=Host%20With%20Multiple%20Infections
form.tag Displays findings with the tag specified by this parameter. malware, any custom tag value form.tag=malware
form.srch Displays findings that match the SPL specified in this parameter. HTML-encode special characters such as = for key-value pairs. dest=127.0.0.1 form.srch=dest%3D127.0.0.1
form.security_domain_form Displays findings in the security domain specified by this parameter. access, endpoint, network, threat, identity, audit form.security_domain_form=endpoint
earliest= and latest= Displays findings in the time range specified by these parameters. Specify a relative time range. HTML-encode special characters such as @. -24h@h, now earliest=-24h%40h&latest=now
form.new_urgency_count_form Displays findings that do not have the urgency specified by this parameter. critical, high, medium, low, informational form.new_urgency_count_form=informational
form.selected_urgency Displays findings that have the urgency specified by this parameter. Use multiple instances of this parameter to select multiple urgency settings. critical, high, medium, low, informational form.selected_urgency=critical&form.selected_urgency=high
event_id Displays the finding that matches the specified event_id. 3C84A9D8-87F6-4066-8659-C7DD680F98E6@@notable@@80e0f89da83cad6665dd1de7447cedb4 
event_id=3C84A9D8-87F6-4066-8659-C7DD680F98E6@@notable@@80e0f89da83cad6665dd1de7447cedb4
form.association_type
form.association_id 		Used together, displays the findings associated with a short ID or an investigation. short_id, investigation
EYIYNW, 5a4be2b8cdc9736b2352c7c3		 form.association_type=short_id&form.association_id=EYIYNW

Restore the default navigation

Note: Restoring the default navigation resets any customization you made to the navigation bar in Splunk Enterprise Security.

Follow these steps to restore the default navigation of the Splunk Enterprise Security menu bar:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Navigation.
  3. Select Restore default configuration.
  4. Select OK to confirm.
  5. Select Save.