Turn on detections in Splunk Enterprise Security

Note: Finding-based detections in Splunk Enterprise Security are currently released as a preview feature. Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms. To provide feedback, visit the Voice of the Customer portal for finding-based detections and select Send Feedback.

Turn on the detections you want to use in Splunk Enterprise Security so that they can create findings and run adaptive response actions. All detections in Splunk Enterprise Security are turned off by default when you install the app so that you can choose the detections that are most relevant to your use cases.

As a detection engineer or security analyst, you can run finding-based detections to generate findings when the sum of the risk scores for all events associated with an entity reaches a certain threshold. Finding-based detections search the risk index and aggregate the risk associated with entities such as assets and identities.
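The aggregation that a finding-based detection performs can be approximated with a plain search over the risk index, which is useful for checking what a detection would produce before you turn it on. The following search is an added example, not content from the Splunk documentation; it assumes the default risk index name `risk`, a 24-hour window and a threshold of 100, all of which are arbitrary choices for illustration:

```spl
index=risk earliest=-24h@h latest=now
| stats sum(risk_score) as total_risk_score
        count as risk_event_count
        dc(source) as distinct_detections
        values(source) as detections
        values(risk_message) as risk_messages
    by risk_object, risk_object_type
| eval risk_threshold=100
| where total_risk_score >= risk_threshold
| sort - total_risk_score
```

Each row is an entity whose summed risk crossed the threshold, together with the detections (`source`) that contributed; requiring a minimum `distinct_detections` in the `where` clause is a common way to keep one chatty detection from creating findings on its own.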

Turn on detections

Follow these steps to turn on detections to start creating findings and running adaptive response actions:

  1. Select Security content and then select Detections.
  2. Filter the security content by the Detection type.
  3. Locate the name of the detection you want to turn on.
  4. In the Status column, select Turn on to activate the detections that you want to run.

Once turned on, the detections run on the schedule set in the detection editor. Turn off detections that you don't need so that they don't generate unnecessary noise.