Extend the capabilities of the InfoSec app for Splunk

Extend the monitoring capabilities of the Splunk InfoSec app by building your own dashboard panels and alerts.

Use the following examples to guide you through two scenarios to extend the monitoring capabilities of the InfoSec app:

  • Add a new dashboard panel to the Custom Use Cases dashboard within the InfoSec app
  • Add a new alert to the InfoSec app

You must create a custom search to add a new dashboard panel or to add a new alert to the InfoSec app.

Build a custom search

Follow these steps to build a custom search:

  1. Navigate to the Splunk Security Essentials (SSE) app within your Splunk Platform environment.
    If you need to download and install the SSE app, you can find the Splunk Security Essentials app (SSE) on Splunkbase.
  2. Select Security Content from the Security Content menu.
  3. Select the Windows Event Log Clearing Events search.
  4. Select Live Data from the View when the search opens.
  5. Scroll down and locate SPL Mode.
  6. Enable SPL Mode.
  7. Select the search and copy it to your clipboard.

    index=* (source="*WinEventLog:Security" AND (EventCode=1102 OR EventCode=1100)) OR ((source="*WinEventLog:System") AND EventCode=104) | stats count by _time EventCode sourcetype host

  8. Navigate back to the InfoSec app to add it as the custom use case or as an alert.

Example 1 : Add a panel to the Custom Use Cases dashboard

Follow these steps to add a panel to the Custom Use Cases dashboard:

  1. Navigate to the InfoSec app within your Splunk Platform environment.
  2. Select Search from the Search menu within the InfoSec app.
  3. Paste the custom search that you copied onto your clipboard. Build a custom search into the search bar.
  4. Set a suitable time range.
    For this example, set the time range to Last 24 hours.
  5. Run the search by clicking the magnifying glass icon.
  6. Select the Dashboard Panel from the Save As menu to add the table to the dashboard panel.
  7. Type the following details in the dialog box that opens:
  8. *Select Existing Dashboard.
  9. From the drop-down menu, list, locate, and select the Custom Use Cases dashboard.
  10. Type in a title for the new dashboard panel. For example, Detected Log File Tampering.
    A new panel is added to the dashboard.

Example 2: Add an alert

Follow these steps to add an alert:

  1. Navigate to the InfoSec app within your Splunk Platform environment.
  2. Select Search from the Search menu within the InfoSec app.
  3. Paste the custom search that you copied onto your clipboard in Build a custom search into the search bar.
  4. Set a suitable time range.
    For this example, set the time range to Last 60 minutes.
  5. Run the search by clicking the magnifying glass icon.
  6. From the Save As menu, select Alert.
  7. Type a title and description for the alert in the dialog box that opens.
  8. Set the permissions to be Shared in App so that other users have access to the new alert.
  9. Set the Alert type as Scheduled. For this example, run the search every hour.
  10. Check that the settings set off an alert when the number of results is greater than 0.
  11. Under Trigger Actions, add the action Add to Triggered Alerts.
  12. Click Save.
    You can verify that the alert is saved by navigating to the Alerts dashboard and selecting Edit Existing Alerts.