The Data Forge • Room 3

Custom Add-ons & Content Updates

ES receives periodic **Content Updates** from Splunkbase (ESCU, the Enterprise Security Content Update). These deliver new correlation searches, updated dashboards, and the latest threat detection rules.

Admins can also create **Custom Add-ons** to extend ES: custom correlation searches, custom dashboards, and custom Adaptive Response actions.

Best practice: never modify default ES content directly. Instead, create a custom app (e.g., `SA-MyCompany`) that overrides or adds to the defaults, so content updates don't overwrite your changes.
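As a worked illustration of the custom-app layering described above (an added example, not content from this course or from Splunk): one `app.conf` plus one `savedsearches.conf` inside `SA-MyCompany`. The app name comes from the page; the search names, SPL, schedule and notable settings are constructed, and the first stanza name is a placeholder for whichever shipped search you want to tune.

```ini
# $SPLUNK_HOME/etc/apps/SA-MyCompany/default/app.conf
# Constructed example: a headless app that only carries configuration.
[launcher]
author = Security Engineering
description = Site-specific correlation searches layered over ES defaults
version = 1.0.0

[ui]
is_visible = 0
label = SA-MyCompany

# $SPLUNK_HOME/etc/apps/SA-MyCompany/local/savedsearches.conf
#
# 1) Tune a shipped correlation search without editing its own app.
#    The stanza name must match the shipped search exactly. Only the keys
#    listed here are overridden; every other key still comes from the
#    ES/ESCU default, so a content update that changes the search logic
#    is picked up while the site-specific schedule survives.
#    (Placeholder stanza name, not a real search name.)
[<exact name of the shipped correlation search>]
cron_schedule = */15 * * * *
disabled = 0

# 2) Add a new correlation search owned entirely by this app.
#    Name, SPL and thresholds are constructed for illustration.
[Custom - Excessive Failed Logins By Source - Rule]
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action=failure by Authentication.src | where count > 50
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
action.correlationsearch.enabled = 1
action.correlationsearch.label = Custom - Excessive Failed Logins By Source
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $Authentication.src$
action.notable.param.security_domain = access
action.notable.param.severity = medium
```

Because any app's `local/` directory outranks every app's `default/` directory, the override in stanza 1 holds even after ESCU replaces the files under the shipping app's `default/`.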

Knowledge Check

Question 1 of 1
What is the recommended approach for customizing ES correlation searches?
A. Edit the default searches directly in the ES app
B. Create a separate custom app that overrides default content
C. Delete the existing searches and recreate them
D. Use the REST API to patch live searches