Installation steps: SAP PowerConnect Content Pack for Splunk Enterprise Security
The PowerConnect Content Pack for Enterprise Security can be installed through Splunkbase and does not require any special configuration.
1. Go to the PowerConnect SAP Content for Enterprise Security | Splunkbase page, or find the content pack by searching on the “Find More Apps” page of your Splunk installation.
2. Install the app:
   - On Splunkbase, log in to download the app, then upload it to your Splunk installation, or
   - On the “Find More Apps” page of your Splunk installation, click to self-service install the app in your Splunk system.
Once the app is installed, you can configure and customize the correlation searches as needed!
1. Open the Splunk Enterprise Security app.
2. Navigate to “Configure > Content > Content Management”.
3. Do one of the following to narrow the view to the content pack:
   - Search “PowerConnect”.
   - Under the App filter, select “PowerConnect SAP Content for Enterprise Security”.
4. Activate or deactivate the desired group of correlation searches by clicking “Enable” or “Disable” in the Actions column.
   All correlation searches are deactivated by default so that customers can activate the specific searches they need.
CONTENT PACK VERSION 1.0.0 ONLY
A misconfiguration in the release has caused all correlation searches to be treated as orphaned searches. They will not run without being assigned to an owner. For more information on resolving this issue, see KB 174 - Orphaned Correlation Searches in ES Content Pack Not Generating Notable Events.