https://community.splunk.com/t5/Getting-Data-In/Splunk-Security-Essentials-integration-with-Forcepoint-app/m-p/580458#M102406 <P>Any time you find a Splunk document to be lacking, submit feedback on that docs page.&nbsp; The Documentation team is great about updating docs in response to user feedback.</P><P>The message in the first screenshot indicates you do not have Splunk Enterprise Security installed.&nbsp; To resolve it, buy and install ES.</P><P>The use cases in SSE are built using somewhat generic SPL, but should always be examined and updated before deploying it in a real environment.&nbsp; For example, many use cases use "index=*", which should never be allowed in a Production system.&nbsp; Also, some examples use products you may not have so you'll need to modify those examples to use data from your products.</P><P>The tags shown in the last screenshot come with the Splunk Common Information Model (CIM) app, IIRC.</P><P>IMO, the Splunk Security Essentials app should not be used as a SOC tool, but as a way to learn what you can do with Splunk to solve SOC use cases.&nbsp; Use SSE to see what is possible using your data and what data you need to solve other use cases, but take those examples and implement them in your own app.</P> Mon, 10 Jan 2022 14:09:19 GMT richgalloway 2022-01-10T14:09:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Security-Essentials-integration-with-Forcepoint-app/m-p/580434#M102399 <P>Hello,</P><P>I've been trying to get data in SSE, but somehow I can't. The setup is the following - Installed Splunk Enterprise, Universal Forwarder, Forecpoint app, Syslog-ng(for receiving the logs, which i monitor with the UF) and Splunk Security Essentials.</P><P>I've tried different things with the demo data but when I'm trying to do anything with the live data i hit the wall.&nbsp; I've tried to follow <A href="https://docs.splunk.com/Documentation/SSE/3.4.0/Install/ConfigureSSE" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SSE/3.4.0/Install/ConfigureSSE</A> these instructions, but they seem unclear and somehow inaccurate(For example in the chapter for getting data in - <STRONG>Configure the products you have in your environment with the Data Inventory dashboard.</STRONG> When I browse in the web interface there is no option to "2.b.Click <STRONG>Manually Configure</STRONG> to manually enter your data.") .</P><P>&nbsp;</P><P>The first thing I've noticed was that this error for the ES Integration was thrown, for which i didn't find any information.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17481i65CDD6E8C4C9FACA/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>When I open any use cases and for example "Basic Scanning", the sourcetype and index for forcepoint (index="forcepoint", sourcetype="next-generation-firewall") are missing by default. Are there any ways to add it automatically for all the use cases?<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="test123.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17486i50BD278765E219DE/image-size/large?v=v2&amp;px=999" role="button" title="test123.png" alt="test123.png" /></span></P><P>&nbsp;</P><P>I've already have logs monitored by the indexer forwarded by the Forcepoint which are displayed in the Splunk Search and Reporting and Forcepoint App.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="test124.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17484iFAD2B568FAEDA0DB/image-size/large?v=v2&amp;px=999" role="button" title="test124.png" alt="test124.png" /></span></P><P>&nbsp;</P><P>Even if i change the index and sourcetype in the enter a search field I still get these results. Can you give me any info on the tags, like what are they and what are they used for?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17488iD98CD5ACFDBFF8A8/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>Any guides or tips will be highly appreciated, thanks!</P> Mon, 10 Jan 2022 10:58:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Security-Essentials-integration-with-Forcepoint-app/m-p/580434#M102399 vaveryanov 2022-01-10T10:58:51Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Security-Essentials-integration-with-Forcepoint-app/m-p/580458#M102406 <P>Any time you find a Splunk document to be lacking, submit feedback on that docs page.&nbsp; The Documentation team is great about updating docs in response to user feedback.</P><P>The message in the first screenshot indicates you do not have Splunk Enterprise Security installed.&nbsp; To resolve it, buy and install ES.</P><P>The use cases in SSE are built using somewhat generic SPL, but should always be examined and updated before deploying it in a real environment.&nbsp; For example, many use cases use "index=*", which should never be allowed in a Production system.&nbsp; Also, some examples use products you may not have so you'll need to modify those examples to use data from your products.</P><P>The tags shown in the last screenshot come with the Splunk Common Information Model (CIM) app, IIRC.</P><P>IMO, the Splunk Security Essentials app should not be used as a SOC tool, but as a way to learn what you can do with Splunk to solve SOC use cases.&nbsp; Use SSE to see what is possible using your data and what data you need to solve other use cases, but take those examples and implement them in your own app.</P> Mon, 10 Jan 2022 14:09:19 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Security-Essentials-integration-with-Forcepoint-app/m-p/580458#M102406 richgalloway 2022-01-10T14:09:19Z