<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745889#M118548</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Utilize heavy forwarders (HF) to filter and route data based on event types, reducing unnecessary data ingestion&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Forwarding/Routeandfilterdatad" target="_blank"&gt;Route and filter data - Splunk Documentation&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://lantern.splunk.com/Splunk_Success_Framework/Platform_Management/Data_collection_architecture" target="_blank"&gt;Data collection architecture - Splunk Lantern&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Sat, 10 May 2025 14:16:49 GMT</pubDate>
    <dc:creator>kiran_panchavat</dc:creator>
    <dc:date>2025-05-10T14:16:49Z</dc:date>
    <item>
      <title>Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745886#M118545</link>
      <description>&lt;P&gt;Dear Splunk Community,&lt;/P&gt;&lt;P&gt;I am currently working on a project focused on identifying the essential data that should be collected from endpoints into Splunk, with the goal of avoiding data duplication and ensuring efficiency in both performance and storage.&lt;/P&gt;&lt;P&gt;Here’s what has been implemented so far:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;The &lt;STRONG&gt;Splunk_TA_windows&lt;/STRONG&gt; add-on has been deployed.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;The &lt;STRONG&gt;inputs.conf&lt;/STRONG&gt; file has been configured to include all available data.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Sysmon&lt;/STRONG&gt; has been installed on the endpoints.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;The Sysmon &lt;STRONG&gt;inputs.conf&lt;/STRONG&gt; path has been added to be collected using the default configuration from the Splunk_TA_windows add-on.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;In addition, we are currently collecting data from &lt;STRONG&gt;firewalls&lt;/STRONG&gt; and &lt;STRONG&gt;network switches&lt;/STRONG&gt;.&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I’ve attached screenshots showing the volume of data collected from one endpoint over a 24-hour period. The data volume is quite large, especially in the following categories:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;WinRegistry&lt;/STRONG&gt;&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Service&lt;/STRONG&gt;&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Upon reviewing the data, I noticed that some information gathered from endpoints may be redundant or unnecessary, especially since we are already collecting valuable data from firewalls and switches. This has led me to consider whether we can reduce the amount of endpoint data being collected without compromising visibility.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;I would appreciate your input on the following:&lt;/STRONG&gt;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;&lt;P&gt;What are Splunk's best practices for collecting data from endpoints?&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;What types of data are considered &lt;EM&gt;essential&lt;/EM&gt; for security monitoring and analysis?&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Is relying solely on &lt;STRONG&gt;Sysmon&lt;/STRONG&gt; generally sufficient in most security environments?&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Is there a recommended framework or guideline for collecting the minimum necessary data while maintaining effective monitoring?&lt;/P&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;I appreciate any suggestions, experiences, or insights you can share. Looking forward to learning from your expertise.&lt;/P&gt;</description>
      <pubDate>Sat, 10 May 2025 13:27:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745886#M118545</guid>
      <dc:creator>kn450</dc:creator>
      <dc:date>2025-05-10T13:27:14Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745887#M118546</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Clearly&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;define&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;the&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;security&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;use&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;cases&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;(e.g.,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;threat&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;detection,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;incident&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;response,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;compliance)&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;to&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;determine&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;which&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;data&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;sources&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;are&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;necessary.&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Avoid&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;collecting&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;all&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;available&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;data&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;without&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;a&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;purpose,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;as&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;this&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;increases&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;storage&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;and&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;processing&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;overhead.&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;For&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;example,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;focus&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;on&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;data&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;that&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;supports&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;MITRE&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;ATT&amp;amp;CK&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;tactics&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;like&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Execution,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Persistence,&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;or&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Credential&lt;/SPAN&gt; &lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Access.&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;&lt;A href="https://riversafe.co.uk/resources/tech-blog/mastering-data-onboarding-with-splunk-best-practices-and-approaches/" target="_blank" rel="noopener"&gt;https://riversafe.co.uk/resources/tech-blog/mastering-data-onboarding-with-splunk-best-practices-and-approaches/&lt;/A&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;P&gt;Check this&amp;nbsp;&lt;A href="https://community.splunk.com/t5/Splunk-Dev/Splunk-registry-monitor-splunk-regmon-generating-too-much-data/m-p/371705" target="_blank"&gt;https://community.splunk.com/t5/Splunk-Dev/Splunk-registry-monitor-splunk-regmon-generating-too-much-data/m-p/371705&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Sat, 10 May 2025 14:11:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745887#M118546</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-05-10T14:11:31Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745888#M118547</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;Critical for detecting login attempts, privilege escalation, and account changes (e.g., Event IDs 4624, 4648, 4672, 4720). Filter out noisy events like 4663 (file access audits) unless specifically needed&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-data-from-my-Windows/m-p/440187" target="_blank" rel="noopener"&gt;https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-data-from-my-Windows/m-p/440187&lt;/A&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;A href="https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467532" target="_blank" rel="noopener"&gt;https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467532&lt;/A&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Refer this event codes:&amp;nbsp;&lt;A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/" target="_blank" rel="noopener"&gt;https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/&lt;/A&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;DIV&gt;Useful for system-level events like service changes or crashes (e.g., Event IDs 7036, 7045). Limit to high-value events to reduce volume.&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&lt;DIV&gt;&lt;DIV class=""&gt;&lt;STRONG&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Avoiding Redundancy&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN class=""&gt;:&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Firewall logs provide network traffic visibility (e.g., source/destination IPs, ports, protocols). Avoid collecting redundant network data from endpoints (e.g., excessive DNS or connection logs) unless it provides unique context, like process-level details from Sysmon&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;P&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;&lt;A href="https://lantern.splunk.com/Data_Descriptors/Firewall_data" target="_blank" rel="noopener"&gt;https://lantern.splunk.com/Data_Descriptors/Firewall_data&lt;/A&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;DIV&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;WinRegistry and Service&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;: These are high-volume sources. Limit to specific keys (e.g., Run keys, AppInit_DLLs) and events (e.g., new service creation) to avoid collecting redundant or low-value changes.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;A href="https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html" target="_blank" rel="noopener"&gt;https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html&lt;/A&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Sat, 10 May 2025 13:54:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745888#M118547</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-05-10T13:54:19Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745889#M118548</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Utilize heavy forwarders (HF) to filter and route data based on event types, reducing unnecessary data ingestion&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Forwarding/Routeandfilterdatad" target="_blank"&gt;Route and filter data - Splunk Documentation&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://lantern.splunk.com/Splunk_Success_Framework/Platform_Management/Data_collection_architecture" target="_blank"&gt;Data collection architecture - Splunk Lantern&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 10 May 2025 14:16:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745889#M118548</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-05-10T14:16:49Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745890#M118549</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Configuring Windows event logs for Enterprise Security use &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Configuring_Windows_event_logs_for_Enterprise_Security_use" target="_blank"&gt;https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Configuring_Windows_event_logs_for_Enterprise_Security_use&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Ensure that data sent from endpoints to Splunk is encrypted using SSL/TLS&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/ConfigureSplunkforwardingtousesignedcertificates" target="_blank" rel="noopener"&gt;Configure Splunk indexing and forwarding to use TLS certificates - Splunk Documentation&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 10 May 2025 14:34:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745890#M118549</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-05-10T14:34:10Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745891#M118550</link>
      <description>&lt;P&gt;There is no single "best practice" here. It all depends on what you want to achieve. If you have specific use cases and detections, you might want to limit your data only to the data directly contributing to those detections and nothing else. And generally the extent of the data gethered will differ depending on your detections.&lt;/P&gt;&lt;P&gt;But if you want to have data for subsequent forensics or threathunting then you might want to have as much data as possible. As long as you know what your data is about (and that's the most important thing with data onboarding - don't onboard unknown data just because "it might come in handy one day"), you want as much data as you can afford with your environment size and license constraints.&lt;/P&gt;</description>
      <pubDate>Sat, 10 May 2025 14:38:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745891#M118550</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2025-05-10T14:38:22Z</dc:date>
    </item>
    <item>
      <title>Re: Request for Best Practices on Collecting Essential Data from Endpoints to Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745892#M118551</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275296"&gt;@kn450&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'll try and keep this brief!&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best practice for endpoint data collection varies by organisation, industry, size, and threat profile (e.g., insider threats, advanced attackers, commodity malware). The right approach is to define your critical security use-cases (such as lateral movement, privilege escalation, or unauthorised access) and then determine what data to collect to support those cases. Relying on tuned Windows event logs provides robust coverage for most behavioral detection; additional Splunk_TA_windows inputs should only be enabled if tied directly to your specific use-cases.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Essential Windows event types commonly used for security monitoring:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;STRONG&gt;Logon/Logoff events:&lt;/STRONG&gt; 4624 (logon), 4634 (logoff), 4625 (failed logon)&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Process creation:&lt;/STRONG&gt; 4688 (Windows Security log), Sysmon Event ID 1 (with command-line)&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Network connections:&lt;/STRONG&gt; Sysmon Event ID 3&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;File creation/modifications:&lt;/STRONG&gt; Sysmon Event ID 11&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Registry changes:&lt;/STRONG&gt; Sysmon Event ID 13 (collect selectively, only if relevant to a use case)&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Security group/user changes:&lt;/STRONG&gt; 4720-4732 (account and group modifications)&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Service creation/modifications:&lt;/STRONG&gt; 7045 (filtered for suspicious activity), Sysmon Event ID 7&lt;/LI&gt;&lt;/UL&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;P&gt;The free &lt;A href="https://splunkbase.splunk.com/app/3435" target="_self"&gt;Splunk Security Essentials&lt;/A&gt; app can help you map your currently collected data to known security use-cases and identify gaps, aligning your ingestion strategy with what provides actionable security value. &lt;STRONG&gt;I would highly recommend installing this and having a look!&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Avoid enabling all data sources by default. Regularly review event types and volumes, filtering or disabling sources that do not support your prioritised detection requirements, to control storage and license use.&lt;/P&gt;&lt;P&gt;Are you using Splunk Enterprise Security, or are you planning to create your own rules? There is a lot we havent covered here such as making sure data is CIM compliant/mapped, hardware sizing etc. This is the sort of thing which would usually be architected out at the start to ensure you have the right data and resources available.&lt;/P&gt;&lt;P&gt;I'd recommend checking out the following links too:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/ES/7.3.3/Install/Planyourdatainputs" target="_self"&gt;Data source planning for Splunk Enterprise Security&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://lantern.splunk.com/Security/Getting_Started/Getting_data_onboarded_to_Splunk_Enterprise_Security" target="_self"&gt;Lantern -&amp;nbsp;Getting data onboarded to Splunk Enterprise Security&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Sat, 10 May 2025 15:02:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Request-for-Best-Practices-on-Collecting-Essential-Data-from/m-p/745892#M118551</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-05-10T15:02:15Z</dc:date>
    </item>
  </channel>
</rss>

