<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Enterprise Security: What is the best practice for collecting Windows logs? in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-is-the-best-practice-for/m-p/203618#M1102</link>
<description>&lt;P&gt;The best practice for the collection of logs for use with Enterprise Security is to use (or build) an add-on that is compatible with the Splunk Common Information Model. One of the default filters on &lt;A href="https://splunkbase.splunk.com/apps/#/search/windows/cim/4.6,4.5,4.4,4.3,4.2,4.1,4.0,3.0"&gt;splunkbase&lt;/A&gt; is CIM compatibility. The &lt;A href="https://splunkbase.splunk.com/app/742"&gt;Splunk Add-on for Microsoft Windows&lt;/A&gt; is CIM compatible, and will provide the eventtype and tagging requirements for the typical Windows Event Log sources. If you've already been ingesting Windows logs using that add-on, then you should have the log sources tagged properly for use with the CIM data models. Confirm that your Windows Event Log data is showing up in a datamodel (for example, review the Authentication data model using Pivot), and if it's there you can move on to defining use-cases.&lt;/P&gt;

&lt;P&gt;In a security environment, all data is relevant. So begin by defining the critical use-cases in your environment, and what data is required to fulfill those use-cases. Scope the data sources to CIM datamodels. To see which add-ons populate a given datamodel, use the two searches documented in this &lt;A href="http://blogs.splunk.com/2015/05/01/relating-add-ons-to-cim/"&gt;blog post&lt;/A&gt;. If you are working with correlation searches, review the search to see which datamodels are referenced.&lt;/P&gt;

&lt;P&gt;With the list of required use-cases, and the knowledge of what data you need to fulfill those use-cases, you can choose to mark data sources that are less important to your current priorities and temporarily exclude them from collection.&lt;/P&gt;</description>
    <pubDate>Wed, 05 Oct 2016 22:08:59 GMT</pubDate>
    <dc:creator>ekost</dc:creator>
    <dc:date>2016-10-05T22:08:59Z</dc:date>
    <item>
      <title>Splunk Enterprise Security: What is the best practice for collecting Windows logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-is-the-best-practice-for/m-p/203617#M1101</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;

&lt;P&gt;We are collecting all logs from Windows (wineventlogs, windows, perfmon) from all the Domain Controllers. It's a huge amount of logs we are ingesting. What is the best practice to get the logs which have value for Splunk Enterprise Security, and what logs are to be excluded?&lt;/P&gt;</description>
      <pubDate>Tue, 20 Sep 2016 14:54:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-is-the-best-practice-for/m-p/203617#M1101</guid>
      <dc:creator>kiran331</dc:creator>
      <dc:date>2016-09-20T14:54:45Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Enterprise Security: What is the best practice for collecting Windows logs?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-is-the-best-practice-for/m-p/203618#M1102</link>
<description>&lt;P&gt;The best practice for the collection of logs for use with Enterprise Security is to use (or build) an add-on that is compatible with the Splunk Common Information Model. One of the default filters on &lt;A href="https://splunkbase.splunk.com/apps/#/search/windows/cim/4.6,4.5,4.4,4.3,4.2,4.1,4.0,3.0"&gt;splunkbase&lt;/A&gt; is CIM compatibility. The &lt;A href="https://splunkbase.splunk.com/app/742"&gt;Splunk Add-on for Microsoft Windows&lt;/A&gt; is CIM compatible, and will provide the eventtype and tagging requirements for the typical Windows Event Log sources. If you've already been ingesting Windows logs using that add-on, then you should have the log sources tagged properly for use with the CIM data models. Confirm that your Windows Event Log data is showing up in a datamodel (for example, review the Authentication data model using Pivot), and if it's there you can move on to defining use-cases.&lt;/P&gt;

&lt;P&gt;In a security environment, all data is relevant. So begin by defining the critical use-cases in your environment, and what data is required to fulfill those use-cases. Scope the data sources to CIM datamodels. To see which add-ons populate a given datamodel, use the two searches documented in this &lt;A href="http://blogs.splunk.com/2015/05/01/relating-add-ons-to-cim/"&gt;blog post&lt;/A&gt;. If you are working with correlation searches, review the search to see which datamodels are referenced.&lt;/P&gt;

&lt;P&gt;With the list of required use-cases, and the knowledge of what data you need to fulfill those use-cases, you can choose to mark data sources that are less important to your current priorities and temporarily exclude them from collection.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Oct 2016 22:08:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-What-is-the-best-practice-for/m-p/203618#M1102</guid>
      <dc:creator>ekost</dc:creator>
      <dc:date>2016-10-05T22:08:59Z</dc:date>
    </item>
  </channel>
</rss>