https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Cheat-Sheet/m-p/544711#M9803 <P>Hi Everyone,</P><P>I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.<BR /><BR />Specific topics of interest:<BR />1. <STRONG>Recommended 'base apps' for ES</STRONG>, eg:</P><UL><LI>CIM</LI><LI>ESCU</LI><LI>CIM-Validator</LI><LI>lookup file editor</LI><LI>knowledge object explorer</LI><LI>more??</LI></UL><P>2. Some sort of <STRONG>validator for apps/addons</STRONG> for all required sourcetypes, and info on which peer to install them on.</P><UL><LI>eg. For Azure: SH - App and addon, HF - App and addon</LI></UL><P>3. And finally ways to quickly <STRONG>validate logs</STRONG> eg:</P><UL><LI>use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.<UL><LI>if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.</LI><LI>or use queries like this to validate your logs, based on a table that matches the required fields:<UL><LI>|datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product</LI></UL></LI></UL></LI></UL><P>I would greatly appreciate your feedback and better ways to validate your ES installation.</P><P>Thanks.</P> Mon, 22 Mar 2021 02:51:16 GMT dbroggy 2021-03-22T02:51:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Cheat-Sheet/m-p/544711#M9803 <P>Hi Everyone,</P><P>I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.<BR /><BR />Specific topics of interest:<BR />1. <STRONG>Recommended 'base apps' for ES</STRONG>, eg:</P><UL><LI>CIM</LI><LI>ESCU</LI><LI>CIM-Validator</LI><LI>lookup file editor</LI><LI>knowledge object explorer</LI><LI>more??</LI></UL><P>2. Some sort of <STRONG>validator for apps/addons</STRONG> for all required sourcetypes, and info on which peer to install them on.</P><UL><LI>eg. For Azure: SH - App and addon, HF - App and addon</LI></UL><P>3. And finally ways to quickly <STRONG>validate logs</STRONG> eg:</P><UL><LI>use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.<UL><LI>if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.</LI><LI>or use queries like this to validate your logs, based on a table that matches the required fields:<UL><LI>|datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product</LI></UL></LI></UL></LI></UL><P>I would greatly appreciate your feedback and better ways to validate your ES installation.</P><P>Thanks.</P> Mon, 22 Mar 2021 02:51:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Cheat-Sheet/m-p/544711#M9803 dbroggy 2021-03-22T02:51:16Z