All Apps and Add-ons

How do I get data into the splunk's security essentials app?

Explorer

I have an indexer with the security essentials app installed on it and I'm wondering what kind of data the security essentials app looks at? For example, the Linux auditd app looks at audit logs. So I am wondering how to get the right data into the security essentials app?

Esteemed Legend

Make sure that you are using the very latest version of the app which has breakouts/searches based on sourcetype/data so you can turn your question inside out and ask I have this sourcetype./data, what content can I exploit? There has been a huge amount of work in this are in the latest releases so this is fully built-in now.

0 Karma

Splunk Employee
Splunk Employee

We just launched Splunk Security Essentials 2.0, which actually includes data onboarding guides for some of the top data sources. Many of the examples today that leverage Windows Security logs could be adapted to Linux logs -- if you want to get really deep, let me know, and we can hopefully help out. We'll be doing more enhancements to take advantage of Linux Auth data as well in the near future, so stay tuned.

0 Karma

Communicator

David - I'm having an issue defining the user field from the Windows Security logs. The Splunk TA for Windows is installed and the 'WinEventLog://Security' stanza is enabled. Is there a specific stanza(s) that needs to be enabled in addition to the Security one for the user field to be defined?

0 Karma

Path Finder

those onboarding guides are terrific. is there any way to export them all or will Splunk be providing a web resource for that outside of the app? thanks.

0 Karma

Splunk Employee
Splunk Employee

The official windows TA includes props.conf + transforms.conf that will define the user. Make sure that you have the TA installed on your SH, and it should work.

(For tons of detail, in props.conf there is a source::*:Security stanza that contains a REPORT-user_for_windows_security line. That line will invoke three stanzas in transforms.conf that define the user field. You shouldn't need to know any of that though -- just make sure that TA is on your search head, or your all-in-one instance.)

0 Karma

Communicator

My all-in-one instance is Linux. Should I install it anyway?

0 Karma

Splunk Employee
Splunk Employee

Yep! All the inputs are disabled, so it will just easily allow you to get the proper field extractions.

0 Karma

Communicator

Thanks David - that did the trick!

I had the app installed on the UFs only....once the app was installed on the server (plain out-of-the-box install....every setting disabled in inputs.conf) everything started working as advertised.

0 Karma

SplunkTrust
SplunkTrust

navigate to the app,
click on the "Data Source Check" button -> click "Start Searching" ->check the use cases on left and the "live data" column which represents data that exist in your environment.
kindly read through the full introduction and description of this app. this app provides examples for searches around security data and use cases.
there are close to 50 different use cases and plenty of different data sources this app takes into consideration.
what kind of security relevant data do you have today? do you bring it to splunk?
if not, time to bring it on and show the power of Splunk after exploring the Security Essentials App
good luck