
How to get data into Splunk Security Essentials?

robin272
Engager

I'm using Splunk Enterprise with a developer license.
I have log files on my computer (access and error logs). I successfully indexed them and I can do searches.
I have Splunk Security Essentials installed and now I want to test the previously indexed data with the given use cases from Security Essentials. I read the docs and all other stuff I found on Google but I don't get it. When I try to use "Automated Introspection" in "Data Inventory", I get no results. When I try to use "Data Source Check", I get no results. I don't know what to do.
My task is to apply the given use cases on the data from the access and error logs and to evaluate if they are usable in our context. Further on I have to create my own use cases to get a large spread over many use cases. All of those must be based on Kill Chains and MITRE ATT&CK. I have no idea how to solve my problem with the data and how to go on with my task.

Thanks in advance.

0 Karma

dbroggy
Path Finder

Old topic, but SSE has changed a lot since 2020.

Simple answer: SSE: Setup > Content Introspection - will auto scan your existing log sources and then provide recommendations for your security use cases. BE PATIENT! Introspection queries ALL of your data so best to use this button on a new system vs one with tons of data. I don't know a way to limit the scanning range.

Plan B: Setup > Data Inventory - manually map your log sources to the long list of data source types.

0 Karma

richgalloway
SplunkTrust

One does not load data into SSE. SSE uses its own demo data or data already in your indexes.

Select "Security Content" from the "Security Content" menu. Select a use case from those displayed and then click the "Live data" button in the top right corner.

---
If this reply helps you, Karma would be appreciated.
0 Karma

fahmed11
Explorer

I feel like this is something that should be explained somewhere in the app or on the Splunkbase site using a large font and in red. It is very unclear that SSE is just a log logistics and framework helper app and not a security monitoring / alerting app itself.

There are some hints when you start stepping through the process (like all the other suggested apps), but users who are new to Splunk and are trying to set up some security monitoring will spin their wheels for a while before realizing this.

Edit: I think that may have come off as an angry critique. I'd just like to point out that I appreciate all the effort that went into the SSE app. The comprehensive approach to security detection mapped to MITRE ATT&CK with sample searches removes months of effort from the work needed to make Splunk useful from a security monitoring perspective.

0 Karma

robin272
Engager

Even here, every use case fails. The source type is "access_combined_wcookie".
I try to use the use case "First Time Accessing an Internal Git Repository". The data check "Must have BitBucket / Git data" says "In tests so far, Atlassian BitBucket git logs are stored in a file called atlassian-bitbucket-access.log. We're looking for that here.". The data check "Must have a user defined in your data" says "You should have a field called "user" defined in your bitbucket logs. If that's not currently extracted, build an extraction for it (or do an inline rex in the SPL below to work around this).".
I have Bitbucket Logs indexed and I have a field called user, but both checks fail.

How can I get the use case to become successful?

0 Karma

richgalloway
SplunkTrust

Click on the "SPL Mode" box and enable SPL mode for the use case. Verify the SPL displayed makes sense for your data. I usually will copy the SPL into the Search & Reporting app to test it out. Sometimes the local data is not formatted the way SSE expects.

---
If this reply helps you, Karma would be appreciated.
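
A manual version of the two data checks quoted earlier in the thread, to run in Search & Reporting as the reply above suggests. This is an added example, not SSE's own SPL and not part of the original posts; the 7-day window is an assumption, and the file name and sourcetype are the ones mentioned in the thread. It lists each index/sourcetype/source combination, whether the source ends in the file name the check text describes, and how many events carry a `user` field.

```spl
index=* (source="*atlassian-bitbucket-access.log" OR sourcetype="access_combined_wcookie") earliest=-7d
| eval matches_expected_source=if(like(source, "%atlassian-bitbucket-access.log"), "yes", "no")
| stats count AS events, count(user) AS events_with_user, dc(user) AS distinct_users
    BY index, sourcetype, source, matches_expected_source
| eval user_field_coverage_pct=round(100 * events_with_user / events, 1)
| sort - events
```

Rows with `matches_expected_source="no"` or `events_with_user=0` show where the indexed data differs from what the check text describes, which is the place to adjust the use case's SPL or the field extraction.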

robin272
Engager

Thanks. I thought that SSE is a complete framework that analyzes the indexed data automatically. It's more like a recipe book, with common use cases which one can individually edit for the specific data.
I don't know if I haven't seen them, but are there use cases for sourcetype "access_combined(_wcookie)"? I found this add-on for access logs: https://splunkbase.splunk.com/app/3186/#/overview
But does SSE have its own use cases for this sourcetype, or use cases that you can use on this sourcetype? I didn't find any so far.

0 Karma

richgalloway
SplunkTrust

I'm not aware of any SSE use cases specific to the access_combined sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma

FrankVl
Ultra Champion

There are some under Data Source Category "Webserver Access Logs". Some, maybe even most, of those rely on using the CIM Web data model.

0 Karma