I'm using Splunk Enterprise with a developer license.
I have log files on my computer (access and error logs). I successfully indexed them and I can do searches.
I have Splunk Security Essentials installed and now I want to test the previously indexed data with the given use cases from Security Essentials. I read the docs and all other stuff I found on Google but I don't get it. When I try to use "Automated Introspection" in "Data Inventory", I get no results. When I try to use "Data Source Check", I get no results. I don't know what to do.
My task is to apply the given use cases on the data from the access and error logs and to evaluate if they are usable in our context. Further on I have to create my own use cases to get a large spread over many use cases. All of those must be based on Kill Chains and Mitre Att&ck. I have no idea how to solve my problem with the data and how to go on with my task.
Thanks in advance.
Old topic, but SSE has changed a lot since 2020.
Simple answer: SSE: Setup > Content Introspection - will auto scan your existing log sources and then provide recommendations for your security use cases. BE PATIENT! Introspection queries ALL of your data so best to use this button on a new system vs one with tons of data. I don't know a way to limit the scanning range.
Plan B: Setup > Data Inventory - manually map your log sources to the long list of data source types.
One does not load data into SSE. SSE uses its own demo data or data already in your indexes.
Select "Security Content" from the "Security Content" menu. Select a use case from those displayed and then click the "Live data" button in the top right corner.
I feel like this is something that should be explained somewhere in the app or on the splunkbase site using a large font and in red. It is very unclear that SSE is just a log logistics and framework helper app and not a security monitoring / alerting app itself.
There are some hints when you start stepping through the process (like all the other suggested apps), but users who are new to Splunk and are trying to set up some security monitoring will spin their wheels for a while before realizing this.
Edit: I think that may have come off as an angry critique. I'd just like to point out that I appreciate all the effort that went into the SSE app. The comprehensive approach to security detection mapped to MITRE ATT&CK with sample searches removes months of effort from the work needed to make Splunk useful from a security monitoring perspective.
Even here, every use case fails. The source type is "access_combined_wcookie".
I try to use the use case "First Time Accessing an Internal Git Repository". The data check "Must have BitBucket / Git data" says "In tests so far, Atlassian BitBucket git logs are stored in a file called atlassian-bitbucket-access.log. We're looking for that here.". The data check "Must have a user defined in your data" says "You should have a field called "user" defined in your bitbucket logs. If that's not currently extracted, build an extraction for it (or do an inline rex in the SPL below to work around this).".
I have Bitbucket Logs indexed and I have a field called user, but both checks fail.
How can I get the use case to become successful?
Click on the "SPL Mode" box and enable SPL mode for the use case. Verify the SPL displayed makes sense for your data. I usually will copy the SPL into the Search & Reporting app to test it out. Sometimes the local data is not formatted the way SSE expects.
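As an added illustration of what "verify the SPL makes sense for your data" and "do an inline rex" look like in practice, here is a first-seen search in the spirit of the "First Time Accessing an Internal Git Repository" use case. It is example code written for this thread, not SSE's own content and not the answerer's search. It assumes an index called `web` (assumption), the sourcetype `access_combined_wcookie` from the thread, that the third whitespace-separated token of each event is the authenticated user (standard combined-log layout; the inline rex is only needed when `user` is not already extracted), and that the auto-extracted `uri_path` field exists and that its first two path segments identify a repository (assumption; adjust the second rex to your repo URL scheme).

```spl
index=web sourcetype=access_combined_wcookie earliest=-30d@d
    /* Inline extraction of the authenticated user (3rd token of a combined-log line).
       Remove this line if your sourcetype already extracts "user". */
| rex field=_raw "^\S+\s+\S+\s+(?<user>\S+)\s+\["
| where isnotnull(user) AND user!="-"
    /* Assumed repo naming: first two path segments, e.g. /project/repo.git -> project/repo.git */
| rex field=uri_path "^/(?<repo>[^/?]+/[^/?]+)"
| where isnotnull(repo)
    /* Build a 30-day baseline of who has touched which repo */
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count AS requests BY user repo
    /* Keep only user/repo pairs whose first request falls in the last day */
| where first_seen >= relative_time(now(), "-1d@d")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - first_seen
```

Run it in Search & Reporting first: if the `user` or `repo` columns come back empty, the rex patterns do not match your log layout, which is the same symptom SSE's data checks report when they fail. Once the fields populate, the same search can be saved as an alert, and the baseline window (`-30d@d`) and detection window (`-1d@d`) can be tuned to your environment.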
Thanks. I thought that SSE is a complete framework that analyzes the indexed data automatically. It's more like a recipe book, with common use cases which one can individually edit for the specific data.
I don't know if I haven't seen them, but are there use cases for sourcetype "access_combined(_wcookie)"? I found this add-on for access logs: https://splunkbase.splunk.com/app/3186/#/overview
But does SSE have its own use cases for this sourcetype, or use cases that you can use on this sourcetype? I didn't find any so far.
I'm not aware of any SSE use cases specific to the access_combined sourcetype.
There are some under Data Source Category "Webserver Access Logs". Some, maybe even most, of those rely on using the CIM Web data model.
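Since the "Webserver Access Logs" use cases depend on the CIM Web data model, the practical check is whether your `access_combined_wcookie` events actually populate it. The two searches below are an added example for this thread, not SSE content or the answerer's code; they assume the Splunk Common Information Model add-on is installed with its stock Web data model, whose root constraint is the `web` tag, and that the data lives in an index named `web` (assumption).

```spl
/* 1. Are the raw events tagged for the Web data model at all?
      Zero results here means no eventtype/tag maps this sourcetype to "web". */
index=web sourcetype=access_combined_wcookie tag=web
| head 5
| table _time sourcetype eventtype tag

/* 2. Do the CIM field names resolve through the data model?
      Empty Web.user / Web.url_path columns point at missing field aliases. */
| tstats summariesonly=false count AS events dc(Web.user) AS distinct_users
    FROM datamodel=Web
    WHERE sourcetype="access_combined_wcookie"
    BY sourcetype Web.http_method Web.status
| sort - events
```

If search 1 returns events but search 2 returns nothing, the tag exists but the CIM field mappings do not; if search 1 is already empty, install or enable the web-server add-on that supplies the `web` eventtype and tag for this sourcetype before expecting the SSE "Webserver Access Logs" use cases to run.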