Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Path Finder

Hello,

Is there a way with OSSEC to monitor when software is being installed?

Re: Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Splunk Employee

@nickbijmoer - Are you using the Splunk Add-on for OSSEC? I just want to make sure your post is tagged correctly. Thank you.

Re: Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Path Finder

@aaraneta, yes, I use the Splunk Add-on for OSSEC.

Re: Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Splunk Employee

If you are looking to integrate with ES, the ossecfileintegritymonitoring source type maps to the Change Analysis data model and ossecalert maps to the Alerts data model.

You could adapt some of the existing correlation searches that use change analysis to fit this need or use the guided search to build a correlation search. You will want to think about how often you want to be alerted to these changes and if there is a certain threshold you would want to set.

Re: Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Path Finder

I'm trying to integrate it in Splunk Enterprise, since we don't have Enterprise Security here. Is it also possible on the Enterprise edition?

Re: Splunk Add-on for OSSEC: Is there a way with OSSEC to monitor when software is installed?

Splunk Employee

Yes. You can use the Common Information Model and the associated TA on Splunkbase https://splunkbase.splunk.com/app/2808/ and build a data model search using the Change Analysis data model, or you can just take the OSSEC data in and then build some searches based on what you see.

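The last answer says to take the OSSEC data in and build searches on what you see. What you see, for a software install, is one of two things: a syscheck "file added" alert for a path under a binary or package directory (OSSEC raises this only when the syscheck block in ossec.conf lists that directory and has `<alert_new_files>yes</alert_new_files>`), or a package-manager log line (dpkg, yum) matched by an OSSEC rule whose description says "installed". The script below is an added example, not code from the thread, the Splunk add-on or the OSSEC project. It parses the raw OSSEC alerts.log block format, keeps only alerts that indicate an installation, and returns them; the same two conditions are what a Splunk search over the add-on's source types would key on. Assumptions: the alert text is constructed sample data; rule 554 ("File added to the system.") and rule 2902 ("New dpkg (Debian Package) installed.") are the stock OSSEC rule numbers as I recall them and should be checked against the rules directory of your installation; `INSTALL_DIRS` is a hypothetical watch list that must match your own syscheck `<directories>` entries.

```python
import re
from typing import Dict, List

# Constructed sample of OSSEC alerts.log content (not captured from a real host).
SAMPLE_ALERTS = """\
** Alert 1577836800.1234: - ossec,syscheck,
2020 Jan 01 00:00:00 (web01) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/usr/local/bin/ncat' added to the file system.

** Alert 1577836860.5678: - syslog,dpkg,
2020 Jan 01 00:01:00 (web01) 10.0.0.5->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2020-01-01 00:00:59 status installed nmap:amd64 7.80+dfsg1-2build1

** Alert 1577836920.9012: - ossec,syscheck,
2020 Jan 01 00:02:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'
"""

# Assumed watch list: new files here are a strong install signal. Keep it in
# sync with the <directories> entries of the syscheck block in ossec.conf.
INSTALL_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/", "/opt/")

# Assumed stock rule number for "File added to the system." (verify in your ruleset).
RULE_NEW_FILE = 554

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>[\d.]+): (?P<mail>mail )?- (?P<groups>.*)$")
ORIGIN_RE = re.compile(
    r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
NEW_FILE_RE = re.compile(r"^New file '(?P<path>.+)' added to the file system\.$")


def parse_alerts(text: str) -> List[Dict]:
    """Split alerts.log text into blank-line separated alert blocks and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert block; skip rather than guess
        alert = {
            "ts": float(head.group("ts")),
            "groups": [g for g in head.group("groups").split(",") if g],
            "rule": None, "level": None, "desc": "",
            "host": None, "location": "", "message": [],
        }
        for line in lines[1:]:
            origin = ORIGIN_RE.match(line)
            if origin and alert["host"] is None:
                # Agent alerts carry "(agent) ip->location"; local ones "host->location".
                alert["host"] = origin.group("agent") or origin.group("host")
                alert["location"] = origin.group("location")
                continue
            rule = RULE_RE.match(line)
            if rule and alert["rule"] is None:
                alert["rule"] = int(rule.group("rule"))
                alert["level"] = int(rule.group("level"))
                alert["desc"] = rule.group("desc")
                continue
            alert["message"].append(line)  # payload lines after the Rule: line
        alerts.append(alert)
    return alerts


def install_events(alerts: List[Dict]) -> List[Dict]:
    """Keep only alerts that indicate software being installed."""
    hits = []
    for a in alerts:
        reason = None
        if "syscheck" in a["groups"] and a["rule"] == RULE_NEW_FILE:
            # File integrity monitoring reported a new file: only binary/package paths count.
            for line in a["message"]:
                m = NEW_FILE_RE.match(line)
                if m and m.group("path").startswith(INSTALL_DIRS):
                    reason = f"new file {m.group('path')}"
        elif ({"dpkg", "yum"} & set(a["groups"])) and "installed" in a["desc"].lower():
            # Package-manager log line matched by an OSSEC package-installation rule.
            reason = a["desc"]
        if reason:
            hits.append({"host": a["host"], "rule": a["rule"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in install_events(parse_alerts(SAMPLE_ALERTS)):
        print(hit)
```

The checksum-change alert for /etc/hosts is parsed but not reported: a modified config file is a change worth its own search, but it is not evidence of an install, and mixing the two is what produces noisy alerts. Once the OSSEC data is in Splunk, a scheduled search keyed on the same two conditions (rule number plus path prefix, or package-manager rule group) with a per-host threshold is the Enterprise equivalent of the ES correlation search mentioned earlier in the thread.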