
What are the indexes, epintel, epav, and appmsadmon for, in the Splunk Add-on for Microsoft Windows?

hettervik
Builder

Hi folks,

When at customers I like to use the SPL Services TAs for Windows and Linux instead of the TAs found on Splunkbase, as the SPL Services applications offer more granularity in the inputs. The TA for Windows is named Splunk_TA_windows, and it mainly categorizes the inputs into the following indexes: oswin, oswinsec, oswinscript, oswinperf, and oswinreg. So far so good. However, there are some additional indexes used in the TA, namely epav, epintel, and appmsadmon. Can someone explain to me the purpose of these three indexes?

The SPL Services TA Splunk_TA_windows is found here: https://bitbucket.org/SPLServices/splunk_ta_windows/downloads/

Some more information on the inputs in the TA: https://www.rfaircloth.com/wp-content/uploads/2017/03/PT005-Microsoft-Windows.pdf

1 Solution

hettervik
Builder

Got some clarifications from the author of the TA himself, which I'll copy in below.

The Windows TA from Splunkbase is grandfathered. What it's doing is mashing together inputs into indexes in a way that breaks a few rules.

  • Search together stay together
  • Account for user communities (access control)
  • Account for retention times

The indexes laid down in "SecKit" work out a reasonable pattern for each of these considerations that is also acceptable for most customers' requirements.

  • epintel - "Could be Sysmon, could be Carbon Black, could be Bit9. In this case, 'intelligence' from the endpoint, which can be very large and has both strict access control needs and short retention due to costs"
  • epav - "Could be Windows Defender built into the OS, or SEP or McAfee, etc."
  • oswin* - OS events Windows / Windows Application and System Events
  • oswinsec - "Security specific things you probably need to keep for longer periods"
  • oswinscript - "Splunk scripted inputs with short retention needs"
  • oswinperf - "Short retention and generally not restricted access" / Windows Performance Metrics
  • appmsad - Windows Active Directory Events
  • oswinreg - Windows Registry

I think "ep" stands for "endpoint" and "av" stands for "anti-virus".

EDIT: More information is found here: https://splservices.atlassian.net/wiki/spaces/GD/pages/18911978/Splunk+Index

splunker12er
Motivator

The doc has the specifications, like package name, inputs, etc.


hettervik
Builder

Alright, so epintel is, among other things, used to store Sysmon logs, but I still don't get the naming convention behind the indexes. Why isn't Sysmon stored in any of the normal oswin indexes?

For example, the input "WinEventLog://Microsoft-Windows-Defender/Operational" stores logs in epav, which makes me think that epav is the index for security logs, but then again, that is what the oswinsec index is for, so what is the purpose of the epav index?


coltwanger
Contributor

I think the "ep" means "endpoint". The way I'm understanding it is that the "ep*" indexes are for services on the endpoint that could be from Windows, but are not necessarily from Windows itself. So you could have multiple threat intelligence components (sysmon, Bit9, etc) on the endpoint feeding your epintel index, but these are not Windows Security logs. I believe the same can stand for "epav" -- these logs could come from a built-in Windows Service like Defender, but you could also populate it with another source like SEP or McAfee (or all three if you hate yourself). Meaning you can have multiple sources outside of Windows reporting to these indexes, and they can be for the same overall task (av or intel). In our environment at least, these types of sources have much shorter retention periods, and I care less about the longevity of the data than I do say the OS Security Events like Login/Logoff/Membership changes, etc. So keeping the high-volume (and expensive) endpoint (ep) indexes separate from the more important events allows you to retain the security auditing events in Splunk for longer than you would normally want the endpoint logs.

Then, searching becomes a little easier as you can just specify "ep*" or "os*" for those types of logs without bringing in all OS logging in one search.
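As an added example (not code from the thread, SPL Services or SecKit), the Python below lays out a constructed inputs.conf, indexes.conf and authorize.conf along the index pattern the TA author describes in the accepted solution, then checks the two rules the reply above turns on: endpoint telemetry in the ep* indexes is retained no longer than oswinsec, and ep* is searchable only by a dedicated role. The index names are the thread's; which channels route where, the retention periods and the role name endpoint_analyst are assumptions made for the sample.

```python
import configparser
import fnmatch

# Constructed sample inputs.conf for a Windows TA, routed per the SecKit-style
# index pattern from the thread. Channel-to-index choices are assumptions.
INPUTS_CONF = """\
[WinEventLog://Security]
index = oswinsec

[WinEventLog://System]
index = oswin

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = epintel

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = epav

[admon://default]
index = appmsad
"""

# Constructed indexes.conf; retention values (seconds) are assumptions:
# 30 days for ep*, 180 days for oswin, 365 days for security and AD events.
INDEXES_CONF = """\
[oswin]
frozenTimePeriodInSecs = 15552000

[oswinsec]
frozenTimePeriodInSecs = 31536000

[appmsad]
frozenTimePeriodInSecs = 31536000

[epintel]
frozenTimePeriodInSecs = 2592000

[epav]
frozenTimePeriodInSecs = 2592000
"""

# Constructed authorize.conf: the general role is limited to OS/AD indexes;
# the assumed 'endpoint_analyst' role is the only one allowed into ep*.
AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = oswin*;appmsad

[role_endpoint_analyst]
importRoles = user
srchIndexesAllowed = epintel;epav
"""


def load_conf(text):
    """Parse Splunk stanza syntax with configparser; interpolation is off
    because Splunk values may contain literal '%' characters."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def input_index_map(inputs_text):
    """Return {input stanza: target index} for every input stanza."""
    cp = load_conf(inputs_text)
    return {stanza: cp[stanza]["index"] for stanza in cp.sections()}


def retention(indexes_text):
    """Return {index: frozenTimePeriodInSecs} for every defined index."""
    cp = load_conf(indexes_text)
    return {idx: int(cp[idx]["frozenTimePeriodInSecs"]) for idx in cp.sections()}


def role_indexes(authorize_text, role):
    """Return the srchIndexesAllowed patterns of a role (';'-separated)."""
    cp = load_conf(authorize_text)
    raw = cp[f"role_{role}"].get("srchIndexesAllowed", "")
    return [p.strip() for p in raw.split(";") if p.strip()]


def check_policy(inputs_text, indexes_text, authorize_text):
    """Return a list of violations; an empty list means the layout is consistent."""
    routes = input_index_map(inputs_text)
    keep = retention(indexes_text)
    problems = []
    # Every index an input routes to must actually be defined.
    for stanza, idx in routes.items():
        if idx not in keep:
            problems.append(f"{stanza} routes to undefined index {idx}")
    # Retention: high-volume endpoint telemetry is never kept longer than
    # the security audit trail it would otherwise crowd out of the budget.
    sec_keep = keep.get("oswinsec")
    if sec_keep is None:
        problems.append("oswinsec is not defined")
    else:
        for idx, secs in keep.items():
            if fnmatch.fnmatchcase(idx, "ep*") and secs > sec_keep:
                problems.append(f"{idx} retained longer than oswinsec")
    # Access control: the general role must not be able to search ep* indexes.
    for pattern in role_indexes(authorize_text, "user"):
        for idx in keep:
            if fnmatch.fnmatchcase(idx, "ep*") and fnmatch.fnmatchcase(idx, pattern):
                problems.append(f"role_user can search {idx} via '{pattern}'")
    return problems


if __name__ == "__main__":
    for stanza, idx in input_index_map(INPUTS_CONF).items():
        print(f"{stanza:60} -> {idx}")
    print("violations:", check_policy(INPUTS_CONF, INDEXES_CONF, AUTHORIZE_CONF) or "none")
```

With this layout `index=ep*` returns only the Sysmon and Defender events and `index=oswin*` only the OS events, which is the search split described above. The check returns an empty list for the sample; lengthen epintel past oswinsec, or give role_user `srchIndexesAllowed = *`, and it reports the violation. A stock role_user typically ships with `srchIndexesAllowed = *`, so the restriction has to be written explicitly rather than assumed.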

hettervik
Builder

Thanks! That was the same conclusion I got to after reading on the SPL services on Confluence. 🙂


splunker12er
Motivator

Utilized Indexes
• oswin
• oswinsec
• oswinscripts
• epav (SecKitBase)
• epintel (SecKitBase)
• netipam (SecKitBase)

The additional indexes are for the collection of various other log sources. Read through section 3 (Index Guidance) for the details.

There are several TAs for log collection that would use the above-mentioned indexes:

Splunk_TA_windows
SA-ModularInput-PowerShell
Splunk_TA_windows_SecKit_0_all_inputs
Splunk_TA_windows_SecKit_1_all_inputs
Splunk_TA_windows_SecKit_2_dhcp_inputs
Splunk_TA_windows_SecKit_2_dcadmon_inputs
Splunk_TA_windows_SecKit_2_dcadmonsync_inputs


hettervik
Builder

Thanks. I understand they are for other log sources, but I don't quite understand which log sources. What is the logic behind changing the naming convention from "oswin" to something completely different, and is there an explanation somewhere of the different indexes? More specifically, what kind of logs is the epav, the epintel and the appmsadmon indexes made for as they are not a part of the standard "oswin" naming convention?


splunker12er
Motivator

I couldn't attach an image here, so I posted a sample from the doc. Since the log collection is from different sources, it's routed to different indexes. The explanation is the same: they are different types of logs.
