Hi folks,
When at customers I like to use the SPL Services TAs for Windows and Linux instead of using the TAs found on Splunkbase, as the SPL Services applications offer more granularity in the inputs. The TA for Windows is named Splunk_TA_windows, and is mainly categorizing the inputs into the following indexes; oswin, oswinsec, oswinscript, oswinperf, and oswinreg. So far so good. However, there are some additional indexes that are used in the TA, namely epav, epintel, and appmsadmon. Can someone explain to me the purpose of these three indexes?
The SPL Services TA Splunk_TA_windows is found here: https://bitbucket.org/SPLServices/splunk_ta_windows/downloads/
Some more information on the inputs in the TA: https://www.rfaircloth.com/wp-content/uploads/2017/03/PT005-Microsoft-Windows.pdf
Got some clarifications from the author of the TA himself which I'll copy in below.
The Windows TA from Splunk base is grandfathered. What it's doing is mashing together inputs into indexes in a way that breaks a few rules.
The indexes laid down in "SecKit" work out a reasonable pattern for each of these considerations that is also acceptable for most customers requirements.
I think ep stands for "endpoint" and av stands for "anti virus".
EDIT: More information is found here: https://splservices.atlassian.net/wiki/spaces/GD/pages/18911978/Splunk+Index
Alright, so epintel is among other thing used to store sysmon logs, but I still don't get the naming convention behind the indexes. Why isn't sysmon stored in any of the normal oswin-indexes?
For example, the input "WinEventLog://Microsoft-Windows-Defender/Operational" stores logs in epav, which makes me think that epav is the index for security logs, but then again, that is what the oswinsec index is for, so what is the purpose of the epav index?
I think the "ep" means "endpoint". The way I'm understanding it is that the "ep*" indexes are for services on the endpoint that could be from Windows, but are not necessarily from Windows itself. So you could have multiple threat intelligence components (sysmon, Bit9, etc) on the endpoint feeding your epintel index, but these are not Windows Security logs. I believe the same can stand for "epav" -- these logs could come from a built-in Windows Service like Defender, but you could also populate it with another source like SEP or McAfee (or all three if you hate yourself). Meaning you can have multiple sources outside of Windows reporting to these indexes, and they can be for the same overall task (av or intel). In our environment at least, these types of sources have much shorter retention periods, and I care less about the longevity of the data than I do say the OS Security Events like Login/Logoff/Membership changes, etc. So keeping the high-volume (and expensive) endpoint (ep) indexes separate from the more important events allows you to retain the security auditing events in Splunk for longer than you would normally want the endpoint logs.
Then, searching becomes a little easier as you can just specify "ep*" or "os*" for those types of logs without bringing in all OS logging in one search.
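As an added illustration (not from this thread and not the SecKit TA's own configuration), the split described above can be expressed in two Splunk configuration files: inputs.conf routes the Security channel to oswinsec and the Defender and Sysmon channels to the ep* indexes, and indexes.conf gives the ep* indexes a shorter frozenTimePeriodInSecs than the security auditing index. The channel-to-index mapping follows the thread; the retention periods, size limits and bucket paths are assumed values chosen for the example.

```ini
# inputs.conf (example values, not the TA's shipped file)

# OS security auditing: logon/logoff, group membership changes, etc.
[WinEventLog://Security]
disabled = 0
renderXml = true
index = oswinsec

# Built-in anti-virus on the endpoint -> epav
[WinEventLog://Microsoft-Windows-Defender/Operational]
disabled = 0
renderXml = true
index = epav

# Endpoint telemetry (Sysmon) -> epintel
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = epintel

# indexes.conf (example values: retention and size limits are assumptions)

# Security auditing is kept for one year and allowed more disk.
[oswinsec]
homePath   = $SPLUNK_DB/oswinsec/db
coldPath   = $SPLUNK_DB/oswinsec/colddb
thawedPath = $SPLUNK_DB/oswinsec/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 500000

# High-volume endpoint data is rolled to frozen after 30 days.
[epav]
homePath   = $SPLUNK_DB/epav/db
coldPath   = $SPLUNK_DB/epav/colddb
thawedPath = $SPLUNK_DB/epav/thaweddb
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB = 100000

[epintel]
homePath   = $SPLUNK_DB/epintel/db
coldPath   = $SPLUNK_DB/epintel/colddb
thawedPath = $SPLUNK_DB/epintel/thaweddb
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB = 200000
```

With this layout a search scoped with `index=ep*` returns only the endpoint telemetry (Defender, Sysmon, and any third-party AV or EDR source later routed to the same indexes), while `index=oswin*` returns only the operating-system logs; the retention of the auditing data in oswinsec is independent of how much endpoint volume the ep* indexes take on.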
Thanks! That was the same conclusion I got to after reading on the SPL services on Confluence. 🙂
Utilized Indexes
• oswin
• oswinsec
• oswinscripts
• epav (SecKitBase)
• epintel (SecKitBase)
• netipam (SecKitBase)
The additional indexes are for the collection of various other log sources - read through section 3 (Index Guidance) for the details.
There are several TAs for log collection that would use the above mentioned indexes:
• Splunk_TA_windows
• SA-ModularInput-PowerShell
• Splunk_TA_windows_SecKit_0_all_inputs
• Splunk_TA_windows_SecKit_1_all_inputs
• Splunk_TA_windows_SecKit_2_dhcp_inputs
• Splunk_TA_windows_SecKit_2_dcadmon_inputs
• Splunk_TA_windows_SecKit_2_dcadmonsync_inputs
Thanks. I understand they are for other log sources, but I don't quite understand which log sources. What is the logic behind changing the naming convention from "oswin" to something completely different, and is there an explanation somewhere of the different indexes? More specifically, what kind of logs is the epav, the epintel and the appmsadmon indexes made for as they are not a part of the standard "oswin" naming convention?
I couldn't attach an image here, so I posted a sample from the doc. Since the log collection is from different sources, it's routed to different indexes - the explanation is the same, since they are different types of logs.