
What are the indexes, epintel, epav, and appmsadmon for, in the Splunk Add-on for Microsoft Windows?

Builder

Hi folks,

When at customers I like to use the SPL Services TAs for Windows and Linux instead of the TAs found on Splunkbase, as the SPL Services applications offer more granularity in the inputs. The TA for Windows is named Splunk_TA_windows, and it mainly categorizes the inputs into the following indexes: oswin, oswinsec, oswinscript, oswinperf, and oswinreg. So far so good. However, there are some additional indexes that are used in the TA, namely epav, epintel, and appmsadmon. Can someone explain to me the purpose of these three indexes?

The SPL Services TA Splunk_TA_windows is found here: https://bitbucket.org/SPLServices/splunk_ta_windows/downloads/

Some more information on the inputs in the TA: https://www.rfaircloth.com/wp-content/uploads/2017/03/PT005-Microsoft-Windows.pdf


Builder

Got some clarifications from the author of the TA himself which I'll copy in below.

The Windows TA from Splunkbase is grandfathered. What it's doing is mashing together inputs into indexes in a way that breaks a few rules.

  • Search together stay together
  • Account for user communities (access control)
  • Account for retention times

The indexes laid down in "SecKit" work out a reasonable pattern for each of these considerations that is also acceptable for most customers' requirements.

  • epintel - "Could be 'sysmon', could be Carbon Black, could be Bit9. In this case 'intelligence' from the endpoint which can be very large and both have strict access control needs and short retention due to costs"
  • epav - "Could be Windows bit defender built into OS or SEP or McAfee etc."
  • oswin* - OS events Windows / Windows Application and System Events
  • oswinsec - "Security specific things you probably need to keep for longer periods"
  • oswinscript - "Splunk scripted inputs with short retention needs"
  • oswinperf - "Short retention and generally not restricted access" / Windows Performance Metrics
  • appmsad - Windows Active Directory Events
  • oswinreg - Windows Registry

I think ep stands for "endpoint" and av stands for "antivirus".

EDIT: More information is found here: https://splservices.atlassian.net/wiki/spaces/GD/pages/18911978/Splunk+Index

Motivator

The doc has the specifications like package name, inputs, etc.


Builder

Alright, so epintel is among other things used to store sysmon logs, but I still don't get the naming convention behind the indexes. Why isn't sysmon stored in any of the normal oswin indexes?

For example, the input "WinEventLog://Microsoft-Windows-Defender/Operational" stores logs in epav, which makes me think that epav is the index for security logs, but then again, that is what the oswinsec index is for, so what is the purpose of the epav index?


Contributor

I think the "ep" means "endpoint". The way I'm understanding it is that the "ep*" indexes are for services on the endpoint that could be from Windows, but are not necessarily from Windows itself. So you could have multiple threat intelligence components (sysmon, Bit9, etc.) on the endpoint feeding your epintel index, but these are not Windows Security logs. I believe the same can stand for "epav" -- these logs could come from a built-in Windows service like Defender, but you could also populate it with another source like SEP or McAfee (or all three if you hate yourself). Meaning you can have multiple sources outside of Windows reporting to these indexes, and they can be for the same overall task (av or intel). In our environment at least, these types of sources have much shorter retention periods, and I care less about the longevity of the data than I do, say, the OS Security Events like Login/Logoff/Membership changes, etc. So keeping the high-volume (and expensive) endpoint (ep) indexes separate from the more important events allows you to retain the security auditing events in Splunk for longer than you would normally want the endpoint logs.

Then, searching becomes a little easier as you can just specify "ep*" or "os*" for those types of logs without bringing in all OS logging in one search.
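To show how the three rules from the accepted answer (search together, separate access control, separate retention) fall out of the ep*/os* split, here is an added example configuration; it is mine, not the TA's or SecKit's own files, and the retention periods, role names and paths are assumptions. Only the Defender input stanza and index names come from the thread.

```ini
# indexes.conf (added example): one stanza per index so each index can carry
# its own retention window. Values below are assumed, not SecKit defaults.
# Splunk does not allow comments on the same line as a setting, so they sit above.
[oswinsec]
homePath   = $SPLUNK_DB/oswinsec/db
coldPath   = $SPLUNK_DB/oswinsec/colddb
thawedPath = $SPLUNK_DB/oswinsec/thaweddb
# 365 days: audit events (logon/logoff, group membership) kept the longest
frozenTimePeriodInSecs = 31536000

[epintel]
homePath   = $SPLUNK_DB/epintel/db
coldPath   = $SPLUNK_DB/epintel/colddb
thawedPath = $SPLUNK_DB/epintel/thaweddb
# 30 days: high-volume sysmon / EDR telemetry is expensive to keep
frozenTimePeriodInSecs = 2592000

[epav]
homePath   = $SPLUNK_DB/epav/db
coldPath   = $SPLUNK_DB/epav/colddb
thawedPath = $SPLUNK_DB/epav/thaweddb
# 90 days: AV detections from Defender, SEP, McAfee, whichever is deployed
frozenTimePeriodInSecs = 7776000

# authorize.conf (added example): a separate index is the unit of access control.
# Analysts see endpoint telemetry and security audit; sysadmins only OS/perf/script.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = oswin*;ep*
srchIndexesDefault = oswinsec

[role_sysadmin]
importRoles = user
srchIndexesAllowed = oswin;oswinperf;oswinscript
srchIndexesDefault = oswin

# inputs.conf: the Defender channel mentioned earlier in the thread routes to
# epav, not oswinsec, so AV events from any vendor land in one place.
[WinEventLog://Microsoft-Windows-Defender/Operational]
disabled = 0
index = epav
```

With this layout a search such as `index=ep*` pulls all endpoint telemetry across vendors, while `index=oswin*` stays limited to the OS event sources.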

Builder

Thanks! That was the same conclusion I got to after reading on the SPL services on Confluence. 🙂


Motivator

Utilized Indexes
• oswin
• oswinsec
• oswinscripts
• epav (SecKitBase)
• epintel (SecKitBase)
• netipam (SecKitBase)

The additional indexes are for the collection of various other log sources - read through section 3 (Index Guidance) for the details.

There are several TAs for log collection that would use the above-mentioned indexes:

  • Splunk_TA_windows
  • SA-ModularInput-PowerShell
  • Splunk_TA_windows_SecKit_0_all_inputs
  • Splunk_TA_windows_SecKit_1_all_inputs
  • Splunk_TA_windows_SecKit_2_dhcp_inputs
  • Splunk_TA_windows_SecKit_2_dcadmon_inputs
  • Splunk_TA_windows_SecKit_2_dcadmonsync_inputs


Builder

Thanks. I understand they are for other log sources, but I don't quite understand which log sources. What is the logic behind changing the naming convention from "oswin" to something completely different, and is there an explanation somewhere of the different indexes? More specifically, what kind of logs are the epav, epintel and appmsadmon indexes made for, as they are not a part of the standard "oswin" naming convention?


Motivator

I couldn't attach an image here, so I posted a sample from the doc. Since the log collection is from different sources, it's routed to different indexes - the explanation is the same, since they are different types of logs.
