Are there any specific Splunk-ES application audit logs?

dcrooks_cbp
New Member

I need to create a dashboard of Splunk-ES application audit logs? Where would I find those logs?


jkat54
SplunkTrust

dcrooks_cbp
New Member

No. I have a set of searches in Splunk Enterprise using the _audit and _internal logs. Now, I want to use the same searches using the Splunk-ES data. Any ideas?
TIA!

David L. Crooks


jkat54
SplunkTrust

It’s the same data...

ES uses _audit and _internal, among other indexes, to monitor for configuration changes, privileged access, etc.

Still, the link I gave you is the “de facto” way of auditing the “ES” data and what is happening in ESS. You have dashboards that audit notable activity.

Did an analyst close notables related to the data they just exfiltrated? It’s in the notable audit dashboards if so.

Did someone fail to log in as admin on ESS search head? It will be in the access dashboards at the same link.

Perhaps you’d like to audit the threat intelligence activity, that’s there too...

What more auditing do you want? Can’t you just copy the searches you want from these existing audit dashboards?


dcrooks_cbp
New Member

Yes, that is the path I am on (copying the existing searches), and I wanted to confirm I was using the right filters for the Splunk-ES _audit and _internal data. This is for the ISSO and not the SOC lead.

Thanks!
David L. Crooks


jkat54
SplunkTrust

Ok cool, so did we solve the issue or do you want to share the filters you are currently using and let us verify for you?

By filters... do you mean index=blah?

I typically refer to those as fields in the data or searches, not filters.


dcrooks_cbp
New Member

Yeah, the common filter is for privileged users. So, it will be either splunk_admin or es_admin for the roles in the filter. Before, I was just doing roles=*admin.

I am not sure whether it is clear who is a Splunk-ES user vs. a Splunk Enterprise user.


jkat54
SplunkTrust

es_admin is supposed to be for the system only.

You import es_analyst instead to add es capabilities to a regular user.

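An added check for the role filter discussed in this thread (example code, not from the thread or from Splunk): it parses constructed _audit-style lines, compares the original roles=*admin wildcard against the explicit splunk_admin/es_admin list, flags es_admin appearing on an ordinary account, and lists failed logins by privileged accounts. The Audit:[key=value, ...] layout, the roles field on login events, the service-account list and every sample value are assumptions made for this example.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the Audit:[key=value, ...] layout of Splunk's
# _audit index. The layout is an approximation and every value is made up.
SAMPLE_AUDIT = """\
Audit:[timestamp=01-02-2024 10:00:01.000, user=dcrooks, action=search, info=granted, roles='splunk_admin|user', search='search index=notable']
Audit:[timestamp=01-02-2024 10:00:05.000, user=svc_es, action=search, info=granted, roles='es_admin', search='| inputlookup threat_intel']
Audit:[timestamp=01-02-2024 10:01:00.000, user=bsmith, action=search, info=granted, roles='es_analyst|user', search='search index=notable']
Audit:[timestamp=01-02-2024 10:02:00.000, user=jdoe, action=search, info=granted, roles='db_admin', search='search index=main']
Audit:[timestamp=01-02-2024 10:03:00.000, user=mallory, action=login_attempt, info=failed, roles='es_admin|user']
"""

PRIV_ROLES = {"splunk_admin", "es_admin"}   # the explicit list named in the thread
SERVICE_ACCOUNTS = {"svc_es"}               # assumed: the only accounts allowed to hold es_admin

_KV = re.compile(r"(\w+)=('[^']*'|[^,\]]+)")  # key=value, value optionally single-quoted

def parse_audit_line(line):
    """Parse one Audit:[...] line into a dict; 'roles' becomes a set of role names."""
    body = line[line.index("[") + 1:line.rindex("]")]
    ev = {k: v.strip("'") for k, v in _KV.findall(body)}
    ev["roles"] = set(ev.get("roles", "").split("|")) - {""}
    return ev

def parse_all(text):
    return [parse_audit_line(l) for l in text.splitlines() if l.startswith("Audit:[")]

def wildcard_priv(events, pattern="*admin"):
    """The thread's first filter (roles=*admin): any role ending in 'admin',
    which also catches unrelated roles such as the constructed db_admin."""
    return [e["user"] for e in events if any(fnmatchcase(r, pattern) for r in e["roles"])]

def explicit_priv(events, roles=PRIV_ROLES):
    """The tighter filter: only the named Splunk/ES privileged roles."""
    return [e["user"] for e in events if e["roles"] & roles]

def es_admin_on_human(events, allowed=SERVICE_ACCOUNTS):
    """es_admin is meant for the system; any other account holding it is a finding."""
    return [e["user"] for e in events if "es_admin" in e["roles"] and e["user"] not in allowed]

def failed_priv_logins(events, roles=PRIV_ROLES):
    """Failed login attempts by privileged accounts (the failed-admin-login dashboard case)."""
    return [e["user"] for e in events
            if e["action"] == "login_attempt" and e["info"] == "failed" and e["roles"] & roles]

if __name__ == "__main__":
    evs = parse_all(SAMPLE_AUDIT)
    print("roles=*admin       :", wildcard_priv(evs))
    print("explicit roles     :", explicit_priv(evs))
    print("es_admin on human  :", es_admin_on_human(evs))
    print("failed priv logins :", failed_priv_logins(evs))
```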

dcrooks_cbp
New Member

Yes, I got that. Thanks!


jkat54
SplunkTrust

Should I convert my comments to an answer so you can accept as the answer or do you need additional input here?


dcrooks_cbp
New Member

Sure that works.


jkat54
SplunkTrust

Pleasure working with you David!
