No. I have a set of searches in Splunk Enterprise using the _audit and _internal logs. Now, I want to use the same searches using the Splunk-ES data. Any ideas?
TIA!

David L. Crooks

It’s the same data...

ES uses _audit and _internal amount other indexes to monitor for configuration changes, priviledged access, etc.

Still the link I gave you is the “de facto” way of auditing the “ES” data and what is happening in ESS. You have dashboards that audit notable activity.

Did an analyst close notables related to the data they just exfiltrated? It’s in the notable audit dashboards if so.

Did someone fail to log in as admin on ESS search head? It will be in the access dashboards at the same link.

Perhaps you’d like to audit the threat intelligence activity, that’s there too...

What more auditing do you want? Can’t you just copy the searches you want from these existing audit dashboards?

Yes, that is the path I am on -copying the existing searches and wanted to confirm I was using the right filters for the Splunk-ES _audit and _internal data. This is for the ISSO and not the SOC lead.

Thanks!
David L. Crooks

Ok cool, so did we solve the issue or do you want to share the filters you are currently using and let us verify for you?

By filters... do you mean index=blah?

I typically refer to those as fields in the data or searches, not filters

Yeah, the common filter is for privileged user. So, it will be either splunk_admin or es_admin for the roles in the filter. Before I was just doing roles=*admin.

I am not sure if it is clear about who is a Splunk-ES user vs Splunk Enterprise user?

Es_admin is supposed to be for the system only.

You import es_analyst instead to add es capabilities to a regular user.

Yes, I got that. Thanks!

Should I convert my comments to an answer so you can accept as the answer or do you need additional input here?

Sure that works.

Pleasure working with you David!