It’s the same data...
ES uses _audit and _internal, among other indexes, to monitor for configuration changes, privileged access, etc.
Still the link I gave you is the “de facto” way of auditing the “ES” data and what is happening in ESS. You have dashboards that audit notable activity.
Did an analyst close notables related to the data they just exfiltrated? It’s in the notable audit dashboards if so.
Did someone fail to log in as admin on ESS search head? It will be in the access dashboards at the same link.
Perhaps you’d like to audit the threat intelligence activity, that’s there too...
What more auditing do you want? Can’t you just copy the searches you want from these existing audit dashboards?
Yes, that is the path I am on, copying the existing searches, and I wanted to confirm I was using the right filters for the Splunk-ES _audit and _internal data. This is for the ISSO and not the SOC lead.
David L. Crooks
Ok cool, so did we solve the issue or do you want to share the filters you are currently using and let us verify for you?
By filters... do you mean index=blah?
I typically refer to those as fields in the data or searches, not filters.
Yeah, the common filter is for privileged user. So, it will be either splunk_admin or es_admin for the roles in the filter. Before I was just doing roles=*admin.
I am not sure if it is clear who is a Splunk-ES user vs. a Splunk Enterprise user.
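The difference between the two role filters discussed above (the wildcard `roles=*admin` versus naming `splunk_admin` and `es_admin` explicitly), shown as an added Python example that is not part of this thread and not Splunk's own code. The sample lines are constructed for the example and only approximate the key=value layout of Splunk _audit search events; the role names `es_analyst` and `app_admin` are made up to show what each filter does and does not catch. The code treats the `roles` value as a list of roles and tests each one; whether Splunk's own `roles=*admin` matches a multi-role value the same way should be checked against the real events before relying on it.

```python
import fnmatch
import re

# Constructed sample events in the style of Splunk _audit search-audit lines.
# The field layout is approximated for the example; these are NOT real log lines.
# splunk_admin and es_admin are the roles named in the thread; es_analyst and
# app_admin are made-up role names used only to show filter behaviour.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-02-2024 10:00:01.000, user=alice, action=search, info=granted, roles='admin', search='search index=notable']",
    "Audit:[timestamp=01-02-2024 10:00:02.000, user=bob, action=search, info=granted, roles='es_admin,user', search='search index=_audit']",
    "Audit:[timestamp=01-02-2024 10:00:03.000, user=carol, action=search, info=granted, roles='splunk_admin', search='| rest /services/authentication/users']",
    "Audit:[timestamp=01-02-2024 10:00:04.000, user=dave, action=search, info=granted, roles='es_analyst', search='search index=notable']",
    "Audit:[timestamp=01-02-2024 10:00:05.000, user=erin, action=search, info=granted, roles='app_admin,user', search='search index=main']",
]

# key=value pairs: the value is 'single-quoted', "double-quoted", or bare up to the next comma.
_KV = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]]*)")


def parse_audit_line(line):
    """Extract the key=value pairs inside Audit:[...] into a dict (quotes stripped)."""
    body = line[line.index("[") + 1 : line.rindex("]")]
    event = {}
    for key, raw in _KV.findall(body):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        event[key] = val
    return event


def roles_of(event):
    """The roles field as a set; the sample stores several roles comma-separated."""
    return {r.strip() for r in event.get("roles", "").split(",") if r.strip()}


def matches_glob(event, pattern):
    """Emulates the roles=*admin style filter: any role matching the wildcard."""
    return any(fnmatch.fnmatchcase(r, pattern) for r in roles_of(event))


def matches_exact(event, allowed):
    """Emulates naming the privileged roles explicitly: any role in the allowed set."""
    return bool(roles_of(event) & set(allowed))


def users_by_glob(lines, pattern="*admin"):
    """Distinct users whose searches were run with a role matching the wildcard."""
    return sorted({ev["user"] for ev in map(parse_audit_line, lines) if matches_glob(ev, pattern)})


def users_by_roles(lines, allowed=("splunk_admin", "es_admin")):
    """Distinct users whose searches were run with one of the named privileged roles."""
    return sorted({ev["user"] for ev in map(parse_audit_line, lines) if matches_exact(ev, allowed)})


if __name__ == "__main__":
    # The wildcard also picks up the built-in admin role and the made-up app_admin;
    # the explicit list returns only the two roles named in the thread.
    print("roles=*admin       ->", users_by_glob(SAMPLE_AUDIT))
    print("explicit role list ->", users_by_roles(SAMPLE_AUDIT))
```

Running it shows the wildcard returning alice, bob, carol and erin while the explicit list returns only bob and carol, which is the practical difference between the two filters when a non-ES role that happens to end in "admin" exists on the search head.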