
Are there any specific Splunk-ES application audit logs?

New Member

I need to create a dashboard of Splunk-ES application audit logs. Where would I find those logs?


SplunkTrust

New Member

No. I have a set of searches in Splunk Enterprise using the _audit and _internal logs. Now, I want to use the same searches using the Splunk-ES data. Any ideas?
TIA!

David L. Crooks


SplunkTrust

It’s the same data...

ES uses _audit and _internal, among other indexes, to monitor for configuration changes, privileged access, etc.

Still, the link I gave you is the "de facto" way of auditing the "ES" data and what is happening in ESS. You have dashboards that audit notable activity.

Did an analyst close notables related to the data they just exfiltrated? It’s in the notable audit dashboards if so.

Did someone fail to log in as admin on ESS search head? It will be in the access dashboards at the same link.

Perhaps you’d like to audit the threat intelligence activity, that’s there too...

What more auditing do you want? Can’t you just copy the searches you want from these existing audit dashboards?


New Member

Yes, that is the path I am on: copying the existing searches. I wanted to confirm I was using the right filters for the Splunk-ES _audit and _internal data. This is for the ISSO and not the SOC lead.

Thanks!
David L. Crooks


SplunkTrust

Ok cool, so did we solve the issue or do you want to share the filters you are currently using and let us verify for you?

By filters... do you mean index=blah?

I typically refer to those as fields in the data or searches, not filters.


New Member

Yeah, the common filter is for privileged user. So, it will be either splunk_admin or es_admin for the roles in the filter. Before I was just doing roles=*admin.

I am not sure if it is clear about who is a Splunk-ES user vs Splunk Enterprise user?


SplunkTrust

es_admin is supposed to be for the system only.

You import es_analyst instead to add es capabilities to a regular user.

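The two posts above raise a concrete audit question: a wildcard such as roles=*admin only looks at the roles directly assigned to a user, while Splunk roles can also inherit capabilities by importing other roles (es_analyst being the one ES users are meant to import). The following is an added example, not code from the thread or from Splunk, that models that difference in Python. It assumes role definitions shaped like the output of `| rest /services/authorization/roles` (a role name plus its `imported_roles`) and user records shaped like `| rest /services/authentication/users` (a user name plus its directly assigned `roles`); all role names beyond admin, user, power, es_admin, es_analyst and es_user, and all user names, are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed role table: role -> roles it imports (Splunk's imported_roles).
# splunk_admin, soc_tier2 and soc_lead are hypothetical local roles.
ROLES = {
    "admin": [],
    "user": [],
    "power": ["user"],
    "splunk_admin": ["admin"],           # hypothetical: a local admin role
    "es_admin": ["admin"],               # ES's own role, meant for the system
    "es_analyst": ["user"],              # the role ES users are meant to import
    "es_user": ["user"],
    "soc_tier2": ["es_analyst"],         # hypothetical: custom role importing es_analyst
    "soc_lead": ["admin", "es_analyst"], # hypothetical: custom role importing admin
}

# Constructed user table: user -> directly assigned roles.
USERS = {
    "david": ["splunk_admin"],
    "svc_es": ["es_admin"],
    "alice": ["es_analyst"],
    "bob": ["soc_tier2"],
    "carol": ["power"],
    "eve": ["soc_lead"],
}


def effective_roles(role, roles=ROLES):
    """Transitive closure of a role over imported_roles (cycle-safe)."""
    out, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in out:
            continue
        out.add(r)
        stack.extend(roles.get(r, []))
    return out


def user_effective_roles(user, users=USERS, roles=ROLES):
    """Every role a user holds, directly or through imports."""
    eff = set()
    for r in users.get(user, []):
        eff |= effective_roles(r, roles)
    return eff


def users_with_direct_role(pattern, users=USERS):
    """What a search filter like roles=*admin sees: directly assigned roles only."""
    return sorted(u for u, rs in users.items()
                  if any(fnmatchcase(r, pattern) for r in rs))


def users_with_effective_role(pattern, users=USERS, roles=ROLES):
    """Same wildcard, but applied after expanding role imports."""
    return sorted(u for u in users
                  if any(fnmatchcase(r, pattern)
                         for r in user_effective_roles(u, users, roles)))


if __name__ == "__main__":
    # Privileged users: the wildcard on direct roles misses eve, whose only
    # direct role is a custom role that imports admin.
    print("direct    *admin:", users_with_direct_role("*admin"))
    print("effective *admin:", users_with_effective_role("*admin"))
    # ES users vs. plain Enterprise users: bob only reaches es_analyst via import.
    print("direct    es_*:", users_with_direct_role("es_*"))
    print("effective es_*:", users_with_effective_role("es_*"))
```

In a real deployment the two tables would be pulled from the REST endpoints named above and the comparison run the same way; any user that appears only in the effective list is someone a direct roles=*admin or roles=es_* filter would leave out of the ISSO's privileged-access view.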

New Member

Yes, I got that. Thanks!


SplunkTrust

Should I convert my comments to an answer so you can accept as the answer or do you need additional input here?


New Member

Sure that works.


SplunkTrust

Pleasure working with you David!
