Dashboards & Visualizations

Obtain & Visualize Windows/*Nix Network/Auth Logs

elaborateGecko
Explorer

Hello, 

Thank you for taking the time to read/consider my question, it's very much appreciated. 

I'm revamping a legacy Splunk deployment for a mid-size company that I work for and have recently deployed IT essentials work to monitor the health of both Windows and *nix hosts in our environment, this app has many wonderful features and visualizations, even though some/most are locked behind the ITSI paywall. 

What I'm wondering (mainly from a security perspective), is if there's equivalent apps that Splunk (or third parties, or even individuals) have developed to visualize network & authentication data that is collected from Windows and Unix endpoints. I know network bandwidth is included within the ITE suite, which is terrific, but doesn't help me identify which processes are linked to remote network connections, or track lateral movement across the network. 

Do people usually just develop apps internally that take care of this? If that's the case than that's totally fine and I completely understand admins not wanting to share that outside of their own organization, but I can't help but feel that I'm not the only one in this boat, and there must be others with this conundrum as well. As far as I know this is something that used to be dealt with rather well by the purpose built apps by Splunk for Windows and *nix systems, but now that these are going to be deprecated this year I'd like a long-term solution to this problem. 

If these types of visualizations are typically reserved for EDR/EPP apps like Crowdstrike, Cylance, S1, Sophos, etc. I also get that, but I'm not actually sure if these apps all have dashboards that would allow you to filter by host, user, process, etc to identify suspicious remote network connections, or authentication attempts across a wide swath of monitored systems. 

Again, I'd like to reiterate my appreciation for you taking the time to consider my question. I'm sure there's a simple solution to this that I just have not thought of or stumbled across in my research, but rather than waste another week or two trying to find what everyone else is doing for this I figured I'd just ask the experts myself. 

Thanks again!

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @elaborateGecko,

for security Use Cases (as the ITSI) there a very featured Premium App called Enterprise Security that has all the Security Use Cases you could need but its a payment App.

If you don't want a Premium App, you could use one (or more) of the security Apps that you can find in apps.splunk.com, e.g.

https://splunkbase.splunk.com/app/3435/

https://splunkbase.splunk.com/app/4240/

https://splunkbase.splunk.com/app/4335/

and many others.

These Apps contain many Security Use Cases and other feature, e.g. to understand if a Use Case is applicable to your data.

In addition, there are many apps, usually created by technology vendors (as FireEye, Crowdstrike, etc...) that permits to display and search in Splunk data from those technologies.

My hint is to take a tour in apps.splunk.conf searching for the Apps to solve your needs.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @elaborateGecko,

for security Use Cases (as the ITSI) there a very featured Premium App called Enterprise Security that has all the Security Use Cases you could need but its a payment App.

If you don't want a Premium App, you could use one (or more) of the security Apps that you can find in apps.splunk.com, e.g.

https://splunkbase.splunk.com/app/3435/

https://splunkbase.splunk.com/app/4240/

https://splunkbase.splunk.com/app/4335/

and many others.

These Apps contain many Security Use Cases and other feature, e.g. to understand if a Use Case is applicable to your data.

In addition, there are many apps, usually created by technology vendors (as FireEye, Crowdstrike, etc...) that permits to display and search in Splunk data from those technologies.

My hint is to take a tour in apps.splunk.conf searching for the Apps to solve your needs.

Ciao.

Giuseppe

elaborateGecko
Explorer

Giuseppe, 

Thank you for your thorough response, my understanding of ES was that it mainly has features such as risk-based alerting, adaptive response, etc. 

If they also have features for built in dashboards for Windows/Unix network connections and authentication, I will certainly look into obtaining that license in the future. 

Thanks for providing some links to free apps as well, I will look into those this afternoon. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @elaborateGecko,

good for you, tell me if I can still help you, otherwise, for the other people of Community, please accept the answer.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...