Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Security Essentials integration with Forcepoint app.

vaveryanov
Loves-to-Learn Lots
‎01-10-2022 02:58 AM

Hello,

I've been trying to get data in SSE, but somehow I can't. The setup is the following - Installed Splunk Enterprise, Universal Forwarder, Forecpoint app, Syslog-ng(for receiving the logs, which i monitor with the UF) and Splunk Security Essentials.

I've tried different things with the demo data but when I'm trying to do anything with the live data i hit the wall.  I've tried to follow https://docs.splunk.com/Documentation/SSE/3.4.0/Install/ConfigureSSE these instructions, but they seem unclear and somehow inaccurate(For example in the chapter for getting data in - Configure the products you have in your environment with the Data Inventory dashboard. When I browse in the web interface there is no option to "2.b.Click Manually Configure to manually enter your data.") .

 

The first thing I've noticed was that this error for the ES Integration was thrown, for which i didn't find any information.

image.png

When I open any use cases and for example "Basic Scanning", the sourcetype and index for forcepoint (index="forcepoint", sourcetype="next-generation-firewall") are missing by default. Are there any ways to add it automatically for all the use cases?test123.png

 

I've already have logs monitored by the indexer forwarded by the Forcepoint which are displayed in the Splunk Search and Reporting and Forcepoint App.test124.png

 

Even if i change the index and sourcetype in the enter a search field I still get these results. Can you give me any info on the tags, like what are they and what are they used for?

image.png

 

Any guides or tips will be highly appreciated, thanks!

Labels (4)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2022 06:09 AM

Any time you find a Splunk document to be lacking, submit feedback on that docs page.  The Documentation team is great about updating docs in response to user feedback.

The message in the first screenshot indicates you do not have Splunk Enterprise Security installed.  To resolve it, buy and install ES.

The use cases in SSE are built using somewhat generic SPL, but should always be examined and updated before deploying it in a real environment.  For example, many use cases use "index=*", which should never be allowed in a Production system.  Also, some examples use products you may not have so you'll need to modify those examples to use data from your products.

The tags shown in the last screenshot come with the Splunk Common Information Model (CIM) app, IIRC.

IMO, the Splunk Security Essentials app should not be used as a SOC tool, but as a way to learn what you can do with Splunk to solve SOC use cases.  Use SSE to see what is possible using your data and what data you need to solve other use cases, but take those examples and implement them in your own app.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...