Getting Data In

Splunk Security Essentials integration with Forcepoint app.

vaveryanov
Loves-to-Learn Lots

Hello,

I've been trying to get data in SSE, but somehow I can't. The setup is the following - Installed Splunk Enterprise, Universal Forwarder, Forecpoint app, Syslog-ng(for receiving the logs, which i monitor with the UF) and Splunk Security Essentials.

I've tried different things with the demo data but when I'm trying to do anything with the live data i hit the wall.  I've tried to follow https://docs.splunk.com/Documentation/SSE/3.4.0/Install/ConfigureSSE these instructions, but they seem unclear and somehow inaccurate(For example in the chapter for getting data in - Configure the products you have in your environment with the Data Inventory dashboard. When I browse in the web interface there is no option to "2.b.Click Manually Configure to manually enter your data.") .

 

The first thing I've noticed was that this error for the ES Integration was thrown, for which i didn't find any information.

image.png

When I open any use cases and for example "Basic Scanning", the sourcetype and index for forcepoint (index="forcepoint", sourcetype="next-generation-firewall") are missing by default. Are there any ways to add it automatically for all the use cases?test123.png

 

I've already have logs monitored by the indexer forwarded by the Forcepoint which are displayed in the Splunk Search and Reporting and Forcepoint App.test124.png

 

Even if i change the index and sourcetype in the enter a search field I still get these results. Can you give me any info on the tags, like what are they and what are they used for?

image.png

 

Any guides or tips will be highly appreciated, thanks!

Labels (4)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Any time you find a Splunk document to be lacking, submit feedback on that docs page.  The Documentation team is great about updating docs in response to user feedback.

The message in the first screenshot indicates you do not have Splunk Enterprise Security installed.  To resolve it, buy and install ES.

The use cases in SSE are built using somewhat generic SPL, but should always be examined and updated before deploying it in a real environment.  For example, many use cases use "index=*", which should never be allowed in a Production system.  Also, some examples use products you may not have so you'll need to modify those examples to use data from your products.

The tags shown in the last screenshot come with the Splunk Common Information Model (CIM) app, IIRC.

IMO, the Splunk Security Essentials app should not be used as a SOC tool, but as a way to learn what you can do with Splunk to solve SOC use cases.  Use SSE to see what is possible using your data and what data you need to solve other use cases, but take those examples and implement them in your own app.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...