Hi to all. I'm working at a startup company providing security solutions.
I started research on how to integrate with Splunk, Splunk ES.
For now, we chose to use the HEC method for delivering the data into Splunk Cloud.
I wanted to ask some questions.
I understand this is the flow of actions -
I'll be happy if someone will be able to elaborate more about each topic and tell me if something is missing.
I supposed, in my previous answer, that the use of HEC is mandatory, but I suggest checking whether you can use Universal Forwarders, which are more efficient and secure.
Anyway, you have to use Add-Ons to parse data.
Usually Add-Ons are installed from Splunkbase, so you won't have any compliance problem; if instead you use custom Add-Ons, they will be checked by Splunk.
About integration with ES, the steps are the ones I described in my previous answer:
Hi @GuyCo ,
No, parsing is done by the Add-Ons; in fact, ES installation best practices suggest completing data ingestion, using Add-Ons, before installing ES.
ES is the SIEM, but data ingestion and normalization are done by the Add-Ons.
The only normalization done by ES is loading data into Data Models, and that relies on the normalization done in the Add-Ons.
In other words, if you don't parse and normalize correctly, ES cannot read your data, cannot load it into Data Models, and cannot use it in Correlation Searches.
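A sender-side illustration of the point made in both replies above (the Add-On, not ES, does the parsing, so every event pushed through HEC must carry the sourcetype that Add-On expects, with the index set in the HEC envelope rather than inside the record). This is an added example, not code from the thread or from Splunk; the sensor records, sourcetype, index, host, source name and token are constructed placeholders.

```python
import json
import time
from typing import Iterable, Optional

# Constructed sample records from a hypothetical security sensor (not from the thread).
SAMPLE_EVENTS = [
    {"ts": 1700000000, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "action": "blocked"},
    {"ts": 1700000001, "src_ip": "10.0.0.6", "dest_ip": "10.0.0.9", "action": "allowed"},
]


def build_hec_batch(events: Iterable[dict], sourcetype: str, index: str, host: str) -> str:
    """Wrap each raw record in a HEC envelope and join them into one batch body.

    HEC accepts several JSON objects concatenated in one POST to the
    /services/collector/event endpoint. Parsing in Splunk is keyed on the
    sourcetype, so it must be the one the Add-On defines; the raw record goes
    untouched under "event", and the target index lives in the envelope.
    """
    envelopes = []
    for ev in events:
        envelopes.append(json.dumps({
            "time": ev.get("ts", time.time()),
            "host": host,
            "source": "hec:acme_sensor",   # hypothetical source name
            "sourcetype": sourcetype,     # must match the Add-On's sourcetype
            "index": index,
            "event": ev,
        }, sort_keys=True))
    return "\n".join(envelopes)


def hec_headers(token: str) -> dict:
    # HEC authenticates with "Authorization: Splunk <token>"; the token is a placeholder
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def hec_error(response_body: str) -> Optional[str]:
    """Return None if HEC accepted the batch, otherwise the rejection text.

    HEC answers with JSON such as {"text":"Success","code":0}; any non-zero
    code (bad token, unknown index, malformed envelope, ...) means nothing was indexed.
    """
    reply = json.loads(response_body)
    return None if reply.get("code") == 0 else reply.get("text", "unknown HEC error")


def parse_hec_batch(body: str) -> list:
    # Inverse of build_hec_batch, used to self-check a batch before sending it.
    return [json.loads(line) for line in body.splitlines() if line.strip()]
```

POST the batch body with these headers to the HEC event endpoint of your Splunk Cloud stack and pass the response body to hec_error; a rejected batch is silently lost unless you check the code.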