Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Arcsight 2 Splunk Transition

SamHTexas
Builder
‎01-04-2021 09:39 AM

Looking for new resources to transition from ArcSight to Splunk please. The resources found on Micro Focus site are very old. Links & docs are much appreciated. If you have done this before any Do's & Don't are welcomed. Thank u

Labels (1)
Labels
0 Karma
Reply

SamHTexas
Builder
‎01-04-2021 06:08 PM

I appreciate your response & Thank you for your time. I have a couple of questions 

What role does the Splunk Ent. Security app has with such transition?

Would you elaborate on mapping Arcsight rules to Splunk searches a bit & where such instructions are found.

Thanks again

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2021 07:15 AM

Splunk Enterprise Security is Splunk's SIEM product.  It is the replacement for ArcSight.

I'm not aware of any instructions for mapping ArcSight rules to Splunk searches.  It's probably a tedious manual process of looking at each ArcSight rule and then looking at each Splunk search to see which is a good match.  If a match is not found then write an equivalent Splunk search.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2021 10:32 AM

Splunk has an entire Professional Services practice for this so it's not something that is easily summarized in a forum posting.  That's also why documentation is hard to come by.

You'll want the Splunk Enterprise Security app.  It's a premium product (extra cost), but is what Splunk offers as a SIEM.  Replacing ArcSight with core Splunk is likely to lead to disappointing results.

The first step in the transition is to install Splunk and start sending your data to it.  You should be able to send the data to both ArcSight and Splunk simultaneously.

Next, you'll need to map your ArcSight rules to Splunk searches.  Run the searches and compare the results to those reached by ArcSight.  Adjust the searches until you get the desired results.

Use ArcSight and Splunk side-by-side for a while to confirm Splunk is acting as expected.  Once you're confident in it, shut down ArcSight.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...