Splunk Enterprise Security

Can you help me input Cisco AMP events to Splunk Enterprise Security?

PanIrosha
Path Finder

Hi,

I have installed Cisco AMP app on our indexer and i can see AMP events coming in. But, I can't see any malware information in the Splunk Enterprise Security (Security Domains > Endpoint Protection > Malware Center). ESS is installed on the search head and AMP index can be accessible from search head.

is there anything else to be configured in the search head in order to see information in the malware center?

Thank you in advance.

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

First check if the add-on is being imported by ES:
http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Then, check if the add-on contains data that is mapped to the CIM data models used to populate that dashboard panel. Check to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
And then check the data model to see if it has data:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

First check if the add-on is being imported by ES:
http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps
Then, check if the add-on contains data that is mapped to the CIM data models used to populate that dashboard panel. Check to see which parts of the data model need to have data in them to appear on that dashboard panel:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
And then check the data model to see if it has data:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...

smoir_splunk
Splunk Employee
Splunk Employee

Is the app being imported by Splunk Enterprise Security? http://docs.splunk.com/Documentation/ES/5.2.0/Install/ImportCustomApps

0 Karma

PanIrosha
Path Finder

hi smoir,

i have managed to get the data to splunk enterprise security after go though all the links. thank you very much for your help

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Awesome! I summarized my comments for you as an answer 🙂

0 Karma

PanIrosha
Path Finder

Hi Smoir,

Thank you for replying.

no its not. the app is not using "TA-" naming convention when i uploaded to the search head. its using "amp4e_events_input" as its folder name in $SPLUNKHOME\etc\apps

i will follow this document and import the app as instructed. i will keep you posted.

0 Karma

PanIrosha
Path Finder

Hi Smoir

I have imported the cisco amp app to ES but still i cant see any data.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Does the add-on contain data that is mapped to the CIM data models used to populate that dashboard panel? You can check here:
http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Dashboardrequirements
to see which parts of the data model need to have data in them to appear on that dashboard panel
and also here:
http://docs.splunk.com/Documentation/CIM/4.12.0/User/UsetheCIMtonormalizedataatsearchtime#6._Validat...
to learn more about how to check the data model

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...