Splunk Enterprise Security

Configuring the Splunk App for Enterprise Security on a new Search Head (attached to larger Indexer list), why can't I get the Threat Activity to load?

Explorer

I'm working to migrate ES to a new search head that has network visibility to indexers in multiple Business Units, and to more indexers. I am seeing my network traffic counts increase as I am now picking up the new architecture, but I can't get my 'new' Threat Activity dashboard to report anything.

I can see that the Threat Intelligence Downloads are operational and (as far as I've been told) both platforms should be equal, other than the additional feeds available to the new system.

I'm just not sure where to start when the only response is "no results found".

Splunk Employee

Are the files in /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups populated?
What is the result of the following command in search (from ES): | inputlookup threatintelbycidr
Is it the same ES version? Which one? Same OS?

Explorer

To answer your questions in order:

1) Yes, /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups is populating on both servers, old and new. Latest updates are from 6/28/15.

2) | inputlookup threatintelbycidr gives a list of ip_intel addresses on both systems.

3) Yes, it's the same ES version, 3.3.0. The "new" server is on RHEL (no feed) the "old" is Win2012 Server (working).

Splunk Employee

What is the status of the Threat_Intelligence data model (in the Data Model Audit)?
Is it accelerated? Is it complete? And what is the disk size?

Explorer

Yes, it is accelerated, 100% complete, and about 0.2 MB on disk (same on both systems).

Splunk Employee

Of course, other dashboards (like the traffic one) are populated, correct?

Explorer

Yes, Traffic Center IS populating.

There IS a difference here in that both systems are picking up "pan-traffic" from the client's Palo Alto firewalls, and on the new system I am working to get their Cisco ASA traffic tagged appropriately using the Splunk Add-on for Cisco ASA. (Again, different BUs working with different technology.)

I am not yet properly seeing the ASA traffic but I was/am assuming I should still be able to get the matches from the Palo Altos.

Splunk Employee

Did you try adding to the local threat list an IP that is used in one of your logs? I just want to be sure that some traffic IPs are matching the ones from the threat lists.

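The test suggested in the reply above (put an IP you know appears in your traffic into the local threat list and see whether a match shows up), worked through offline as an added example. This is not code from the original thread and not Splunk's or ES's own implementation; it only mimics, in plain Python, the kind of join the ES threat-match searches perform between traffic src/dest fields and a CIDR-keyed threat lookup like threatintelbycidr. The column names, the key=value log format, and all sample rows and events are constructed for illustration.

```python
"""Offline illustration of matching traffic IPs against a CIDR-keyed threat list.

Added example for the thread above; not Splunk's or ES's code. All threat-list
rows and log lines below are constructed, and the column names (ip,
threat_collection, threat_key) are an assumption shaped after the ES lookup,
not its exact schema.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed rows shaped like a CIDR-keyed threat list (assumed columns).
THREAT_LIST: List[Dict[str, str]] = [
    {"ip": "198.51.100.0/24", "threat_collection": "ip_intel", "threat_key": "example_feed"},
    {"ip": "203.0.113.7", "threat_collection": "ip_intel", "threat_key": "local_ip_intel"},
]

# Constructed, simplified key=value traffic events (not real pan-traffic or ASA output).
SAMPLE_LOGS: List[str] = [
    "ts=2015-06-29T10:00:01 sourcetype=pan:traffic src=10.1.2.3 dest=198.51.100.25 action=allow",
    "ts=2015-06-29T10:00:02 sourcetype=pan:traffic src=10.1.2.4 dest=192.0.2.10 action=allow",
    "ts=2015-06-29T10:00:03 sourcetype=pan:traffic src=203.0.113.7 dest=10.1.2.5 action=deny",
    "ts=2015-06-29T10:00:04 sourcetype=cisco:asa src=10.9.9.9 dest=8.8.8.8 action=allow",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Extract key=value pairs from one constructed log line."""
    return dict(_KV.findall(line))


def build_networks(threat_list):
    """Turn the lookup's ip column (bare IP or CIDR) into network objects.

    Bare IPs become /32 (or /128) networks. Malformed rows are skipped rather
    than aborting the whole match, so one bad feed entry does not blank the
    dashboard.
    """
    nets = []
    for row in threat_list:
        try:
            nets.append((ipaddress.ip_network(row["ip"], strict=False), row))
        except ValueError:
            continue
    return nets


def match_ip(ip_str: str, nets):
    """Return the threat rows whose network contains ip_str (empty if none)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return []
    return [row for net, row in nets if addr.version == net.version and addr in net]


def find_threat_activity(log_lines, threat_list):
    """Join each event's src and dest against the threat list; one hit per match."""
    nets = build_networks(threat_list)
    hits = []
    for line in log_lines:
        ev = parse_kv(line)
        for field in ("src", "dest"):
            ip = ev.get(field)
            if ip is None:
                continue
            for row in match_ip(ip, nets):
                hits.append({
                    "ts": ev.get("ts"), "field": field, "ip": ip,
                    "threat_match": row["ip"], "threat_key": row["threat_key"],
                })
    return hits


def add_local_threat(threat_list, ip: str, key: str = "local_ip_intel"):
    """The thread's suggested test: add an IP you know appears in traffic to the local list."""
    return threat_list + [{"ip": ip, "threat_collection": "ip_intel", "threat_key": key}]


if __name__ == "__main__":
    for hit in find_threat_activity(SAMPLE_LOGS, THREAT_LIST):
        print(hit)
    # An empty lookup (what the new search head in the thread appears to have)
    # yields no hits at all, which is exactly the "no results found" symptom.
    print("hits with empty threat list:", len(find_threat_activity(SAMPLE_LOGS, [])))
    # Adding a known-present IP to the local list makes a match appear.
    print("hits after local add:", len(find_threat_activity(SAMPLE_LOGS, add_local_threat([], "8.8.8.8"))))
```

The point of the last two lines is the diagnostic logic of the thread: with a populated list the sample traffic produces hits, with an empty list it produces none no matter how much traffic is indexed, and adding one IP that is present in your own events is the quickest way to tell the two cases apart.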

Explorer

I think I am getting closer to the issue. I followed your advice and as I attempt to find the IP addresses in localthreatlist, I'm seeing that "esslookup_lists" does not populate on the new server.

Essentially, the new deployment isn't reporting ANY lists and lookups. Is there a configuration piece that got missed?

Splunk Employee

Hmmm... how did you migrate ES to the new server? Did you copy the files or install a fresh copy of ES? And when (just a few hours ago, or several days ago)?
Do you have both ES instances running in parallel?
