Splunk Enterprise Security
Highlighted

Creating new notable events based on new inputs via Enterprise Security's correlation engine

Does anyone have any advice on how to use Splunk's pre-canned correlation searches within Enterprise Security and have events fire for incident review (notable event) based on new sourcetypes/data inputs? We have for example bit9 and bro logs coming into Splunk and I'd like to have some logic applied to these inputs for any anomalies, etc., so that analysts can look at this stuff while using the Enterprise Security app.

0 Karma
Highlighted

Re: Creating new notable events based on new inputs via Enterprise Security's correlation engine

Communicator

Hey Tyrone,

Logs that have sourcetype's applied, if their to be used with ES, would adhere to Splunk's CIM (Common Information Model).

As part of the CIM, tags will be added to the logs, that direct which part of ES (datamodels really) the logs apply to (eg, Endpoint, Network, etc..)

In theory, you can keep adding new sources of data, as long as your using CIM-compliant app's or TA's, ES should be making use of the data (if it's security relevant data that is..)

You can alway adjust the configs yourself, or even write your own TA or app, so ES processes the data as you prefer.

Or you could simply write your own correlation-searches, to process pre-CIM'ed data the way you want.

Hope it helps..

Cheers.

Highlighted

Re: Creating new notable events based on new inputs via Enterprise Security's correlation engine

Thanks for the assist- really helpful. Any ideas on how to adjust the configs of these respective apps? Does the manipulation occur within ES, the app itself, or does it just depend on what you are trying to do?

Thanks in advance.

0 Karma
Highlighted

Re: Creating new notable events based on new inputs via Enterprise Security's correlation engine

Communicator

No problem. Think of CIMing as preparing the data for ES to process correctly, then you can use either the built-in, or write your own correlation-searches, to apply the security logic you want.

CIMing is done in the app or TA. When you look for apps on Splunkbase (eg for Bro, Bit9, etc) look on the right column, and it'll list if it's CIM-compliant (and usually a CIM version, eg 4.7, etc..)

If it's not CIM compliant it wont work out of the box with ES until it's CIMed. Of course, it'll work with vanilla Splunk, but ES expects CIM'ed data.

Then to change your security logic, you can create your own correlation-searches to look for different security threats, or adjust the supplied ones. Remember, correlation-searches are just searches at heart.

Also you can adjust the workflow also in ES to suit your runbooks.

Some useful links..

http://docs.splunk.com/Documentation/CIM/4.7.0/User/UsetheCIMtonormalizedataatsearchtime

http://docs.splunk.com/Documentation/ES/4.6.0/Tutorials/CorrelationSearch

Cheers.

0 Karma