Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Datasets and ideas for Splunk Enterprise Security

badr_boukari
Explorer
‎11-26-2020 12:28 PM

Hello the team,

I am currently preparing a Splunk Lab for my office, and I need the datasets specially for Splunk Enterprise Security.

I am trying to deploy a Splunk Entreprise Security (ES) environment in our Lab but we have a lack of data (Events, Notable Events, …)

 

Can u propose to me some datasets to aliment ES ? Otherwise, what u can propose as suggestions to deploy Splunk Enterprise Security in our Splunk Lab.

 

Thanks in advance for your help.

Have a nice day.

Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-26-2020 01:04 PM

ahh, the splunk ES datasets are sooo complex. 

but, i would suggest you to register for a Splunk ES Sandbox

https://www.splunk.com/page/sign_up/en_us/getsplunk/es_sandbox

 

and then, try to replicate/create,  as many as possible to you, on your lab. all the very best for your ES Lab Setup(i wish i had one for me too)

 

Best Regards,

Sekar

PS - your karma points will be my 2 cents!

Reply

badr_boukari
Explorer
‎11-30-2020 06:09 AM

Hello, 

Thank you so much for your response. 

The link https://www.splunk.com/page/sign_up/en_us/getsplunk/es_sandbox doesn't work for me! 

i already have a splunk account, when i tryed to log-on, i was redirected to splunk.com 

 

Can you please connect to your account and then, send me the link for ES_Sandbox

Thank you in advance. 

 

Best regards.

Badr, 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-26-2020 12:51 PM

Enterprise Security uses data already indexed by Splunk  That is, the stuff from your firewalls, AD, servers, etc..  There's nothing special about ES data.

ES will create notable events when you enable the appropriate correlation searches and those searches find something of note in your data.

I recommend you clone some of your production data to your lab so you have a "realistic" data set.

---
If this reply helps you, Karma would be appreciated.
Reply

badr_boukari
Explorer
‎11-30-2020 06:16 AM

Hello richgalloway, 

Thank you so much for your response. 

I try to generate ficitf data from Eventgen, and realize ES scenarios. It's difficult to clone some of production data to the lab.

I have now an other problem, ES doesn't create notable events when i enable the appropriate correlation searches.  Where it can come  from? any ideas? 

 

Thanks in advance.

Badr, 

PS:  i give you the upvote! 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...