Splunk Enterprise Security

Enable All Splunk Enterprise Security Features

mgalos
New Member

I am trying to use Splunk ES searches and summaries but I'm not sure where to start or what logs are required.
My main issues are with the Splunk Domains and Splunk intelligence.

I had initially assumed that ingesting the basic win event logs, linux syslog, and cisco ios snmp should be enough data to populate most of the fields making it work out of the box, but it seems that I must be missing something.

I have mostly set up the assets and identities (though our AD objects aren't sorted by business unit, priority, or category making it pretty useless).

Have I missed a step in configuring ES, or is there more granular documentation/walkthrough about what logs and data it needs to work properly? I have looked through the ES install and admin guide and am still left with many questions.

0 Karma

woodcock
Esteemed Legend

mgalos
New Member

I will have to look over this script and give it a try. It looks interesting though.

Is it basically searching indexes for compatible sourcetypes, datamodels, contentupdate, and CIM?

0 Karma

woodcock
Esteemed Legend

Yes, it is doing all the cross-referencing for you.

0 Karma

att35
Builder

Hi mgalos,

As per my understanding, tags define what ES searches/dashboards/datamodels can see. Apart from having correct tags, the data should be normalized as per CIM (https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview#Why_the_CIM_exists), which means that field names need to follow a certain format (usually, for commonly used data sources like Windows Events, the TAs accompanying ES should do this for you).

Once the tags are in place and ES can see fields as per CIM, data should start populating. You can get more details on CIM, data models and their respective tag/field requirements here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Howtousethesereferencetables

To search data from a sourcetype against a specific Data Model, use the following search:

| datamodel Authentication search | search sourcetype=WinEventLogs

Try this with your Windows Logs against Alert and Authentication datamodels and see if you get any data.

0 Karma
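Building on the check in the answer above, the following diagnostic searches are an added example, not part of the original thread and not Splunk's own documentation. They walk the same chain in the other direction: which sourcetypes are actually landing in the Authentication data model and with what `action` values, how many of a given sourcetype's raw events carry the `authentication` tag, and whether the tagged events expose the CIM fields the data model expects. The sourcetype `WinEventLog:Security` and the 24-hour window are assumptions; substitute your own.

```spl
| tstats summariesonly=false count from datamodel=Authentication by sourcetype, Authentication.action

sourcetype=WinEventLog:Security earliest=-24h
| eval is_auth=if(isnotnull(mvfind(tag, "^authentication$")), 1, 0)
| stats sum(is_auth) AS tagged, count AS total by sourcetype
| eval untagged_pct=round(100*(total-tagged)/total, 1)

tag=authentication sourcetype=WinEventLog:Security earliest=-24h
| stats count AS total, count(action) AS has_action, count(user) AS has_user, count(src) AS has_src, count(dest) AS has_dest by sourcetype
```

Run them as three separate searches. If the first one lists no Windows sourcetype at all, the second tells you whether the events are present but untagged (the TA's eventtype/tag definitions are not matching your events) or simply absent. Zeros in the `has_*` columns of the third search point at missing field extractions or aliases, which is the CIM normalization the TA is supposed to supply; the `count(field)` form only counts events where that field is non-null, so it is a direct measure of how much of your data the data model can use.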

mgalos
New Member

I am using Splunk TA apps for nix, windows, and added one for cisco.

The syslog for nix is RFC 5424 for most logs, and basic WinEvent logs.

I will definitely take a look through the tags though and see if I can discover any discrepancies.

I assume there is something I'm not enabling or configuring correctly but the documentation isn't very particular about the features.

0 Karma