Endpoint Correlation Searches.

Albert_Cyber · ‎10-17-2023

We are in the process of deploying our endpoint logging strategy. Right now, we are using CrowdStrike as our EDR. As far as I can tell if we wanted to use the logs collected by the CrowdStrike agent and forward that into Splunk we have to pay for the FDR license, which at the moment due to budget constraints we cannot.

When I look at the correlation searches that utilize the Endpoint Data model most of those detections are based on data that originates from Endpoint Detection and Response (EDR) agents. Since in our case we cannot utilize that data coming from CrowdStrike, could we use Sysmon instead to collect the data that we need to implement those corrections searches?

This is one of the use cases that I was interested in implementing

https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/

Laszlo_K13 · ‎10-19-2023

Please check this addon:

https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About

Documentation says is CIM compatible:

"The Splunk Add-on for Sysmon allows a Splunk software administrator to create a Splunk software data input and CIM-compliant field extractions for Microsoft Sysmon."

If the addon feeds the Endpoint.Processes datamodel, then the use case you are interested in might work.

Endpoint Correlation Searches.

correlation search

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector