Splunk Enterprise Security

Endpoint Correlation Searches.

Albert_Cyber
Explorer

We are in the process of deploying our endpoint logging strategy. Right now, we are using CrowdStrike as our EDR. As far as I can tell if we wanted to use the logs collected by the CrowdStrike agent and forward that into Splunk we have to pay for the FDR license, which at the moment due to budget constraints we cannot.

When I look at the correlation searches that utilize the Endpoint Data model most of those detections are based on data that originates from Endpoint Detection and Response (EDR) agents. Since in our case we cannot utilize that data coming from CrowdStrike, could we use Sysmon instead to collect the data that we need to implement those corrections searches?

This is one of the use cases that I was interested in implementing

https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/

Labels (1)
0 Karma

Laszlo_K13
New Member

Please check this addon:

https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About

Documentation says is CIM compatible:

"The Splunk Add-on for Sysmon allows a Splunk software administrator to create a Splunk software data input and CIM-compliant field extractions for Microsoft Sysmon."

If the addon feeds the Endpoint.Processes datamodel, then the use case you are interested in might work.

 

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...