Splunk Enterprise Security

Enterprise Security Suite

Contributor

Doc Question regarding ESS

I checked out (e.g. http://www.splunk.com/view/enterprise-security-suite/SP-CAAAE8Z). It says the 50 most common security-based search correlations are built into the ESS app.

Is there some more specific doc around ESS where I can see what EXACTLY comes with the app (e.g. what kind of checks are done, reporting, alerts, etc.)?

1 Solution

Contributor
Correlation Search                                      Domain

Anomalous Audit Trail Activity Detected                 audit
Anomalous New Listening Port                            endpoint
Anomalous New Processes                                 endpoint
Anomalous New Services                                  endpoint
Anomalous User Account Creation                         endpoint
Brute Force Access Behavior Detected                    access
Cleartext Password At Rest                              access
Completely Inactive Account                             access
Default Account Usage                                   access
Default Accounts At Rest                                access
Excessive Failed Logins                                 access
Expected Host Not Reporting                             audit
High Number of Hosts With Infection                     endpoint
High Number Of Infected Hosts                           endpoint
High Or Critical Priority Host With Malware             endpoint
Host With Excessive Number Of Listening Ports           endpoint
Host With Excessive Number Of Processes                 endpoint
Host With Excessive Number Of Services                  endpoint
Host With Multiple Infections                           endpoint
Inactive Account Usage                                  access
Insecure Or Cleartext Authentication                    access
Internet Proxy Server Activity                          network
Known Web Attacker Activity                             network
LogMeIn Activity                                        network
Old Malware Infection                                   endpoint
Personally Identifiable Information Detection           audit
PirateBay Activity                                      network
Policy Or Configuration Change                          network
Prohibited Process Detection                            endpoint
Prohibited Service Detection                            endpoint
RapidShare Activity                                     network
Recurring Malware Infection                             endpoint
SANS Block List Activity                                network
Should Timesync Host Not Syncing                        endpoint
Spyware Activity                                        network
Substantial Increase in an Event                        network
Substantial Increase in Port Activity (By Destination)  network
Tor Router Activity                                     network
Unapproved Port Activity Detected                       network
Unroutable Host Activity                                network
Vulnerability Scanner Detection (by event)              network
Vulnerability Scanner Detection (by targets)            network
Watchlisted Events                                      threat

Nearly 50, but happy so far! Further, I got an ESS User Guide from Splunk - unfortunately, it's not public!?

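To show what kind of check the listed correlation searches perform, here is an added Python illustration (not ES's own SPL or code) of two of them, "Excessive Failed Logins" and "Default Account Usage", run over constructed authentication events; the thresholds, window and default-account list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events for the illustration (not real ES data).
SAMPLE_EVENTS = [
    {"time": "2013-03-01T10:00:00", "src": "10.0.0.5", "user": "alice", "action": "failure"},
    {"time": "2013-03-01T10:00:10", "src": "10.0.0.5", "user": "alice", "action": "failure"},
    {"time": "2013-03-01T10:00:20", "src": "10.0.0.5", "user": "alice", "action": "failure"},
    {"time": "2013-03-01T10:00:30", "src": "10.0.0.5", "user": "alice", "action": "failure"},
    {"time": "2013-03-01T10:00:40", "src": "10.0.0.5", "user": "alice", "action": "failure"},
    {"time": "2013-03-01T10:00:50", "src": "10.0.0.5", "user": "alice", "action": "success"},
    {"time": "2013-03-01T11:00:00", "src": "10.0.0.9", "user": "bob", "action": "failure"},
    {"time": "2013-03-01T14:00:00", "src": "10.0.0.9", "user": "bob", "action": "failure"},
    {"time": "2013-03-01T15:00:00", "src": "10.0.0.7", "user": "admin", "action": "success"},
]

# Assumed list of vendor/default account names; a real deployment would maintain its own.
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def excessive_failed_logins(events, threshold=5, window_seconds=600):
    """Return sorted (src, user) pairs with >= threshold failures inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            failures[(e["src"], e["user"])].append(_ts(e))
    hits = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return sorted(hits)


def default_account_usage(events, defaults=DEFAULT_ACCOUNTS):
    """Return sorted (src, user) pairs where a default account authenticated successfully."""
    return sorted({(e["src"], e["user"]) for e in events
                   if e["action"] == "success" and e["user"] in defaults})


if __name__ == "__main__":
    print("excessive failed logins:", excessive_failed_logins(SAMPLE_EVENTS))
    print("default account usage:", default_account_usage(SAMPLE_EVENTS))
```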

Splunk Employee

Hi,

We've published the documentation now along with version 2.0 -- the current search listing may be found in the User's Manual: http://docs.splunk.com/Documentation/ES/latest/User/Overview
