Splunk Enterprise Security

Enterprise Security app

hazem
Path Finder

We have a cluster with two search heads and two indexers. We need to install the Enterprise Security app on the search heads. The question arises regarding the summary index and indexes created during the Enterprise Security installation, like IOC and notable. Should these indexes be created with the same names on our indexers?


jawahir007
Communicator

There is an inbuilt package available within Splunk ES. You can follow the below steps to configure the Enterprise Security-specific indexes on the indexers:

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers.
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Refer to this link for more details: https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...


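A small verification script for the package produced by the steps above, added here as an example and not part of the original post or of Splunk's own tooling: it parses the indexes.conf shipped in Splunk_TA_ForIndexers, lists the indexes the cluster peers must have, reports any that a peer does not yet have, and flags volume references the package never defines. The sample indexes.conf and the peer index list are constructed; only notable, ioc and summary are index names taken from the thread.

```python
"""Check a Splunk_TA_ForIndexers indexes.conf before deploying it to cluster peers.
Added example; the conf text and peer list below are constructed, not from Splunk."""
import configparser

# Constructed sample in the Splunk indexes.conf stanza format. [default] and
# [volume:<name>] stanzas are not indexes and must not be counted as such.
SAMPLE_INDEXES_CONF = """\
[default]
frozenTimePeriodInSecs = 188697600

[volume:hot]
path = /opt/splunk/var/lib/splunk

[notable]
homePath = volume:hot/notable/db
coldPath = volume:hot/notable/colddb
thawedPath = $SPLUNK_DB/notable/thaweddb

[ioc]
homePath = volume:hot/ioc/db
coldPath = volume:hot/ioc/colddb
thawedPath = $SPLUNK_DB/ioc/thaweddb

[summary]
homePath = volume:hot/summary/db
coldPath = volume:hot/summary/colddb
thawedPath = $SPLUNK_DB/summary/thaweddb
"""


def _load(conf_text: str) -> configparser.RawConfigParser:
    """Parse Splunk's INI-like stanza format; keys are case-sensitive, no interpolation."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def parse_index_names(conf_text: str) -> set[str]:
    """Index names defined in the conf, excluding the [default] and volume stanzas."""
    cp = _load(conf_text)
    return {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}


def missing_on_peers(conf_text: str, peer_indexes: set[str]) -> set[str]:
    """Indexes the TA defines that a peer does not report (e.g. from `splunk list index`)."""
    return parse_index_names(conf_text) - peer_indexes


def undefined_volumes(conf_text: str) -> set[str]:
    """Volume names used in homePath/coldPath with no matching [volume:<name>] stanza."""
    cp = _load(conf_text)
    defined = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("volume:")}
    referenced = set()
    for sec in parse_index_names(conf_text):
        for key in ("homePath", "coldPath"):
            val = cp.get(sec, key, fallback="")
            if val.startswith("volume:"):
                referenced.add(val[len("volume:"):].split("/", 1)[0])
    return referenced - defined


if __name__ == "__main__":
    # Constructed list of indexes a peer currently reports.
    peer_has = {"main", "_internal", "notable", "summary"}
    print("missing on peer:", sorted(missing_on_peers(SAMPLE_INDEXES_CONF, peer_has)))
    print("undefined volumes:", sorted(undefined_volumes(SAMPLE_INDEXES_CONF)))
```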

hazem
Path Finder

Many thanks @jawahir007

