Splunk Enterprise Security

Enterprise Security: is it a good practice to "force" certain fields to exist at the macro level?

danielbb
Motivator

The cim_Authentication_indexes is defined, in our case, as (index=wineventlog OR index=<linux> OR index=<rsa> OR ...)

For the index=wineventlog we have nice compliance with the Authentication datamodel except src at 68% and src_user at 5%. So, I wonder if we should change the definition of the macro to be something like - ( (index=wineventlog AND src=*) OR index=<linux> OR index=<rsa> OR ...).

Does it make any sense?

woodcock
Esteemed Legend

No. YOU have to decide what fields are important TO YOU and then ensure that they exist every time that they should. Fix the field extractions. Do not hide the events.

lakshman239
SplunkTrust

That would be the case in the ideal world. However, not all events have all the fields (as the vendor/product may only offer limited fields in the events) that we need for a given datamodel. What do you suggest in those situations?

woodcock
Esteemed Legend

If you have some kind of a sudo thing and your system does not log the src_user, then you should scream bloody hell at your vendor to fix their logging. I have never seen such a situation, although I have seen many situations where src_user has no context and therefore is meaningless and quite logically does not exist.

0 Karma

danielbb
Motivator

I got it @woodcock - thank you.

0 Karma

starcher
SplunkTrust

You should fix the onboarding of the data to address field issues. Doing it at search time is just a band-aid over the root issue. And you do not want to get into the business of hand-managing updates to the datamodels either.

danielbb
Motivator

It makes sense @starcher, but I'm not sure whether src must exist for all the events, in this particular case.

0 Karma

lakshman239
SplunkTrust

For the Authentication datamodel, 'src' is a key field to know the endpoint/client involved in the authentication process. If you do not have that in the events and you want to exclude them (as a last resort), adjust your eventtypes.conf and tags.conf to keep them out of the Authentication datamodel.
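As an added illustration of the eventtypes.conf/tags.conf approach described in the answer above (not from the thread or from any Splunk add-on; the eventtype name, sourcetype and EventCodes are assumptions, substitute the ones your Windows add-on actually defines), the idea is to narrow the eventtype that carries the `authentication` tag so that only events with a `src` value are selected by the datamodel's base search:

```ini
# local/eventtypes.conf in the add-on's app directory on the search head.
# The stanza name is an assumption: override the eventtype your Windows
# add-on really uses so that its search additionally requires src=*.
# Events without src then no longer match this eventtype and therefore
# never receive the tag below.
[windows_logon_events_with_src]
search = index=wineventlog sourcetype=XmlWinEventLog:Security (EventCode=4624 OR EventCode=4625) src=*

# local/tags.conf in the same app.
# The Authentication datamodel's base search selects on tag=authentication,
# so only events matching the narrowed eventtype reach the datamodel.
[eventtype=windows_logon_events_with_src]
authentication = enabled

# Check the effect (before and after) with an accelerated-datamodel search:
#   | tstats count from datamodel=Authentication where index=wineventlog by Authentication.src
# Rows with an empty src should disappear once the override is in place.
```

This still hides the events rather than fixing them; as the other replies note, repairing the src extraction at onboarding is the preferred fix.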

danielbb
Motivator

Great information. Where exactly do these eventtypes.conf and tags.conf exist?

0 Karma