Splunk Enterprise Security

Enterprise Security: is it a good practice to "force" certain fields to exist at the macro level?

Motivator

The cim_Authentication_indexes is defined, in our case, as (index=wineventlog OR index=<linux> OR index=<rsa> OR ...)

For the index=wineventlog we have nice compliance with the Authentication datamodel except src at 68% and src_user at 5%. So, I wonder if we should change the definition of the macro to be something like - ( (index=wineventlog AND src=*) OR index=<linux> OR index=<rsa> OR ...).

Does it make any sense?

Esteemed Legend

No. YOU have to decide what fields are important TO YOU and then ensure that they exist every time that they should. Fix the field extractions. Do not hide the events.

SplunkTrust

That would be the case in the ideal world. However, not all events have all the fields (as the vendor/product may only offer limited fields in the events) that we need for a given datamodel. What do you suggest in those situations?

Esteemed Legend

If you have some kind of a sudo thing and your system does not log the src_user, then you should scream bloody hell at your vendor to fix their logging. I have never seen such a situation, although I have seen many situations where src_user has no context and therefore is meaningless and quite logically does not exist.


Motivator

I got it @woodcock - thank you.


SplunkTrust

You should fix the onboarding of the data to address field issues. Doing it at search is just a bandaid of the root issue. And you do not want to get into the business of hand managing updates to the datamodels either.

Motivator

It makes sense @starcher, but I'm not sure whether src must exist for all the events, in this particular case.


SplunkTrust

For the Authentication datamodel, 'src' is a key field to know the endpoint/client involved in the authentication process. If you do not have that in the events and you want to exclude them (as a last resort), adjust your eventtypes.conf and tags.conf to stop them from going to the Authentication datamodel.

Motivator

Great information. Where exactly do these eventtypes.conf and tags.conf exist?

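As an added illustration (not part of the original thread) of the last-resort approach described above: eventtypes.conf and tags.conf are app-level configuration files that live under $SPLUNK_HOME/etc/apps/<app>/local/ on the search head (the same directory layout the Windows add-on uses); the eventtype name and the EventCode filter below are assumptions for the example. The macro is shown untouched, because it is shared by every CIM search and is not the place to filter fields.

```ini
# macros.conf (left exactly as the thread shows it; do NOT add src=* here,
# because this macro scopes every Authentication search, not just the Windows
# events, and a field filter would silently hide events from all of them)
[cim_Authentication_indexes]
definition = (index=wineventlog OR index=linux OR index=rsa)

# eventtypes.conf (assumed app: my_wineventlog_cim, directory local/)
# Tag only the Windows logon events that actually carry a src value.
# Events without src remain searchable in the index; they are just not
# tagged, so they are not pulled into the Authentication datamodel.
# Preferred fix is still a working src extraction in props/transforms.
[wineventlog_authentication_with_src]
search = index=wineventlog (EventCode=4624 OR EventCode=4625) src=*

# tags.conf (same app, same local/ directory)
# The Authentication datamodel selects events by tag=authentication,
# so the tag is attached to the constrained eventtype, not to the index.
[eventtype=wineventlog_authentication_with_src]
authentication = enabled
```

Check the effect with `tag=authentication index=wineventlog | stats count(src) as with_src count as total` before and after, and rebuild the datamodel acceleration if the coverage numbers do not move.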