Enterprise security app
Hello,
I am currently working on configuring the Splunk Enterprise Security app. I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app.
Could anyone guide me on how to configure the data sources in the Enterprise Security app? If there is any specific documentation on this, I would appreciate it if you could provide it.

@BRFZ As @livehybrid and @gargantua explained, those links and materials will help you understand ES better at your own pace. Having said that, if you have already ingested your data sources into Splunk (on-prem or Splunk Cloud), ES should be able to use that data.
- ES comes with a number of out-of-the-box dashboards, and these rely on the CIM compliance of your data sources. Refer to the requirements here if you plan to use any of these dashboards.
- I suggest reviewing your use cases and seeing how you can make use of the data models for improved searches and triage. If you want the search results to be available in the Incident Review screen for triage and analysis, you need to create/configure your detections/rules/alerts as correlation searches.
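As an added example (written here, not part of the reply above and not Splunk's own content) of what the last point means in practice: a correlation search body that runs against the CIM Authentication data model instead of raw events, which is why the CIM mapping has to be in place first. The data model, dataset and field names are the standard CIM ones; the failure threshold and the distinct-account count are assumed starting values to tune; `summariesonly=true` assumes the Authentication data model is accelerated. The inline ``` comments need Splunk 9.0 or later.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count AS failures
    dc(Authentication.user) AS distinct_users
    values(sourcetype) AS sourcetypes
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.dest
| rename "Authentication.*" AS *
| where failures >= 20 AND distinct_users >= 5   ```assumed thresholds: tune to your environment before enabling```
| eval risk_message="Failed logons from " . src . " against " . dest . ": " . tostring(failures) . " failures across " . tostring(distinct_users) . " accounts"
| table src, dest, failures, distinct_users, sourcetypes, risk_message
```

Run it over the last hour from the search bar first. If it returns no rows for a sourcetype you know contains failed logons, the problem is the CIM mapping (the events are not tagged `authentication` or `action` is not normalized to `failure`), not the detection. Once it returns sensible rows, save it through ES Content Management as a correlation search with the Notable adaptive response action enabled; each result row then appears in Incident Review as a notable, carrying the asset and identity fields ES adds for `src`, `dest` and `user`.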

Hi @BRFZ
If your data is landing in Splunk then the next thing you'll probably want to start looking at is ensuring that it is CIM compliant and then starting to enable/create Rules, based on your requirements.
To do this properly you want to make sure it is planned out well and have clear requirements, rather than enabling lots of Rules sporadically!
Some good resources to check out are:
Splunk Lantern - https://lantern.splunk.com/Security/Getting_Started/Getting_started_with_ES
Splunk Security Essentials - https://splunkbase.splunk.com/app/3435
Splunk ES 101 video - https://www.youtube.com/watch?v=Euas6lCK-LE
Splunk ES Certified Admin training path - https://www.splunk.com/en_us/training/certification-track/splunk-es-certified-admin.html
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi there,
Splunk Enterprise Security (ES) is a sort of extra layer on top of Splunk Enterprise, and it brings you more integrated possibilities:
- More possibilities when it comes to creating alerts (called Notables in ES; this name must have changed in version 8, though)
- An alert management system (Incident Review) which allows a team to watch alerts and investigate them
- An IOC detection and management system
- Tons of useful dashboards
All of that heavily relies on:
Your data:
- Whether the data you're already ingesting into Splunk Enterprise is CIM compliant (documentation: https://docs.splunk.com/Documentation/CIM/6.0.2/User/Overview)
- How well this data is mapped to Splunk data models
Everything is well explained on this page: https://docs.splunk.com/Documentation/ES/8.0.2/Install/DataSourcePlanning
Identities (login accounts) and Assets (hosts):
You must give Splunk ES a list of:
- the identities (account names) of the users of your organization
- the hostnames / IP addresses of the assets of your organization
This process is explained on this page: https://docs.splunk.com/Documentation/ES/8.0.2/Admin/VerifyAssetIdentityData
Configuring ES to its full potential can take some time and energy, but it's worth it.
Best,
Ch.
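To check the two prerequisites from the reply above (CIM mapping of your data, and the assets and identities lists) in one pass, here is an added example search (mine, not from the reply or from Splunk documentation). It measures, per sourcetype, how many authentication events carry each of the CIM Authentication fields and how many were enriched by ES asset and identity correlation. Assumptions: the index name `wineventlog`, that ES asset/identity correlation is enabled for these sourcetypes (Configure > Data Enrichment > Asset and Identity Management), and Splunk 9.0 or later for the ``` comment syntax.

```spl
index=wineventlog tag=authentication earliest=-24h   ```index name is an assumption; tag=authentication is what the Authentication data model is built on```
| stats count AS events
        count(action) AS has_action
        count(user)   AS has_user
        count(src)    AS has_src
        count(dest)   AS has_dest
        count(app)    AS has_app
        count(dest_priority) AS has_dest_priority   ```populated by ES asset correlation when dest matches an entry in the assets list```
        count(user_priority) AS has_user_priority   ```populated by ES identity correlation when user matches an entry in the identities list```
    by sourcetype
| foreach has_* [eval pct_<<MATCHSTR>>=round(100 * '<<FIELD>>' / events, 1)]
| fields sourcetype, events, pct_*
```

How to read the result: a column such as `pct_user` or `pct_action` well below 100 for a sourcetype points at the add-on or field alias for that sourcetype, not at ES; the data model and every ES dashboard built on it will silently drop those events. A high `pct_dest` with a low `pct_dest_priority` means the events are fine but the assets list does not know those hosts, or knows them under a different identifier (short hostname versus FQDN, or IP versus name), which is exactly what the VerifyAssetIdentityData page linked above is about. The same pattern applies to `pct_user` versus `pct_user_priority` for the identities list.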
