I'm working on putting some of my DLP events into the Alerts data model. However, I'm struggling to find out where they actually populate in Splunk Enterprise Security. Is there a spot for these alerts in ES? I was hoping they would populate in the identity or asset investigator.
I'm not sure if Splunk totally changed my topic, but my question direction was changed.
I reviewed the other DLP add-ons that Splunk has created and supports, in particular the RSA DLP application (https://splunkbase.splunk.com/app/2956/), and they all appear to use the Alerts data model for DLP. They state in the description that it's good for use in Splunk applications, including ES.
So I mocked up my DLP machine data to comply with that data model, and I'm wondering where it should populate in ES. Is there a swimlane that it should go to?