Splunk Enterprise Security

IIS and ES application & CIM

dimitris_vergos
Path Finder

Hello,

I have set up ES and I am trying to input information from IIS. While the information is being parsed correctly and the fields are being separated as they should (via the pre-built sourcetype=iis), I see that in ES it is not being normalized as it should.

I also see that there is no TA for it either. I have tried adding field aliases on the search head as seen in http://answers.splunk.com/answers/128538/ta-for-iis-that-follows-the-common-information-model.html

My architecture consists of UF -> HF -> Indexer -> SH (different boxes for all).

So far the fields are not being normalized correctly.

1 Solution

jkat54
SplunkTrust

The latest version of the app is ESS compatible and CIM compliant:

https://splunkbase.splunk.com/app/3185/



sorenmaigaard
Path Finder

Hi

We are having this issue as well.
It seems odd that IIS is not supported by Enterprise Security out of the box.

Splunk has created an add-on for IIS:
https://apps.splunk.com/app/1579/

However, it seems that it is not CIM compliant.

Do we really need to create a new TA to get IIS data into ES? And has no one done this before?

Best
Soren


mcronkrite
Splunk Employee

To onboard IIS data for ES you need to create a TA-iis that maps to the web tag (put this TA on the ES search head).
Here is the starting-point overview on how to add new data to ES:
http://docs.splunk.com/Documentation/ES/latest/CreateTA/Overview
Here is the detail for the Web data that IIS will be under:
http://docs.splunk.com/Documentation/ES/3.0/CreateTA/DashboardRequirementsMatrix
Look for the Web section and extract or alias the fields in your IIS data that are needed for the Web section.
For advanced setup you will want to analyze the IIS application, identify security-relevant events and map those to the appropriate ES eventtype/tag.
For example, in your IIS logs you may have url=/login.asp; that would be an authentication tag and would need the appropriate fields from the Dashboard Requirements Matrix.

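As a concrete starting point for the TA-iis described in the answer above (and for the field-alias approach the original question tried), here is an added example of the three conf files such a TA needs. It is not from this thread or from Splunk's own add-on. It assumes the field names the pretrained iis sourcetype extracts from the W3C header (c_ip, cs_method, cs_uri_stem, cs_User_Agent and so on), the CIM Web data model field names on the right-hand side of each alias, and the /login.asp path taken from the answer; the app name TA-iis and the eventtype names are placeholders.

```ini
# props.conf  (search-time knowledge only: deploy to the ES search head,
# the HF and indexers do not need it)
#
# Assumption: the pretrained "iis" sourcetype names the W3C header fields with
# "-" and "()" rewritten to "_", e.g. c-ip -> c_ip, cs(User-Agent) -> cs_User_Agent.
# Check with `sourcetype=iis | head 1 | fieldsummary` and adjust the left-hand
# names if yours differ; an alias of a field that does not exist is silently empty.
[iis]
FIELDALIAS-iis_cim_src         = c_ip AS src
FIELDALIAS-iis_cim_dest        = s_ip AS dest
FIELDALIAS-iis_cim_dest_port   = s_port AS dest_port
FIELDALIAS-iis_cim_http_method = cs_method AS http_method
FIELDALIAS-iis_cim_uri_path    = cs_uri_stem AS uri_path
FIELDALIAS-iis_cim_uri_query   = cs_uri_query AS uri_query
FIELDALIAS-iis_cim_status      = sc_status AS status
FIELDALIAS-iis_cim_user        = cs_username AS user
FIELDALIAS-iis_cim_user_agent  = cs_User_Agent AS http_user_agent
FIELDALIAS-iis_cim_referrer    = cs_Referer AS http_referrer
FIELDALIAS-iis_cim_bytes_in    = cs_bytes AS bytes_in
FIELDALIAS-iis_cim_bytes_out   = sc_bytes AS bytes_out
# IIS reports time-taken in milliseconds, which is the unit CIM response_time expects
FIELDALIAS-iis_cim_response    = time_taken AS response_time
# Derived fields. IIS writes "-" for empty values, so do not concatenate blindly.
EVAL-url            = if(isnull(cs_uri_query) OR cs_uri_query=="-", cs_uri_stem, cs_uri_stem . "?" . cs_uri_query)
EVAL-bytes          = coalesce(tonumber(cs_bytes), 0) + coalesce(tonumber(sc_bytes), 0)
EVAL-vendor_product = "Microsoft IIS"

# eventtypes.conf
[iis_web]
search = sourcetype=iis

# Security-relevant subset (assumption: a login handler at /login.asp, as in the
# answer; use your own application's paths). The Authentication data model also
# needs action=success|failure, which depends on how *your* application answers a
# login (a 302 to the app versus back to the login page, for instance); that rule
# is application-specific and is deliberately not guessed here.
[iis_web_login]
search = sourcetype=iis cs_method=POST cs_uri_stem="/login.asp"

# tags.conf
[eventtype=iis_web]
web = enabled

[eventtype=iis_web_login]
authentication = enabled
```

Put the three files under `$SPLUNK_HOME/etc/apps/TA-iis/default/` on the ES search head, and give the app a `metadata/default.meta` with `[]` and `export = system` so the aliases, eventtypes and tags are visible to the ES app rather than only inside TA-iis. Because every setting above is search-time, nothing changes on the forwarders or indexers. To check the result, run `sourcetype=iis tag=web | head 5` and confirm the CIM names are populated, then `| datamodel Web Web search | search sourcetype=iis | table _time src dest http_method uri_path status`; if the first search shows the fields but the second returns nothing, the tag or the export scope is what is missing, not the aliases.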