Splunk Enterprise Security

Sourcetype naming and indexs help!!

ewonn
New Member

Hi guys,
I am working as a security analyst and I monitor many customers using Splunk. I usually deal with incidents that are created by someone higher than me and then investigate them, but now I am trying to learn threat hunting with Splunk and found a lot of great queries that can help. I ran into a few questions that confused me and am hoping to find answers here.
Every customer we have has different index names and sourcetypes. For example, if I want to run a query that has index=auditd and sourcetype=fgt_traffic, this query will not work for every Splunk that I want to search into, because I don't know which index has, say, the web logs or which firewall is in which sourcetype. How can I know the index and sourcetype names, and if they named one something that doesn't match what it does, how can I know what kind of logs are in that sourcetype or index?

My other question is: I know that XmlWinEventLog and WinEventLog have logs for events that happened, but what if I want to see logs for Linux? What sourcetype would that be?

Thank you all


woodcock
Esteemed Legend

All of this should be normalized with the Common Information Model app which has a bunch of macros called CIM_*_indexes. These should tell you where your stuff is. You can also use |datamodel and |from datamodel.


to4kawa
Ultra Champion
|tstats count where index=* sourcetype=* by index sourcetype
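The searches below are an added example that builds on both answers above (woodcock's CIM/data model pointer and to4kawa's tstats inventory); they are not part of the original thread. They assume a default Splunk search head, with the Common Information Model app (Splunk_SA_CIM) installed for the data model searches, and the Linux sourcetype wildcards in the last search are an assumption about naming rather than a fact about any customer. Read them as four separate searches, run one at a time: (1) an inventory of every index/sourcetype pair with its first and last event time, so a customer's naming can be mapped before hunting; (2) a sample of raw events from a sourcetype whose name does not explain its content, which is the practical way to find out what it really holds; (3) which sourcetypes actually feed a CIM data model, so that a hunt can be written against the normalized model instead of per-customer names; (4) a narrowed inventory for likely Linux sources.

```spl
| tstats count min(_time) as first_seen max(_time) as last_seen where index=* sourcetype=* by index sourcetype
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort - count

index=* sourcetype=fgt_traffic
| head 20
| table _time index sourcetype source host _raw

| tstats summariesonly=false count from datamodel=Network_Traffic by index sourcetype
| sort - count

| tstats count where index=* (sourcetype=linux* OR sourcetype=syslog* OR sourcetype=*audit*) by index sourcetype
| sort - count
```

The data model search is the portable one: a hunt written as `| tstats ... from datamodel=Network_Traffic` works on any customer where the CIM app is configured, because the per-customer index names live in the cim_*_indexes macros and the sourcetype mapping lives in the add-ons' tags, not in the hunt itself. Search (3) also shows immediately when a customer's firewall logs are not tagged into the model at all, which is the usual reason a shared hunt returns nothing.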