I am working as security analyst and I monitor many customers using splunk I usally deal with incidents that created by somone higher than me and then investigate them but now am trying to learn threat hunting with splunk and found a lot of great queries that can help but I ran into few questions that confused me and hoping to find answers here
Every customer we have has different index names and sourcetypes like for example if i want run a query than has index=auditd and sourcetype=fgt_traffic. And this query will not work for every splunk that i want to search into because I dont know what index has like web logs or what firewall is in what sourcetype. How can I know what index and what sourcetype Names and if they named it a name that doesn’t match what it does how can I know what kind of logs in this sourcetype or index?
My other question is. I know that XmlwineventLog and wineventlog have logs for events that happened but what if i want to see logs for linux what sourcetype would that be?
All of this should be normalized with the Common Information Model app which has a bunch of macros called CIM_*_indexes. These should tell you where your stuff is. You can also use |datamodel and |from datamodel.