Splunk Enterprise Security

Splunk Enterprise Security Cheat Sheet

dbroggy
Path Finder

Hi Everyone,

I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.

Specific topics of interest:
1. Recommended 'base apps' for ES, eg:

  • CIM
  • ESCU
  • CIM-Validator
  • lookup file editor
  • knowledge object explorer
  • more??

2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.

  • eg. For Azure: SH - App and addon, HF - App and addon

3. And finally ways to quickly validate logs eg:

  • use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
    • if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
    • or use queries like this to validate your logs, based on a table that matches the required fields:
      • |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product

I would greatly appreciate your feedback and better ways to validate your ES installation.

Thanks.

Labels (1)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!