
Splunk Enterprise Security Cheat Sheet


Hi Everyone,

I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheat sheet.

Specific topics of interest:
1. Recommended 'base apps' for ES, e.g.:

  • CIM
  • ESCU
  • CIM-Validator
  • lookup file editor
  • knowledge object explorer
  • more??

2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.

  • e.g. For Azure: SH - App and addon, HF - App and addon

3. And finally ways to quickly validate logs, e.g.:

  • use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
    • if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
    • or use queries like this to validate your logs, based on a table that matches the required fields:
      • | datamodel Intrusion_Detection IDS_Attacks search | dedup sourcetype | rename IDS_Attacks.* as * | table sourcetype action category dest signature src user vendor_product

I would greatly appreciate your feedback and better ways to validate your ES installation.


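An added example (not part of the original post) that automates the last validation step: it takes the rows produced by a data model search like the one above, exported as JSON with one object per line, and reports, per sourcetype, which required CIM fields are not populated. It generalizes the post's `dedup sourcetype` single-sample check to a populated-ratio over all rows, so a field that happens to be empty in one sample event is not mistaken for a missing extraction. The required-field table is a hypothetical subset chosen for illustration; the sample export is constructed, not real data.

```python
"""Report unpopulated CIM fields per sourcetype from an exported data model search.

Added example, not the poster's code. Assumes the search results were exported
as JSON, one object per line (Search UI "Export" in JSON format works). The
REQUIRED_FIELDS table below is a hypothetical subset; adjust it to the fields
your ES correlation searches actually need.
"""
import json
from collections import defaultdict

# Hypothetical required-field table: data model node -> fields to check.
REQUIRED_FIELDS = {
    "Intrusion_Detection.IDS_Attacks": [
        "action", "category", "dest", "signature", "src", "user", "vendor_product",
    ],
}

# Values that usually mean "no extraction", not a real value.
NULLISH = {None, "", "unknown", "null", "-"}


def _is_populated(value):
    """True if the field carries a real value; multivalue fields arrive as lists."""
    if isinstance(value, list):
        return any(_is_populated(v) for v in value)
    return value not in NULLISH


def field_coverage(rows, required):
    """Return {sourcetype: {field: fraction of rows where the field is populated}}."""
    seen = defaultdict(int)
    populated = defaultdict(lambda: defaultdict(int))
    for row in rows:
        sourcetype = row.get("sourcetype") or "<no sourcetype>"
        seen[sourcetype] += 1
        for field in required:
            if _is_populated(row.get(field)):
                populated[sourcetype][field] += 1
    return {
        st: {f: populated[st][f] / n for f in required}
        for st, n in seen.items()
    }


def missing_fields(coverage, threshold=0.9):
    """Return {sourcetype: [fields populated in fewer than `threshold` of rows]}.

    An empty dict means every sourcetype populates every required field.
    """
    report = {}
    for sourcetype, fields in coverage.items():
        gaps = [f for f, ratio in fields.items() if ratio < threshold]
        if gaps:
            report[sourcetype] = gaps
    return report


def check_export(json_lines, datamodel="Intrusion_Detection.IDS_Attacks", threshold=0.9):
    """Parse JSON-lines export and return the missing-field report."""
    rows = [json.loads(line) for line in json_lines if line.strip()]
    coverage = field_coverage(rows, REQUIRED_FIELDS[datamodel])
    return missing_fields(coverage, threshold)


# Constructed sample export (not real data): what
#   | datamodel Intrusion_Detection IDS_Attacks search | rename IDS_Attacks.* as *
#   | table sourcetype action category dest signature src user vendor_product
# might yield. "custom:ids" is a hypothetical sourcetype whose add-on does not
# extract user or vendor_product.
SAMPLE_EXPORT = [
    '{"sourcetype":"suricata","action":"blocked","category":"Attempted Admin Privilege Gain",'
    '"dest":"10.0.0.5","signature":"SID 2001","src":"198.51.100.7","user":"svc_web",'
    '"vendor_product":"Suricata IDS"}',
    '{"sourcetype":"suricata","action":"allowed","category":"Misc activity",'
    '"dest":["10.0.0.5","10.0.0.6"],"signature":"SID 2002","src":"203.0.113.9","user":"jdoe",'
    '"vendor_product":"Suricata IDS"}',
    '{"sourcetype":"custom:ids","action":"blocked","category":"scan","dest":"10.0.0.7",'
    '"signature":"portscan","src":"192.0.2.4","vendor_product":""}',
    '{"sourcetype":"custom:ids","action":"blocked","category":"scan","dest":"10.0.0.8",'
    '"signature":"portscan","src":"192.0.2.5"}',
]

if __name__ == "__main__":
    for sourcetype, gaps in check_export(SAMPLE_EXPORT).items():
        print(f"{sourcetype}: missing {', '.join(gaps)}")
    # prints: custom:ids: missing user, vendor_product
```

If a sourcetype shows up here with gaps and its add-on is documented as CIM compliant, that is the cue from the post to confirm the add-on is actually installed on the search head (for search-time extractions) and, where it does index-time work, on the heavy forwarder.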