Hi Everyone,
I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.
Specific topics of interest:
1. Recommended 'base apps' for ES, eg:
- CIM
- ESCU
- CIM-Validator
- lookup file editor
- knowledge object explorer
- more??
2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.
- eg. For Azure: SH - App and addon, HF - App and addon
3. And finally ways to quickly validate logs eg:
- use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
- if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
- or use queries like this to validate your logs, based on a table that matches the required fields:
- |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product
I would greatly appreciate your feedback and better ways to validate your ES installation.
Thanks.
