Splunk Enterprise Security

Splunk Enterprise Security Cheat Sheet

dbroggy
Path Finder

Hi Everyone,

I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.

Specific topics of interest:
1. Recommended 'base apps' for ES, eg:

  • CIM
  • ESCU
  • CIM-Validator
  • lookup file editor
  • knowledge object explorer
  • more??

2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.

  • eg. For Azure: SH - App and addon, HF - App and addon

3. And finally ways to quickly validate logs eg:

  • use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
    • if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
    • or use queries like this to validate your logs, based on a table that matches the required fields:
      • |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product

I would greatly appreciate your feedback and better ways to validate your ES installation.

Thanks.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...