Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security Cheat Sheet

dbroggy
Path Finder
‎03-21-2021 07:48 PM

Hi Everyone,

I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.

Specific topics of interest:
1. Recommended 'base apps' for ES, eg:

  • CIM
  • ESCU
  • CIM-Validator
  • lookup file editor
  • knowledge object explorer
  • more??

2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.

  • eg. For Azure: SH - App and addon, HF - App and addon

3. And finally ways to quickly validate logs eg:

  • use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
    • if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
    • or use queries like this to validate your logs, based on a table that matches the required fields:
      • |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product

I would greatly appreciate your feedback and better ways to validate your ES installation.

Thanks.

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...