Splunk Enterprise Security Cheat Sheet
dbroggy
Path Finder
03-21-2021
07:48 PM
Hi Everyone,
I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheat sheet.
Specific topics of interest:
1. Recommended 'base apps' for ES, e.g.:
- CIM
- ESCU
- CIM-Validator
- lookup file editor
- knowledge object explorer
- more??
2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.
- e.g. For Azure: SH - App and addon, HF - App and addon
3. And finally ways to quickly validate logs, e.g.:
- use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
- if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
- or use queries like this to validate your logs, based on a table that matches the required fields:
- |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product
I would greatly appreciate your feedback and better ways to validate your ES installation.
Thanks.
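The query in the post lists the fields once per sourcetype but leaves the reader to eyeball which ones are empty. The search below is an added example (not part of dbroggy's post) that turns the same Intrusion_Detection / IDS_Attacks check into a per-sourcetype compliance score. It assumes the same datamodel and the same required-field list as the post; the field names in the foreach clause are an assumption taken from that list and should be swapped for whichever datamodel you are validating.

```spl
| datamodel Intrusion_Detection IDS_Attacks search
| rename IDS_Attacks.* as *
``` Walk the required fields (assumed list from the post) and record, per event, which ones are null.
| foreach action category dest signature src user vendor_product
    [ eval missing = if(isnull('<<FIELD>>'),
                         if(isnull(missing), "<<FIELD>>", missing." <<FIELD>>"),
                         missing) ]
``` Roll up: how many events per sourcetype carry every required field.
| stats count as events,
        count(eval(isnull(missing))) as fully_mapped,
        values(missing) as missing_field_sets
        by sourcetype
| eval pct_compliant = round(100 * fully_mapped / events, 1)
| eval status = if(pct_compliant < 100, "REVIEW add-on/props on SH or HF", "OK")
| table sourcetype events fully_mapped pct_compliant missing_field_sets status
```

A sourcetype that shows "REVIEW" with the same missing field on every event is the signature of a TA that is not installed (or not enabled) on the search head or heavy forwarder that parses it, which is the case the post's second bullet describes; a sourcetype with only a few missing events usually points at a field extraction that does not cover every log variant. Run it over a short window first (the search respects the time picker), since `| datamodel ... search` is not accelerated.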
