Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security Cheat Sheet

dbroggy
Path Finder
‎03-21-2021 07:48 PM

Hi Everyone,

I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet.

Specific topics of interest:
1. Recommended 'base apps' for ES, eg:

  • CIM
  • ESCU
  • CIM-Validator
  • lookup file editor
  • knowledge object explorer
  • more??

2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on.

  • eg. For Azure: SH - App and addon, HF - App and addon

3. And finally ways to quickly validate logs eg:

  • use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist.
    • if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF.
    • or use queries like this to validate your logs, based on a table that matches the required fields:
      • |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product

I would greatly appreciate your feedback and better ways to validate your ES installation.

Thanks.

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...