Splunk Enterprise Security: Some dashboards are po...

Fraankiiie · ‎04-17-2016

The treat activity dashboard won't populate in the Splunk Enterprise Security app, although other dashboards (not all) are populated like the protocol center, useragent, url length.

I created a list with some malicious ip's and urls's (bro logs)
Threat list CSVs are populated in the splunk folder.

When I do | inputlookup threatlist_lookup_by_cidr it returns no results.

It seems to be that the data indexed good and splunk can create the datamodels. because i can do a searches against the data models.

The threat_Activity datamodel keeps standing on building. I assume that's correct?

Someone knows a solution on how to get the treat activity dashboard populated?

doksu · ‎04-17-2016

If the Threat datamodel hasn't completed acceleration, the Threat Activity dashboard is unlikely to show any/complete results because the tstats commands used to populate the panes only searches against summarised data by default.

Fraankiiie · ‎04-18-2016

alright, but the data model keep saying building... There is an asset list, data indexed, i tagged the data according to CIM. So i don't understand why some are 100% and some keep saying building.

Seems to me something is going wrong with calculating and extracting the fields for the event objects for the treat activty data model (derived fields from Asset and Identity correlation), but i can't figure out what.

doksu · ‎04-18-2016

The Threat_Activity datamodel object used by that dashboard is constrained by: index=threat_activity

Could you please search index=threat_activity for all time to see if anything is in that index.

Fraankiiie · ‎04-19-2016

of course! i did the search for all time and it returned no results.

Thanks in advance!

Fraankiiie · ‎04-20-2016

hmm.. the problem is with the TA from bro. Because i indexed some other IDS data and now the data model will build and the dashboard is showing matched ioc's 🙂 only have to figure out where exactly it went wrong with the bro data.

doksu · ‎04-20-2016

If the issue is related to the bro TA, its CIM tagged eventtypes use searches based upon bro sourcetypes and those sourcetypes are assigned dynamically at index-time based upon the name of the file being ingested. So if the bro events aren't ending up the datamodels you're expecting, there's two things to check: the index-time props/transforms for bro are on the indexers/heavy forwarders cooking your bro events and that the expected filenames (conn.log, bro.conn.log, md5.bro.conn.log, etc.) match the actual names of the files being ingested causing the events to be correctly sourcetyped.

Hope this helps, but it's quite difficult to diagnose without intimate knowledge of your environment. If you can't sort it out, I would certainly open a support case.

Fraankiiie · ‎04-21-2016

i think it is related to the bro TA app because i indexed soms mcafee ids data (eventgen) and the threat activity dashboard matches some data with known IOC's. i know the Bro TA support bro 2.2 and 2.3 and we use internal 2.4 so i had to create some aliassas so there must be a wrong configuration somewhere.. i still gonna try to found out where the problem is.

Thanks a lot for your help and input! if i found out what the empty dashboard caused i will post it 🙂

Splunk Enterprise Security: Some dashboards are populated with data, but why not the Threat Activity dashboard?

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

New Dates, New City: Save the Date for .conf25!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud