Splunk Enterprise Security

Splunk Enterprise Security

kkkelvinkk
New Member

Hi,

I have installed a splunk enterprise trial and also requested Splunk Enterprise Security. I noticed that when I try a simple search "fail* password" in both platform, the fields that available are different. In Splunk Enterprise Security, the fields "dest, src, user" are being shown. I would like to ask is these fields are being known to splunk after installing Splunk Enterprise Security ?
Thanks all.

0 Karma
1 Solution

sfefcu
Path Finder

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

View solution in original post

0 Karma

kkkelvinkk
New Member

Thanks. I have installed the CIM, but CIM alone sms did not extract those fields. I also install Splunk Add-on for Unix and Linux and the fields are available now.

0 Karma

sfefcu
Path Finder

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...