Splunk Enterprise Security

What data sources does Splunk for Enterprise Security require?


Specifically, what data sources does Splunk for Enterprise Security REQUIRE? What data sources are OPTIONAL? Is there a complete list somewhere? Thanks.

Splunk Employee

You could use the Use Case Library to see which data sources and source types map to certain types of use cases, based on what you want to do: 


Path Finder

Not close to a perfect solution but it works for me:

Run this query to get the rules and SPL:

| rest splunk_server=local count=0 /services/saved/searches |table title, search

Filter down just the titles with the word 'Rule' at the end of the title.

Ok so now you have the rule names and the spl for each.

Then I do some messy sed/awk/grep to extract the data models associated with each - this is optional.

Then I read each rule and it's usually not difficult to guess which log sources would probably work with those rules, e.g.:

if the rule starts with 'Access', I put os/auth/AD

Endpoint - endpoint (easy)

etc. etc.

There's ONLY about 350 rules so take some time and you'll at least have a decent short list to focus on.

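As an added example (not from the post above and not Splunk's own code), here is the same extraction step done in Python instead of sed/awk/grep: it takes rows shaped like the `| rest ... | table title, search` output, keeps only titles ending in "Rule", pulls the data model names out of each rule's SPL, and applies the prefix-to-source guesses from the post. The sample rows are constructed, not real ES correlation searches, and only the Access and Endpoint mappings come from the post; everything else is left unmapped.

```python
import re
from collections import Counter

# Constructed sample of what "| rest splunk_server=local count=0 /services/saved/searches
# | table title, search" might return. These are NOT real ES rule definitions.
SAMPLE_ROWS = [
    ("Access - Example Excessive Failed Logins - Rule",
     '| tstats summariesonly=true count from datamodel=Authentication.Authentication '
     'where Authentication.action="failure" by Authentication.src | where count > 20'),
    ("Endpoint - Example Multiple Infections - Rule",
     '| tstats summariesonly=true dc(Malware_Attacks.signature) as infections '
     'from datamodel=Malware.Malware_Attacks by Malware_Attacks.dest'),
    ("Network - Example Outbound To Watchlist - Rule",
     '| datamodel("Network_Traffic","All_Traffic") search | lookup watchlist dest'),
    ("Threat - Example Activity Detected - Rule",
     "| tstats count from datamodel=Threat_Intelligence by threat_match_value"),
    ("Access - Some Lookup Gen", "| inputlookup identities.csv"),  # not a rule: filtered out
]

# Prefix-to-source guesses taken from the post; any other prefix is left unmapped.
PREFIX_TO_SOURCES = {
    "Access": "OS auth logs / Active Directory",
    "Endpoint": "endpoint (host / AV / EDR logs)",
}

# Two common ways a data model is referenced in SPL: tstats "from datamodel=X.Y"
# and the datamodel("X","Y") command. The captured group is the top-level model name.
DM_PATTERNS = [
    re.compile(r'datamodel="?([A-Za-z_]+)'),
    re.compile(r'datamodel\(\s*"([A-Za-z_]+)"'),
]

def is_rule(title):
    """The post's filter: keep only titles whose last word is 'Rule'."""
    return title.rstrip().endswith("Rule")

def data_models(spl):
    """Distinct top-level data models referenced by one search string."""
    found = set()
    for pat in DM_PATTERNS:
        found.update(pat.findall(spl))
    return sorted(found)

def rule_domain(title):
    """ES titles look like '<Domain> - <Name> - Rule'; return the domain prefix."""
    return title.split(" - ", 1)[0].strip()

def summarize(rows):
    """One dict per rule: domain, data models used, and the guessed log sources."""
    out = []
    for title, spl in rows:
        if not is_rule(title):
            continue
        domain = rule_domain(title)
        out.append({"title": title, "domain": domain, "datamodels": data_models(spl),
                    "likely_sources": PREFIX_TO_SOURCES.get(domain, "unmapped: read the SPL")})
    return out

def datamodel_counts(rows):
    """How many rules depend on each data model: a quick 'what to onboard first' list."""
    return Counter(dm for r in summarize(rows) for dm in r["datamodels"])
```

Feeding it the real REST output (exported as CSV, then read into `rows`) gives the short list the post describes, with the data-model counts showing which sources unlock the most rules.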

Super Champion

Yeah, this is a great question... no good answers yet... So commenting it. Somebody please reply... thanks

Splunk Employee

Hi lesterw,

Sorry to give such a floppy answer, but it depends on what you want ES to do. You'll want to pull in at least one type of data for each of the domains that you want to cover. For instance, typically customers will have *nix and Windows data for the Access Protection domain at first, and then expand to database logins, and then expand to custom apps, badge readers, and who knows what else.

ES has domain coverage of the type I just discussed for account management, several endpoint and network technologies, and broader concepts like auditing and threat. To get more specific, I'd recommend checking out the docs.



As far as I know, there is no definitive list. However, referencing the docs, provided there is a technology add-on for it, it will be supported by the ES app (ref: http://docs.splunk.com/Documentation/ES/latest/Install/GetdataintoES), but this does not mean these are your only options... This describes how to add your own custom security events.

You should probably contact Splunk directly for more assistance with your requirements. Splunk is flexible in what it can do, so they will be able to advise you appropriately. It also requires a more unique set-up (rather than your standard use-case).