What data sources does Splunk for Enterprise Security require?
Specifically, what data sources does Splunk for Enterprise Security REQUIRE? What data sources are OPTIONAL? Is there a complete list somewhere? Thanks.

You could use the Use Case Library to see which data sources and source types map to certain types of use cases, based on what you want to do:
Not close to a perfect solution but it works for me:
Run this query to get the rules and SPL:
| rest splunk_server=local count=0 /services/saved/searches |table title, search
Filter down just the titles with the word 'Rule' at the end of the title.
Ok so now you have the rule names and the spl for each.
Then I do some messy sed/awk/grep to extract the data models associated with each - this is optional.
Then I read each rule and it's usually not difficult to guess which logs sources would probably work with those rules - eg:
if the rule starts with 'Access', I put os/auth/AD
Endpoint - endpoint (easy)
etc. etc.
There's ONLY about 350 rules so take some time and you'll at least have a decent short list to focus on.
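The extraction step described above (pulling the data models out of each rule's SPL and guessing a log source per domain), written out in Python instead of sed/awk/grep. This is an added example, not code from the thread or from Splunk. It assumes the title/search rows from the REST query have already been exported (a CSV loader is included for that), uses constructed sample rows rather than real ES correlation searches, treats `datamodel=` and `datamodel:` as the only ways a search names a data model, and the domain-to-source map is a guess for illustration only.

```python
"""Build a data-source shortlist from exported ES saved-search definitions.

Added example, not code from the thread or from Splunk. It assumes you have
already run the REST query from the post (| rest ... /services/saved/searches
| table title, search) and exported the title/search pairs; the rows below
are CONSTRUCTED stand-ins for that export, and the search strings are
illustrative, not real ES correlation searches.
"""
import csv
import re
from collections import defaultdict

# Constructed sample rows shaped like the `title, search` output of the REST query.
SAVED_SEARCHES = [
    {"title": "Access - Brute Force Access Behavior Detected - Rule",
     "search": "| tstats `summariesonly` count from datamodel=Authentication "
               "where Authentication.action=failure by Authentication.src"},
    {"title": "Endpoint - Host With Multiple Infections - Rule",
     "search": "| tstats count from datamodel=Malware.Malware_Attacks "
               "by Malware_Attacks.dest"},
    {"title": "Network - Unusual Volume of Network Activity - Rule",
     "search": '| from datamodel:"Network_Traffic" | stats sum(bytes) by src'},
    {"title": "Threat - Threat List Activity - Rule",
     "search": "| tstats count from datamodel=Threat_Intelligence "
               "by Threat_Intelligence.threat_match_value"},
    {"title": "Audit - Events Per Day - Lookup Gen",  # not a rule: filtered out
     "search": "| tstats count where index=* by sourcetype | outputlookup events_per_day"},
]

# Heuristic map from the rule-name prefix (the ES domain) to the log sources the
# poster guesses at. These are assumptions for illustration, not an official list.
DOMAIN_SOURCES = {
    "Access": ["*nix auth logs", "Windows Security", "Active Directory"],
    "Endpoint": ["endpoint/AV/EDR"],
    "Network": ["firewall", "proxy", "IDS/IPS"],
    "Threat": ["threat-intel feeds plus whichever sources you correlate"],
}

# Two ways a data model shows up in SPL: `datamodel=Name[.Object]` (tstats)
# and `datamodel:"Name"` (the from command). Only the top-level model name is kept.
DATAMODEL_EQ = re.compile(r'datamodel\s*=\s*"?([A-Za-z_][\w.]*)"?', re.IGNORECASE)
DATAMODEL_COLON = re.compile(r'datamodel:\s*"?([A-Za-z_][\w.]*)"?', re.IGNORECASE)


def load_rest_csv(path):
    """Read a CSV export with title,search columns (e.g. exported from the search UI)."""
    with open(path, newline="") as fh:
        return [{"title": r["title"], "search": r["search"]} for r in csv.DictReader(fh)]


def is_rule(title):
    """ES correlation searches are named '<Domain> - <Name> - Rule'."""
    return title.strip().endswith("Rule")


def domain_of(title):
    """The text before the first ' - ' is the ES domain (Access, Endpoint, ...)."""
    return title.split(" - ", 1)[0].strip()


def datamodels_in(spl):
    """Return the sorted set of top-level data model names referenced by an SPL string."""
    names = set()
    for pattern in (DATAMODEL_EQ, DATAMODEL_COLON):
        for m in pattern.finditer(spl):
            names.add(m.group(1).split(".")[0])
    return sorted(names)


def build_shortlist(rows):
    """Map each rule title to its domain, data models and a guessed log-source list."""
    shortlist = {}
    for row in rows:
        if not is_rule(row["title"]):
            continue
        dom = domain_of(row["title"])
        shortlist[row["title"]] = {
            "domain": dom,
            "datamodels": datamodels_in(row["search"]),
            "likely_sources": DOMAIN_SOURCES.get(dom, ["unknown: read the SPL"]),
        }
    return shortlist


def rules_by_datamodel(shortlist):
    """Invert the shortlist: which rules can fire once a given data model is fed."""
    inverted = defaultdict(list)
    for title, info in shortlist.items():
        for dm in info["datamodels"]:
            inverted[dm].append(title)
    return {dm: sorted(titles) for dm, titles in inverted.items()}


if __name__ == "__main__":
    result = build_shortlist(SAVED_SEARCHES)
    for title, info in result.items():
        print(f"{title}\n  datamodels={info['datamodels']} sources={info['likely_sources']}")
    for dm, titles in rules_by_datamodel(result).items():
        print(f"{dm}: {len(titles)} rule(s)")
```

The inverted view from rules_by_datamodel is the useful part for prioritising onboarding: it shows how many rules become usable per data model, so a CIM-compliant Authentication or Network_Traffic feed can be weighed against the number of correlation searches it unlocks.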

Yeah, this is a great question. No good answers yet... so I'm commenting on it. Somebody please reply, thanks.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Hi lesterw,
Sorry to give such a floppy answer, but it depends on what you want ES to do. You'll want to pull in at least one type of data for each of the domains that you want to cover. For instance, typically customers will have *nix and Windows data for the Access Protection domain at first, and then expand to database logins, and then expand to custom apps, badge readers, and who knows what else.
ES has domain coverage of the type I just discussed for account management, several endpoint and network technologies, and broader concepts like auditing and threat. To get more specific, I'd recommend checking out the docs.
As far as I know, there is no definitive list. However, referencing the Docs, provided there is a technology add-on for it, it will be supported by the ES App (ref: http://docs.splunk.com/Documentation/ES/latest/Install/GetdataintoES), but this does not mean these are your only options... This describes how to add your own custom security events.
You should probably contact Splunk directly for more assistance with your requirements. Splunk is flexible in what it can do, so they will be able to advise you appropriately. It also requires a more unique set-up (rather than your standard use-case).
