Splunk Enterprise Security

What data sources does Splunk for Enterprise Security require?

Explorer

Specifically, what data sources does the Splunk for Enterprise Security REQUIRE? What data sources are OPTIONAL? Is there a complete list somewhere? Thanks.


Re: What data sources does Splunk for Enterprise Security require?

Influencer

As far as I know, there is no definitive list. However, referencing the docs, provided there is a technology add-on for it, then it will be supported by the ES app (ref: http://docs.splunk.com/Documentation/ES/latest/Install/GetdataintoES), but this does not mean these are your only options... That page also describes how to add your own custom security events.

You should probably contact Splunk directly for more assistance with your requirements. Splunk is flexible in what it can do, so they will be able to advise you appropriately. It also requires a more unique set-up (rather than your standard use-case).


Re: What data sources does Splunk for Enterprise Security require?

Splunk Employee

Hi lesterw,

Sorry to give such a floppy answer, but it depends on what you want ES to do. You'll want to pull in at least one type of data for each of the domains that you want to cover. For instance, typically customers will have *nix and Windows data for the Access Protection domain at first, and then expand to database logins, and then expand to custom apps, badge readers, and who knows what else.

ES has domain coverage of the type I just discussed for account management, several endpoint and network technologies, and broader concepts like auditing and threat. To get more specific, I'd recommend checking out the docs.


Re: What data sources does Splunk for Enterprise Security require?

Champion

Yeah, this is a great question... no good answers yet. So I'm commenting on it... Somebody please reply. Thanks.