Splunk Enterprise Security

integrate splunk enterprise security with Active Directory, Linux system log etc. to detect security events best practices

bestSplunker
Contributor

Hi everyone,

I'm a Splunk ES novice. I would like to ask about best practices for ingesting data into ES.

for example:

1. I want to integrate Active Directory with ES to trigger something worth noting in Enterprise Security. I know I need an add-on, but there are a lot of add-ons for Active Directory on Splunkbase. So what is the add-on that Splunk officially recommends? Currently I want to integrate Splunk ES with Active Directory, Linux system logs (secure, messages, audit.log), network traffic, Oracle database, etc.

2. By default, which logs does Splunk Enterprise allow users to integrate so that they can directly trigger interesting security events in ES (meaning I don't need to do too much configuration)?

3. For example, Splunk Enterprise Security has a built-in ORACLE data model and TA, but the official documentation does not seem to tell me which ORACLE log file I can integrate into Splunk ES.

0 Karma

lakshman239
Influencer
  1. You can use https://splunkbase.splunk.com/app/3207/ to get all events from Active Directory. [This can also be configured to send Windows event logs (security/application/system) if you are not using the Splunk Add-on for Windows, https://splunkbase.splunk.com/app/742/.]
  2. Not fully true. If you have your data sources analysed and made them CIM compliant (https://splunkbase.splunk.com/app/1621/, which comes with ES) and have enabled some of your required correlation searches [they come out of the box], then yes, it can create notables.
  3. Are you talking about https://splunkbase.splunk.com/app/1910/#/details? There is no need to use the supplied TAs (the ones that come with ES) unless you have a strong reason. You can download and install the TAs which you need.
0 Karma

bestSplunker
Contributor

@lakshman239
About the first question: https://answers.splunk.com/answers/230222/how-to-integrate-splunk-for-enterprise-security-wi.html. This post has an accepted answer, "Splunk App for Windows Infrastructure". Since each person's recommended add-ons are different, which add-on component is Splunk's official preferred recommendation, in order to be more suitable for ES?

About the second question: is there a tutorial that tells me how to analyze the data step by step to make a CIM-compliant case?

About the third question: which Oracle log file do I need to monitor? I checked the configuration files of Splunk_TA_Oracle, and I didn't find a built-in inputs.conf.

0 Karma

lakshman239
Influencer

The above link takes you to the Windows Infrastructure app, which is an app that uses the data for dashboard monitoring and still needs other add-ons [like the one I have mentioned earlier]. Pls see the documentation https://docs.splunk.com/Documentation/MSApp/latest/MSInfra/AbouttheSplunkAppforMSInfrastructure (esp. the "How does it work", "Get Windows data" and "Active Directory data inputs" sections).

Use https://splunkbase.splunk.com/app/2968/ and associated docs for analysing and validating the data.

Oracle - it depends on what you need.

0 Karma
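Added example (not from this thread, and not the contents of any Splunk add-on) of what "analysing a source and making it CIM compliant", as discussed in the replies above, actually means for one of the logs named in the question, the sshd lines in Linux /var/log/secure. The sourcetype name `linux_secure`, the stanza names and the regex are assumptions written for this illustration; the sample log lines in the comments are constructed. The three pieces together are what lets an ES correlation search that reads the CIM Authentication data model (which requires `tag=authentication` plus the fields `action`, `user`, `src`, `dest`, `app`) see these events.

```ini
# props.conf (added example; sourcetype name and regex are assumptions for this illustration)
[linux_secure]
# Search-time extraction for sshd lines such as these constructed samples:
#   Jan 12 10:15:02 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
#   Jan 12 10:15:09 host1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
EXTRACT-sshd_auth = sshd\[\d+\]:\s+(?<status>Accepted|Failed)\s+(?<authmethod>\S+)\s+for\s+(invalid user\s+)?(?<user>\S+)\s+from\s+(?<src_ip>\S+)\s+port\s+(?<src_port>\d+)
# Map the raw fields onto the CIM Authentication field names ES expects.
FIELDALIAS-sshd_src = src_ip AS src
EVAL-action = if(status=="Accepted", "success", "failure")
EVAL-app = "sshd"
# The host that produced the log is the authentication target.
EVAL-dest = host

# eventtypes.conf (added example): identify the authentication events.
[linux_sshd_auth]
search = sourcetype=linux_secure sshd (Accepted OR Failed)

# tags.conf (added example): the tag is what binds the eventtype to the
# CIM Authentication data model, and therefore to ES's authentication
# correlation searches.
[eventtype=linux_sshd_auth]
authentication = enabled
```

To confirm the mapping worked, run a search such as `| datamodel Authentication Authentication search | table _time Authentication.user Authentication.src Authentication.dest Authentication.action` against a few minutes of data; failed logins from `/var/log/secure` should appear with `action=failure` and a populated `src`. Splunk's own add-ons ship their own versions of mappings like this, which is why the replies above point at installing the add-on first; the block only shows the moving parts you would inspect or add yourself if a field comes out empty.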