Splunk Enterprise

How to make data event correlation automatic?

Jeewan
Explorer

Hello Guys, 

I have some doubt about data event correlation. i am getting events from different different security vendors like Area1 bitdefender, crowdstrike, cloudflare.  now i wants in my splunk the event correlation should happen automatically. suppose any incident happen in any endpoint it should correlate that event with other data sources as well. not sure how to achieve this 

or i am getting the events from different vendor so in some event the IP is listed as source IP in some event it listed computer IP to normalize it for all the data sources so it will be the same for all data sources. 

any lead will be appricatebale 

Thanks 

Jeewan 

Labels (2)
0 Karma

PaulPanther
Motivator

@Jeewan Regarding the data normalization part of your question you should check out Splunk Common Information Model (CIM)  Overview of the Splunk Common Information Model - Splunk Documentation

With that you should solve the first part your question.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...