Splunk Search

Splunk and Compliance

itsmevic
Communicator

Hello fellow Splunkers - I have a quick question. We have a few platforms in our environment that are reporting different counts on which machines have AV installed on them. I'd like to incorporate Splunk in the mix and search all three platforms so that I can run side-by-side analysis on the counts of these platforms. What would be the best way to do this?


gcusello
SplunkTrust

Hi @itsmevic,
in Splunk, 70% of the work is to know what to do and then 30% is to do it in Splunk.

In other words, the first thing is to write a clear requisite in a file to maintain during the life of the application:

  • the list of the servers to monitor (perimeter),
  • the list of logs to take and where they are stored (e.g. Kaspersky stores its logs in a special wineventlog, other antiviruses use files, etc...),
  • the list of interesting fields in logs (e.g. ComputerName, AV_Version, patch_level, etc...),
  • the information to display in dashboards (interesting fields),
  • the conditions to trigger alerts (frequency, time period, thresholds, etc...),
  • the specifics of the needed compliance reports.

When you have a clear idea of above, then the job in Splunk is easy:

  • in my mind you already have an installed Splunk Enterprise or Splunk Cloud and you have only to take data (if not, start from this point!),
  • you have to install a Universal Forwarder on each server to monitor (probably you already did),
  • then create a Technical Add-On (TA) containing the inputs.conf to take the logs you need for monitoring (see requirements),
  • when you have these logs in Splunk you have to create a search to find what you need (see requirements),
  • using the same search you can create a dashboard to display the status of your AV, an alert and eventually (for compliance) a report to send by email (see requirements).

I found that Splunk is one of the most fantastic solutions for compliance and I use it daily for this!

Ciao.
Giuseppe
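The search step gcusello describes, written out as an added example that is not part of the original thread. It assumes the TA's inputs.conf already lands the three platforms' AV events in an index named av_inventory with the sourcetypes av:platform_a, av:platform_b and av:platform_c (all hypothetical names), and that each event carries the machine name in either ComputerName or host:

```spl
index=av_inventory sourcetype IN ("av:platform_a", "av:platform_b", "av:platform_c") earliest=-24h
| eval host_key=lower(coalesce(ComputerName, host))
| stats dc(host_key) AS machines_with_av BY sourcetype

index=av_inventory sourcetype IN ("av:platform_a", "av:platform_b", "av:platform_c") earliest=-24h
| eval host_key=lower(coalesce(ComputerName, host))
| chart dc(sourcetype) AS seen OVER host_key BY sourcetype limit=0 useother=f
| fillnull value=0
| addtotals fieldname=platforms_reporting
| where platforms_reporting < 3
| sort platforms_reporting host_key
```

The first search gives the side-by-side headline numbers the question asks for (distinct machines per platform). The second explains the difference: it builds one row per machine with a 1 or 0 per platform and keeps only the machines that not all three platforms report, which is the list you actually have to reconcile. Normalising the name with lower(coalesce(...)) matters because the platforms rarely agree on case or on which field holds the hostname; without it the same machine is counted as two. Both searches can be saved as-is for the dashboard, the alert (for instance, trigger when the second search returns more rows than a threshold) and the scheduled compliance report.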

gcusello
SplunkTrust

Hi @itsmevic,
did the above answer solve your need?
If yes, please accept and/or upvote it; if not, give me additional info to continue to help you.

Ciao.
Giuseppe


to4kawa
Ultra Champion

It is very easy to understand. Thank you.
