Hi there! I'm looking for a comprehensive list of report ideas for all of security, including management/metrics, operations, and compliance. Has anyone created such a list? Would you mind sharing? I'd like to see a long list or reports so I can help identify gaps in security posture. Thanks!!! ... View more

Hi there, Is it possible to search for windows interactive logons from the Authentication data model? eg. I can do it this way: index=* source="*WinEventLog:Security" LogonType=2 OR LogonType=10 OR LogonType=11 And I'm looking for an equivalent way using a data model eg: | tstats summariesonly=true count from datamodel=Authentication by Authentication.action Authentication.app Authentication.dest Authentication.signature Authentication.src Authentication.src_user Authentication.user |search <SOME LOGIC> Thank you! ... View more

I would really love to use  Campus Compliance Toolkit for NIST 800-171 But I have Splunk Cloud Enterprise. Splunkbase says version 1.0.2 works, but sadly Splunk support says it doesn't. Is there any chance others like this tool and have made it work? Or is there an alternative NIST reporting app out there (that doesn't require an annual license fee)? Thank you for your feedback. ... View more

I love the simplicity of SMFS Why was it discontinued? Security Essentials isn't really suited for the same purpose.   ... View more

Hi Everyone, I'm looking for some Splunk Enterprise Security tips, maybe in the form of a cheatsheeet. Specific topics of interest: 1. Recommended 'base apps' for ES, eg: CIM ESCU CIM-Validator lookup file editor knowledge object explorer more?? 2. Some sort of validator for apps/addons for all required sourcetypes, and info on which peer to install them on. eg. For Azure: SH - App and addon, HF - App and addon 3. And finally ways to quickly validate logs eg: use CIM Validator, pick a log source and match it to a datamodel - verify the required fields exist. if it fails, and the sourcetype is supposed to be CIM compliant, verify you've installed the appropriate app/addon on the SH and/or HF. or use queries like this to validate your logs, based on a table that matches the required fields: |datamodel Intrusion_Detection IDS_Attacks search|dedup sourcetype|rename IDS_Attacks.* as *|table sourcetype action category dest signature src user vendor_product I would greatly appreciate your feedback and better ways to validate your ES installation. Thanks. ... View more

There seem to be 3 apps for the scorecard: SA-ctf_scoreboard SA-ctf_scoreboard-master SA-ctf_scoreboard_admin But scoreboard and scoreboard-master have the same app title, so if you install both of them you end up with 2 'Capture the Flag' apps listed in Splunk. is SA-ctf_scoreboard obsolete? ... View more

There's supposed to be a list of questions that can be used with the BOTS data set. From what I've read you have to fill out the form in a link. I filled out the link form, but there's no clarity on how I get the questions after that's done. ... View more