At the moment, the servers are monitored on Splunk, but only Win Event Log:Security logs are being piped. I want to increase the monitoring capability to include Sysmon and PowerShell logging, but I do not want Sysmon logs from ALL servers to be indexed and searchable, unless a security event warrants a particular server to have its Sysmon indexed. I.e.:

1. All servers have Sysmon enabled.
2. Splunk's security analytics and detection queries run in the background to monitor the Sysmon; if there are any hits, it creates an alert on Splunk and the alert log is indexed.
3. The alert is sent to a case management system.
4. At the request of the security analyst, he can request to view the Sysmon of that particular server, and that server's Sysmon will be indexed on Splunk for the past 5 days.
5. The analyst will not be able to view Sysmon on Splunk for the rest of the servers that are not indexed, as it is unrelated to the security event. He can only index the Sysmon of a particular server IF he triggers that action from the case management system.
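As an added example (not part of the question above or any answer on this thread), one way to meet steps 1 to 5 with Splunk's own config files: collect Sysmon and PowerShell logs from every server, but because Splunk's scheduled detection searches can only run over data that has actually been indexed, index everything into a restricted index and open per-host visibility to the analyst role through a role search filter that the case-management integration rewrites when a case requests it. The index names, role names and hostnames are placeholders, and the case-management side (rewriting the filter via the roles REST endpoint) is assumed rather than shown.

```ini
# inputs.conf on every Windows universal forwarder (pushed from the deployment server)
# Sysmon and PowerShell are collected from ALL servers, but into restricted indexes.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = 1
index = sysmon_restricted
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = powershell_restricted
sourcetype = XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

# authorize.conf on the search head
# Service account that owns the scheduled detection searches (step 2): full read on
# the restricted indexes, so detections cover every server. Its alert actions write
# to the security_alerts index (placeholder), which analysts can read.
[role_detection_runner]
importRoles = user
srchIndexesAllowed = sysmon_restricted;powershell_restricted;security_alerts
srchIndexesDefault = security_alerts

# Day-to-day analyst role (steps 3 and 5): alerts and the existing Security log only,
# no access to the restricted indexes at all.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = wineventlog;security_alerts
srchIndexesDefault = security_alerts

# Case-scoped role (step 4): may read the restricted indexes, but the filter lets
# restricted events through only for hosts currently under investigation. The
# case-management integration rewrites the host list in srchFilter (for example
# through POST /services/authorization/roles/soc_analyst_case) when an analyst
# requests a server's Sysmon from a case. Because the data was indexed all along,
# "earliest=-5d" gives the 5-day lookback without any re-ingestion.
# SRV-WEB-01 and SRV-DB-02 are placeholder hostnames.
[role_soc_analyst_case]
importRoles = soc_analyst
srchIndexesAllowed = wineventlog;security_alerts;sysmon_restricted;powershell_restricted
srchIndexesDefault = security_alerts
# Inherited roles' filters are OR-ed by default, which would let an unrestricted
# parent filter override this one; "eliminating" mode ANDs them instead.
srchFilterSelecting = false
srchFilter = (index!=sysmon_restricted AND index!=powershell_restricted) OR host=SRV-WEB-01 OR host=SRV-DB-02
```

Removing a host from the filter again when the case is closed is the same rewrite in reverse, and an audit search over `index=_audit action=edit_roles` shows every change the integration made.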