I encountered an interesting question from my client/security SME:
1. Which one is better: to have Splunk Security Essentials, or to retain Enterprise Security + Content Update?
2. Where are the detection rules kept in Splunk Security Essentials?
As far as I understand, the Splunk ES Content Update is quite easy to understand, and we can customise savedsearches.conf (the rules) to fit our environment. On the other hand, with Splunk Security Essentials we couldn't figure out where the rules exist or how to modify them.
Any ideas on how to get the detection rules of Splunk Security Essentials?
Also, what would be the future direction of these developments? We wanted to stick to one of them if possible.
First of all, they have different scopes:
Which is better?
ES has a cost, but it's surely better than Security Essentials and requires less development work, though it requires a Splunk specialist to install and configure.
If you need a SIEM, or if you have many use cases to develop and many logs to monitor, ES is better than Security Essentials, which requires development activities and doesn't give you all the features of ES.
To get the searches from Security Essentials, you only have to install it, and it gives you all the information you need to use the searches.
About future development, only Splunk can answer that! Anyway, ES is one of the most important components of the Splunk offering, so I'm sure that it will be improved; CU is an additional component of ES, so I think the same. Security Essentials is a free app that will probably be maintained and improved, but I'm not sure: there are other specialized Security Essentials apps that are at end of life (e.g. SE for Fraud).
I hope this answers all your questions.
Thanks Giuseppe. I've configured ES at the client site and it has all been working well for a few years. But in practice the client is not able to map everything to CIM, as a lot of effort is required and their core Splunk team cannot do all the application-style data, thus relying on the application team, who don't have an idea about CIM or Splunk fields.
This goes back to customising use cases, which is available in the backend (currently we couldn't figure out how to get the savedsearches/use cases from Splunk ES Content Update), to modify them to fit non-CIM fields.
I feel other large companies will also experience the same, as not everyone would be able to map all fields to CIM and has to rely on an SME providing a search based on the raw data, which they understand.
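An added example, not part of this thread and not Splunk's or ES Content Update's own code, illustrating the customisation question above. Splunk reads an app's rules from `<app>/default/savedsearches.conf` and merges `<app>/local/savedsearches.conf` over it, key by key within each stanza, with local winning; edits made directly in `default/` are lost on the next app upgrade, so a site-specific rewrite of a content-pack rule belongs in `local/`. The script parses both layers (including the trailing-backslash line continuations that long searches use), applies the layering, and reports which rules still depend on a CIM data model, since a `tstats ... from datamodel=` search returns nothing until that data is normalized. The stanza names, index names, field names and searches are constructed samples, and the app directory name is left as `<app>` because it is not stated in the thread.

```python
"""Parse Splunk savedsearches.conf layers and find rules that depend on CIM data models.

Added example: constructed stanzas, indexes and field names, not real content-pack rules.
"""
import re

# Constructed stand-in for <app>/default/savedsearches.conf as shipped by a content pack.
DEFAULT_SAVEDSEARCHES = r"""
[ESCU - Excessive Failed Logins - Rule]
search = | tstats count from datamodel=Authentication where Authentication.action=failure \
  by Authentication.src Authentication.user | rename Authentication.* as * \
  | where count > 10
enableSched = 1
cron_schedule = */10 * * * *

[ESCU - New Local Admin Account - Rule]
search = index=wineventlog EventCode=4720 | stats count by user src
enableSched = 0
"""

# Constructed stand-in for <app>/local/savedsearches.conf: only the keys that change.
# The rewritten search uses raw, non-CIM field names from a custom application log
# and keeps the schedule inherited from default/.
LOCAL_SAVEDSEARCHES = r"""
[ESCU - Excessive Failed Logins - Rule]
search = index=app_auth outcome=FAIL | stats count by client_ip login_name \
  | where count > 10
"""

DATAMODEL_RE = re.compile(r"\bdatamodel=\"?([A-Za-z_][A-Za-z0-9_]*)")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles '#'/';' comment lines, [stanza] headers and trailing-backslash continuations,
    which Splunk uses to split one long 'search = ...' value over several physical lines.
    """
    logical_lines, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:            # continue the previous logical line
            line = pending + " " + line.strip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        logical_lines.append(line)
    if pending is not None:
        logical_lines.append(pending)

    conf, stanza = {}, None
    for line in logical_lines:
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", s)
        if header:
            stanza = header.group(1)
            conf.setdefault(stanza, {})
        elif "=" in s and stanza is not None:
            key, _, value = s.partition("=")  # split on the first '=' only
            conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(default_conf, local_conf):
    """Apply Splunk's precedence: local/ keys override default/ keys, per stanza and per key."""
    merged = {name: dict(keys) for name, keys in default_conf.items()}
    for name, keys in local_conf.items():
        merged.setdefault(name, {}).update(keys)
    return merged


def effective_rules(default_text, local_text):
    """Parse both layers and return the rule set Splunk would actually run."""
    return merge_layers(parse_conf(default_text), parse_conf(local_text))


def scheduled_rules(conf):
    """Names of rules that are scheduled (enableSched=1) and carry a search string."""
    return sorted(n for n, kv in conf.items() if kv.get("enableSched") == "1" and "search" in kv)


def datamodel_dependencies(conf):
    """Map rule name -> sorted data model names its search reads via 'datamodel='.

    These rules silently return nothing until the relevant data is CIM-normalized.
    """
    deps = {}
    for name, kv in conf.items():
        models = sorted(set(DATAMODEL_RE.findall(kv.get("search", ""))))
        if models:
            deps[name] = models
    return deps


if __name__ == "__main__":
    shipped = parse_conf(DEFAULT_SAVEDSEARCHES)
    print("shipped rules needing CIM:", datamodel_dependencies(shipped))
    running = effective_rules(DEFAULT_SAVEDSEARCHES, LOCAL_SAVEDSEARCHES)
    print("scheduled after local override:", scheduled_rules(running))
    print("still needing CIM after override:", datamodel_dependencies(running))
```

Two caveats for anyone doing this in production. First, a `local/` override freezes that rule: later content-pack updates that change the shipped search no longer reach it, so diff the `default/` stanza against your override after each update. Second, rewriting the search is the last resort; where the raw fields are simply named differently, a `FIELDALIAS` in props.conf that aliases the raw field to its CIM name keeps the stock rule and the data model intact, which is exactly what SA-cim_validator is there to check.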
If your customers don't have the capabilities to CIM-normalize their data flows, it's an opportunity for your business!
Anyway, if the customers have only standard flows, you can use the TAs from the Splunk baseline and you won't have CIM compatibility problems.
If instead your customers have custom flows, you can use tools from the Splunk baseline to normalize these flows; I usually use SA-cim_validator (https://splunkbase.splunk.com/app/2968/) and Splunk Add-On Builder (https://splunkbase.splunk.com/app/2962/).
Remember we are talking about "custom" applications; my estimate is around 1200+ applications/sourcetypes, and understanding every bit and data type is not something the Splunk team at the client site is pursuing. Also, the format of the logs and the versions change all the time, and hence the small Splunk content team can never catch up. So it has to be outsourced to the application SME.
I'm an external consultant who is called only for important or urgent requirements, so I'm not fully into TA development these days. I've recommended a few options: the organisation should pursue logging standards such as JSON, so that at least key-value fields are present.
I understand, but CIM normalization is the base for ES and, I'd say, also for every correlation rule you create: if the customer doesn't correctly extract fields, they cannot use any search!
So my hint is a deep analysis of the data flows and planning of a CIM normalization; as I said, it could be an opportunity for you!