Splunk Enterprise Security

Endpoint Correlation Searches.

Albert_Cyber
Explorer

We are in the process of deploying our endpoint logging strategy. Right now, we are using CrowdStrike as our EDR. As far as I can tell if we wanted to use the logs collected by the CrowdStrike agent and forward that into Splunk we have to pay for the FDR license, which at the moment due to budget constraints we cannot.

When I look at the correlation searches that utilize the Endpoint Data model most of those detections are based on data that originates from Endpoint Detection and Response (EDR) agents. Since in our case we cannot utilize that data coming from CrowdStrike, could we use Sysmon instead to collect the data that we need to implement those corrections searches?

This is one of the use cases that I was interested in implementing

https://research.splunk.com/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/

Labels (1)
0 Karma

Laszlo_K13
New Member

Please check this addon:

https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About

Documentation says is CIM compatible:

"The Splunk Add-on for Sysmon allows a Splunk software administrator to create a Splunk software data input and CIM-compliant field extractions for Microsoft Sysmon."

If the addon feeds the Endpoint.Processes datamodel, then the use case you are interested in might work.

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...