Splunk Enterprise Security

Enterprise Security ISA FWS Logs

aelliott
Motivator

We have some new logs we would like to import.
These logs seem to contain all the fields of network traffic, but it was requested to also show them as authentication. Is it best practice to tie in a given log with multiple Common Information Models? Or should everything be Network Or Authentication Or Web etc..

I was thinking definitely not as the "action" field would need to follow each model.

0 Karma
1 Solution

aelliott
Motivator

I've solved this question. The answer is, When the log contains events that are specifically authentication, then assign those events to authentication. Otherwise a Network Log should just be a network log.

View solution in original post

0 Karma

aelliott
Motivator

I've solved this question. The answer is, When the log contains events that are specifically authentication, then assign those events to authentication. Otherwise a Network Log should just be a network log.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!