I'm a Splunk ES novice. I would like to ask about best practices for ingesting data into ES.

1. I want to integrate Active Directory with ES to trigger something worth noting in Enterprise Security. I know I need an add-on, but there are a lot of add-ons for Active Directory on Splunkbase. So which add-on does Splunk officially recommend? Currently I want to integrate Splunk ES with Active Directory, Linux system logs (secure, messages, audit.log), network traffic, Oracle database, etc.

2. By default, which logs does Splunk Enterprise allow users to integrate so that they directly trigger interesting security events in ES (meaning I don't need to do too much configuration)?

3. For example, Splunk Enterprise Security has a built-in Oracle data model and TA, but the official documentation does not seem to tell me which Oracle log file I can integrate into Splunk ES.
Not fully true. If you have your data sources analysed and made them CIM compliant - https://splunkbase.splunk.com/app/1621/ (comes with ES) - and have enabled some of your required correlation searches (come out of the box), then yes, it can create notables.
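To make the answer concrete for one of the sources asked about (the Linux `secure` log), here is an added example, not taken from the original thread or from any Splunk add-on, of what "CIM compliant" means in practice: search-time field extractions and tags that map sshd login lines onto the CIM Authentication data model, followed by the kind of correlation search ES runs against that model. The sourcetype name `linux_secure`, the eventtype name `linux_ssh_auth`, the stanza names and the threshold of 20 failures are assumptions for illustration; the CIM field names (`action`, `app`, `src`, `dest`, `user`) and the `authentication` tag are what the Authentication data model expects.

```conf
# props.conf  (search-time, on the search head / ES)
# Assumed sourcetype: linux_secure. Sample line this is written against (constructed):
#   Failed password for invalid user bob from 10.0.0.9 port 51234 ssh2
#   Accepted publickey for alice from 10.0.0.5 port 51240 ssh2
[linux_secure]
# Pull the raw outcome, method, user and source address out of the sshd message
EXTRACT-ssh_auth = (?<auth_outcome>Accepted|Failed) (?<auth_method>\S+) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+)
# CIM wants the client address in "src"
FIELDALIAS-cim_src = src_ip AS src
# CIM "action" must be the literal values success / failure
EVAL-action = case(auth_outcome=="Accepted","success", auth_outcome=="Failed","failure")
# The authenticating application and the target host
EVAL-app = "sshd"
EVAL-dest = host

# eventtypes.conf  - name the events that belong in the data model
[linux_ssh_auth]
search = sourcetype=linux_secure ("Accepted " OR "Failed ")

# tags.conf  - the Authentication data model is populated by tag=authentication
[eventtype=linux_ssh_auth]
authentication = enabled

# savedsearches.conf  - a minimal correlation-style search over the accelerated
# data model (the real ES correlation searches carry extra notable/action settings).
# The 20-failure threshold and 15-minute window are assumed values.
[Assumed - Excessive SSH Failures by Source]
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication \
           where Authentication.action="failure" Authentication.app="sshd" \
           by Authentication.src, Authentication.user \
         | rename Authentication.* as * \
         | where count > 20
```

A quick check before enabling anything in ES: run `| datamodel Authentication Authentication search | search app=sshd | table _time action user src dest` over a recent window. If `action`, `user` and `src` come back populated for both success and failure lines, the data is CIM compliant and the out-of-the-box Authentication correlation searches (and the one above) can produce notables from it; if they come back empty, the extraction or the tag is wrong and no correlation search will fire no matter how much data is ingested.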