Splunk Enterprise Security

Enterprise Security Suite

LCM
Contributor

Doc Question regarding ESS

I checked out (e.g. http://www.splunk.com/view/enterprise-security-suite/SP-CAAAE8Z). It says the 50 most common security based search correlations are build-in in the ESS app.

Is there some more specific doc around ESS, where I see what EXACTLY comes already with the app (e.g. what kind of checks are done, reporting, alerts, etc., etc.)

1 Solution

LCM
Contributor
Correlation Search                                      Domain

Anomalous Audit Trail Activity Detected                 audit
Anomalous New Listening Port                            endpoint
Anomalous New Processes                                 endpoint
Anomalous New Services                                  endpoint
Anomalous User Account Creation                         endpoint
Brute Force Access Behavior Detected                    access
Cleartext Password At Rest                              access
Completely Inactive Account                             access
Default Account Usage                                   access
Default Accounts At Rest                                access
Excessive Failed Logins                                 access
Expected Host Not Reporting                             audit
High Number of Hosts With Infection                     endpoint
High Number Of Infected Hosts                           endpoint
High Or Critical Priority Host With Malware             endpoint
Host With Excessive Number Of Listening Ports           endpoint
Host With Excessive Number Of Processes                 endpoint
Host With Excessive Number Of Services                  endpoint
Host With Multiple Infections                           endpoint
Inactive Account Usage                                  access
Insecure Or Cleartext Authentication                    access
Internet Proxy Server Activity                          network
Known Web Attacker Activity                             network
LogMeIn Activity                                        network
Old Malware Infection                                   endpoint
Personally Identifiable Information Detection           audit
PirateBay Activity                                      network
Policy Or Configuration Change                          network
Prohibited Process Detection                            endpoint
Prohibited Service Detection                            endpoint
RapidShare Activity                                     network
Recurring Malware Infection                             endpoint
SANS Block List Activity                                network
Should Timesync Host Not Syncing                        endpoint
Spyware Activity                                        network
Substantial Increase in an Event                        network
Substantial Increase in Port Activity (By Destination)  network
Tor Router Activity                                     network
Unapproved Port Activity Detected                       network
Unroutable Host Activity                                network
Vulnerability Scanner Detection (by event)              network
Vulnerability Scanner Detection (by targets)            network
Watchlisted Events                                      threat

Nearly 50, but happy so far! Further I got an ESS User Guide from Splunk - unfortunately, it's not public!?

View solution in original post

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

we've published the documentation now along with version 2.0 -- the current search listing may be found in the User's Manual. http://docs.splunk.com/Documentation/ES/latest/User/Overview

LCM
Contributor
Correlation Search                                      Domain

Anomalous Audit Trail Activity Detected                 audit
Anomalous New Listening Port                            endpoint
Anomalous New Processes                                 endpoint
Anomalous New Services                                  endpoint
Anomalous User Account Creation                         endpoint
Brute Force Access Behavior Detected                    access
Cleartext Password At Rest                              access
Completely Inactive Account                             access
Default Account Usage                                   access
Default Accounts At Rest                                access
Excessive Failed Logins                                 access
Expected Host Not Reporting                             audit
High Number of Hosts With Infection                     endpoint
High Number Of Infected Hosts                           endpoint
High Or Critical Priority Host With Malware             endpoint
Host With Excessive Number Of Listening Ports           endpoint
Host With Excessive Number Of Processes                 endpoint
Host With Excessive Number Of Services                  endpoint
Host With Multiple Infections                           endpoint
Inactive Account Usage                                  access
Insecure Or Cleartext Authentication                    access
Internet Proxy Server Activity                          network
Known Web Attacker Activity                             network
LogMeIn Activity                                        network
Old Malware Infection                                   endpoint
Personally Identifiable Information Detection           audit
PirateBay Activity                                      network
Policy Or Configuration Change                          network
Prohibited Process Detection                            endpoint
Prohibited Service Detection                            endpoint
RapidShare Activity                                     network
Recurring Malware Infection                             endpoint
SANS Block List Activity                                network
Should Timesync Host Not Syncing                        endpoint
Spyware Activity                                        network
Substantial Increase in an Event                        network
Substantial Increase in Port Activity (By Destination)  network
Tor Router Activity                                     network
Unapproved Port Activity Detected                       network
Unroutable Host Activity                                network
Vulnerability Scanner Detection (by event)              network
Vulnerability Scanner Detection (by targets)            network
Watchlisted Events                                      threat

Nearly 50, but happy so far! Further I got an ESS User Guide from Splunk - unfortunately, it's not public!?

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...