Splunk Enterprise Security

Why cant Enterprise Security App see data from a specific index despite having correct tags?

att35
Builder

Hi,

When I search all indexed data against "Intrusion Detection" data model from Search & reporting app's context, Splunk can correctly identify data from Imperva and eStreamer both, based on the tags ids, attack.

alt text

But when I run the exact same search from context of Enterprise Security, only data from Imperva is returned. It does not see eStreamer data.

alt text

I have verified that under CIM Setup for "Intrusion Detection" data model, there are no restrictions on which indexes it can search.
Also, knowledge objects which are normalizing eStreamer data do have global permissions.

What else could we be missing?

Many Thanks,

~ Abhi

0 Karma
1 Solution

mdessus_splunk
Splunk Employee
Splunk Employee

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

wstopford
New Member

I downvoted this post because it doesn't even begin to answer the question. the new version in the comment is also incompatible with es and requires hacks to make it work

0 Karma

saadmalik83
New Member

Hey guys,

I faced the same issue after upgrading my ES from 4.0.0 to 4.5.2, i stopped getting the eStreamer data in ES.

Instead of cloning the objects and assigning them to Splunk_TA_sourcefire, i added the data source of eStreamer in the import app regex and it started working.

(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(eStreamer)

Thanks guys for all the help!

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Hello,

does your eStreamer app is imported by ES ?
See here for more details: https://answers.splunk.com/answers/252035/how-to-make-url-toolbox-available-from-the-splunk.html

att35
Builder

Thanks a ton. That was it.

We have both eStreamer app and the corresponding TA installed. There were few objects needed by data model which were missing in TA but present in the app(private to the app), so I had just made their permission global assuming that now ES should be able to see them. I did not know that ES by default is looking only for those TA's and SA's and the objects in eStreamer app wont be considered.

I cloned these objects and this time assigned the context to the TA Sourcefire, which is already part of the Regex ES looks for. This resolved the issue and now ES is able to see eStreamer sourcetype as well.

If I understand this correctly, the following three things should be in place for ES to successfully use data for correlation

** Events should be tagged as per CIM Data model requirements.
** Raw fields should be aliases as needed by the Data model
** Any Knowledge Objects used to normalize the data should be part of the Apps ES is checking for using the inputs.conf

Thanks again,

~ Abhi

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

att35
Builder

Thanks for the link.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...