- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Creating new notable events based on new inputs vi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Creating new notable events based on new inputs via Enterprise Security's correlation engine
Does anyone have any advice on how to use Splunk's pre-canned correlation searches within Enterprise Security and have events fire for incident review (notable event) based on new sourcetypes/data inputs? We have for example bit9 and bro logs coming into Splunk and I'd like to have some logic applied to these inputs for any anomalies, etc., so that analysts can look at this stuff while using the Enterprise Security app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Tyrone,
Logs that have sourcetype's applied, if their to be used with ES, would adhere to Splunk's CIM (Common Information Model).
As part of the CIM, tags will be added to the logs, that direct which part of ES (datamodels really) the logs apply to (eg, Endpoint, Network, etc..)
In theory, you can keep adding new sources of data, as long as your using CIM-compliant app's or TA's, ES should be making use of the data (if it's security relevant data that is..)
You can alway adjust the configs yourself, or even write your own TA or app, so ES processes the data as you prefer.
Or you could simply write your own correlation-searches, to process pre-CIM'ed data the way you want.
Hope it helps..
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the assist- really helpful. Any ideas on how to adjust the configs of these respective apps? Does the manipulation occur within ES, the app itself, or does it just depend on what you are trying to do?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem. Think of CIMing as preparing the data for ES to process correctly, then you can use either the built-in, or write your own correlation-searches, to apply the security logic you want.
CIMing is done in the app or TA. When you look for apps on Splunkbase (eg for Bro, Bit9, etc) look on the right column, and it'll list if it's CIM-compliant (and usually a CIM version, eg 4.7, etc..)
If it's not CIM compliant it wont work out of the box with ES until it's CIMed. Of course, it'll work with vanilla Splunk, but ES expects CIM'ed data.
Then to change your security logic, you can create your own correlation-searches to look for different security threats, or adjust the supplied ones. Remember, correlation-searches are just searches at heart.
Also you can adjust the workflow also in ES to suit your runbooks.
Some useful links..
http://docs.splunk.com/Documentation/CIM/4.7.0/User/UsetheCIMtonormalizedataatsearchtime
http://docs.splunk.com/Documentation/ES/4.6.0/Tutorials/CorrelationSearch
Cheers.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
