All Apps and Add-ons

How do I get data into the splunk's security essentials app?

jcorkey
Explorer

I have an indexer with the security essentials app installed on it and I'm wondering what kind of data the security essentials app looks at? For example, the Linux auditd app looks at audit logs. So I am wondering how to get the right data into the security essentials app?

woodcock
Esteemed Legend

Make sure that you are using the very latest version of the app which has breakouts/searches based on sourcetype/data so you can turn your question inside out and ask I have this sourcetype./data, what content can I exploit? There has been a huge amount of work in this are in the latest releases so this is fully built-in now.

0 Karma

David
Splunk Employee
Splunk Employee

We just launched Splunk Security Essentials 2.0, which actually includes data onboarding guides for some of the top data sources. Many of the examples today that leverage Windows Security logs could be adapted to Linux logs -- if you want to get really deep, let me know, and we can hopefully help out. We'll be doing more enhancements to take advantage of Linux Auth data as well in the near future, so stay tuned.

0 Karma

pil321
Communicator

David - I'm having an issue defining the user field from the Windows Security logs. The Splunk TA for Windows is installed and the 'WinEventLog://Security' stanza is enabled. Is there a specific stanza(s) that needs to be enabled in addition to the Security one for the user field to be defined?

0 Karma

dbroggy
Path Finder

those onboarding guides are terrific. is there any way to export them all or will Splunk be providing a web resource for that outside of the app? thanks.

0 Karma

David
Splunk Employee
Splunk Employee

The official windows TA includes props.conf + transforms.conf that will define the user. Make sure that you have the TA installed on your SH, and it should work.

(For tons of detail, in props.conf there is a source::*:Security stanza that contains a REPORT-user_for_windows_security line. That line will invoke three stanzas in transforms.conf that define the user field. You shouldn't need to know any of that though -- just make sure that TA is on your search head, or your all-in-one instance.)

0 Karma

pil321
Communicator

My all-in-one instance is Linux. Should I install it anyway?

0 Karma

David
Splunk Employee
Splunk Employee

Yep! All the inputs are disabled, so it will just easily allow you to get the proper field extractions.

0 Karma

pil321
Communicator

Thanks David - that did the trick!

I had the app installed on the UFs only....once the app was installed on the server (plain out-of-the-box install....every setting disabled in inputs.conf) everything started working as advertised.

0 Karma

adonio
Ultra Champion

navigate to the app,
click on the "Data Source Check" button -> click "Start Searching" ->check the use cases on left and the "live data" column which represents data that exist in your environment.
kindly read through the full introduction and description of this app. this app provides examples for searches around security data and use cases.
there are close to 50 different use cases and plenty of different data sources this app takes into consideration.
what kind of security relevant data do you have today? do you bring it to splunk?
if not, time to bring it on and show the power of Splunk after exploring the Security Essentials App
good luck

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...