Splunk Enterprise Security

Enterprise Security APP Indexers mapping

ahmedhassanean
Explorer

Dears,

I would like to know how I can choose which index to forward data to from my devices.

For example, if I would like to integrate Active Directory, Cisco and Juniper logs,

which index should I choose from the default indexes that came with the Enterprise Security app?

0 Karma
1 Solution

LukeMurphey
Champion

ES doesn't require data to be in a particular index in order to be searchable. Instead, ES performs its searches using data models (based on tags), as opposed to looking for data in particular indexes. This was done so that you could put your data in whatever indexes you like.

Put your data in a separate index when you want:

  1. To restrict access to the index (prevent certain people from searching it)
  2. To apply different retention policies (for example, put data you want to keep for 30 days in a different index than data you want to keep around for 90 days)

The key to getting ES to see your data is making sure that:

  1. The data you are ingesting has the correct sourcetype (matches what the TA expects, for example, making sure that your Juniper Netscreen data is sourcetyped "netscreen:firewall")
  2. You have the correct TAs deployed to handle that given data (you have "Splunk Add-on for Juniper" installed)
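The two points above map directly onto Splunk configuration. The following is an added illustration, not configuration from the answer or from Splunk's add-ons: it shows two indexes that differ only in retention, an input whose sourcetype is the one the Splunk Add-on for Juniper expects, a Windows Security event log input (which assumes the Splunk Add-on for Microsoft Windows is installed), and a role that can only search the network indexes. The index and role names are constructed; the retention periods are the 30 and 90 days mentioned in the answer.

```ini
# indexes.conf (on the indexers). Constructed example, not from the thread.
# The two indexes differ only in retention: buckets are frozen (deleted, unless
# a coldToFrozenDir is set) once their newest event is older than
# frozenTimePeriodInSecs. Splunk .conf files do not allow trailing comments
# on a key = value line, so every comment sits on its own line.

# 30 days = 2592000 seconds
[net_juniper_30d]
homePath   = $SPLUNK_DB/net_juniper_30d/db
coldPath   = $SPLUNK_DB/net_juniper_30d/colddb
thawedPath = $SPLUNK_DB/net_juniper_30d/thaweddb
frozenTimePeriodInSecs = 2592000

# 90 days = 7776000 seconds
[winevent_90d]
homePath   = $SPLUNK_DB/winevent_90d/db
coldPath   = $SPLUNK_DB/winevent_90d/colddb
thawedPath = $SPLUNK_DB/winevent_90d/thaweddb
frozenTimePeriodInSecs = 7776000

# inputs.conf (on the forwarder or syslog collector).
# The sourcetype is the one the Splunk Add-on for Juniper expects, so its
# field extractions and CIM tags apply; the index is entirely your choice.
[udp://514]
sourcetype = netscreen:firewall
index = net_juniper_30d
connection_host = ip

# Windows Security log from a domain controller; the Splunk Add-on for
# Microsoft Windows handles the XmlWinEventLog sourcetype this produces.
[WinEventLog://Security]
index = winevent_90d
renderXml = true

# authorize.conf (on the search head).
# A role restricted to the network indexes: the access-restriction case from
# the answer. The wildcard also covers network indexes created later.
[role_network_team]
importRoles = user
srchIndexesAllowed = net_*
srchIndexesDefault = net_*
```

After a restart, a search such as `| tstats count from datamodel=Network_Traffic by index, sourcetype` shows whether the Juniper events are reaching the CIM data model that ES dashboards read, regardless of which index they landed in. One caveat: if the CIM data models on the search head have been restricted to specific indexes in the CIM setup page, a newly created index has to be added to that list or the data model (and therefore ES) will not see it.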



koshyk
Super Champion

I wouldn't choose any default indexes. You need to plan your index names in line with your organisation structure. E.g. if my company is Amazon, then my index names would be like
amz_os_windows, amz_os_linux, amz_network_cisco, amz_network_juniper etc.

So in future, if you want to give access to the network team/role, you can give amz_network* to that role.

0 Karma

ahmedhassanean
Explorer

You are talking about default index names in the case where there is no app, but the case here is that the Security app has default indexers, and we must insert data into the correct indexer for the dashboards to populate data.

0 Karma

koshyk
Super Champion

The data can still be in the indexes you specified. All you need to do is use CIM standards and accurate sourcetypes, and ES will take them automatically.

0 Karma

ahmedhassanean
Explorer

So why are there default Indexes in Enterprise Security?

0 Karma

ekost
Splunk Employee

The indexes that ship with ES are created for internal use, and may be provided for supporting legacy installations that have upgraded from prior releases. As an example, when a notable event is generated by a correlation search, the results are written to the 'notable' index before being displayed in the Incident Review dashboard.

0 Karma

ahmedhassanean
Explorer

Many thanks for your support

0 Karma