Splunk ES

Splunk Enterprise Security

Splunk Enterprise Security provides the security practitioner with visibility into security-relevant threats found in today's enterprise infrastructure. Splunk Enterprise Security is built on the Splunk operational intelligence platform and uses the search and correlation capabilities, allowing users to capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve the security threats across the access, endpoint, and network protection domains.

Prerequisites

Before initiating the installation process, it's important to verify if your data is CIM-compliant (normalization process) for all sources using multiple methods, including:

  1. The "SA-cim_vladiator" app

  2. Add-ons documentation

  3. Lantern (Data Descriptors)

  4. Splunk Connect for Syslog (Sources)

Installation

Required Apps/Addons

Optional

Configuration

  • Configure → General → General Settings:

    • Distributed Configuration Management (Download Splunk "helper" applications for distributed deployments)

    • Domain Analysis

    • Large Email Threshold

    • Microsoft 365

    • Top 1M Site Source

  • Configure → CIM Setup:

    • Alerts

    • Application State

    • Authentication

    • Certificates

    • Change Analysis

    • Change

    • Compute Inventory

    • Data Access

    • Databases

    • DLP

    • Email

    • Endpoint

    • Event Signatures

    • Interprocess Messaging

    • Intrusion Detection

    • JVM

    • Malware

    • Network Resolution

    • Network Sessions

    • Network Traffic

    • Performance

    • Ticket Management

    • Updates

    • Vulnerabilities

    • Web

  • Configure → Data Enrichment → Asset and Identity Management:

    • Asset Lookups → New → LDAP Lookup

    • Identity Lookups → New → LDAP Lookup

    • Correlation Setup → Enable for all sourcetypes

  • Configure → Data Enrichment → Threat Intelligence Management:

    • Sources → Enable | New --- Note: Needed to open the URLs (on firewall) for Search head to access all sources and download IoCs to keep it up to date.

    • Global Settings → Parse domain from URL

  • Configure → Content:

    • Content Management (Type: Correlation Search) → Enable | Create New Content

    • Use Case Library

Use Cases - Correlation Searches

  • DA-ESS-AccessProtection

  • DA-ESS-EndpointProtection

  • DA-ESS-IdentityManagement

  • DA-ESS-NetworkProtection

  • DA-ESS-ThreatIntelligence

  • SA-AccessProtection

  • SA-AuditAndDataProtection

  • SA-EndpointProtection

  • SA-IdentityManagement

  • SA-NetworkProtection

  • SA-ThreatIntelligence

SPL Qeury

| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches
      | search disabled=*
      | spath input=action.correlationsearch.metadata 
      | spath input=action.correlationsearch.annotations 
      | rename *{} AS * 
      | eval appVersion = 'eai:acl.app'.":".detection_version
      | rename action.correlationsearch.label AS title, eai:acl.app AS app, mitre_attack AS mitreTechnique, action.notable.param.security_domain AS security_domain, action.escu.eli5 AS description,action.escu.how_to_implement AS how_to_implement
      | search title!="" AND title!="*Experimental*"
      | where confidence >= 80 AND impact=100
      | table title analytic_story confidence impact security_domain how_to_implement description
Uninstall Splunk ES (Linux)
# Stop Splunk
/opt/splunk/bin/splunk stop

# Uninstall Splunk ES
cd /opt/splunk/etc/apps
rm -rf SplunkEnterpriseSecurity*
rm -rf SA-*
rm -rf DA-ESS*
Troubleshoot & Others
KV Store Logs file:
cat /opt/splunk/var/log/splunk/mongod.log

Permissions:
chmod 600 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key

Resrouces

Enterprise Security

Docs

Lantern

Normalization

PreviousSplunk DeploymentNextSyslog-ng

Last updated