Splunk ES

Splunk Enterprise Security

Splunk Enterprise Security provides the security practitioner with visibility into security-relevant threats found in today's enterprise infrastructure. Splunk Enterprise Security is built on the Splunk operational intelligence platform and uses the search and correlation capabilities, allowing users to capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve the security threats across the access, endpoint, and network protection domains.

Prerequisites

Before initiating the installation process, it's important to verify if your data is CIM-compliant (normalization process) for all sources using multiple methods, including:

Installation

Required Apps/Addons

Optional

InfoSec App for Splunk

Configuration

Configure → General settings
- Distributed Configuration Management
- Domain Analysis
- Large Email Threshold
- Configure Microsoft 365 index
- Top 1 million site source
Configure → All configurations → Data → CIM Setup
Configure → All configurations → Data → Assets and identities
- Asset Lookups → New → LDAP Lookup
- Identity Lookups → New → LDAP Lookup
- Correlation Setup → Enable for all sourcetypes
Configure → Threat intelligence:
- Threat intelligence sources
- Proxy and parser settings → Parse domain from URL
Security Content → Content Management
- Type: Event-based detection
Security Content → Security use case library

List all ES Correlation Searches

| rest splunk_server=local count=0 /services/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" 
| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" 
| rename
    action.correlationsearch.label as Search_Name
    title as Rule_Name
    eai:acl.app as Application_Context
    description as Description
    Data_Model as Guided_Mode:Data_Model
    Dataset as Guided_Mode:Dataset
    action.customsearchbuilder.enabled as Guided_Mode
    search as Search
    dispatch.earliest_time as Earliest_Time
    dispatch.latest_time as Latest_Time
    cron_schedule as Cron_Schedule
    schedule_window as Schedule_Window
    schedule_priority as Schedule_Priority
    alert_type as Trigger_Conditions:Trigger_Alert_When
    alert_comparator as Trigger_Conditions:Alert_Comparator
    alert_threshold as Trigger_Conditions:Alert_Threshold
    alert.suppress.period as Throttling:Window_Duration
    alert.suppress.fields as Throttling:Fields_To_Group_By
    action.notable.param.rule_title as Notable:Title
    action.notable.param.rule_description as Notable:Description
    action.notable.param.security_domain as Notable:Security_Domain
    action.notable.param.severity as Notable:Severity
| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") 
| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") 
| table
    disabled 
    Search_Name,
    Rule_Name,
    Application_Context,
    Description,
    Guided_Mode:Enabled,
    Guided_Mode:Data_Model,
    Guided_Mode:Dataset,
    Search,
    Earliest_Time,
    Latest_Time,
    Cron_Schedule,
    Real-time_Scheduling_Enabled,
    Schedule_Window,
    Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When,
    Trigger_Conditions:Alert_Comparator,
    Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration,
    Throttling:Fields_To_Group_By,
    Notable:Title,
    Notable:Description,
    Notable:Security_Domain,
    Notable:Severity,

Uninstall Splunk ES (Linux)

# Stop Splunk
/opt/splunk/bin/splunk stop

# Uninstall Splunk ES
cd /opt/splunk/etc/apps
rm -r SplunkEnterpriseSecuritySuite missioncontrol SA-* DA-ESS*

Troubleshoot

# KV Store Logs file
cat /opt/splunk/var/log/splunk/mongod.log

# Permission
chmod 600 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key

Resrouces

Enterprise Security

Docs

Lantern

Normalization

PreviousSplunk Deployment NextSyslog-ng

Last updated 19 days ago

| rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" | rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" | rename action.correlationsearch.label as Search_Name title as Rule_Name eai:acl.app as Application_Context description as Description Data_Model as Guided_Mode:Data_Model Dataset as Guided_Mode:Dataset action.customsearchbuilder.enabled as Guided_Mode search as Search dispatch.earliest_time as Earliest_Time dispatch.latest_time as Latest_Time cron_schedule as Cron_Schedule schedule_window as Schedule_Window schedule_priority as Schedule_Priority alert_type as Trigger_Conditions:Trigger_Alert_When alert_comparator as Trigger_Conditions:Alert_Comparator alert_threshold as Trigger_Conditions:Alert_Threshold alert.suppress.period as Throttling:Window_Duration alert.suppress.fields as Throttling:Fields_To_Group_By action.notable.param.rule_title as Notable:Title action.notable.param.rule_description as Notable:Description action.notable.param.security_domain as Notable:Security_Domain action.notable.param.severity as Notable:Severity | eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") | eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") | table disabled Search_Name, Rule_Name, Application_Context, Description, Guided_Mode:Enabled, Guided_Mode:Data_Model, Guided_Mode:Dataset, Search, Earliest_Time, Latest_Time, Cron_Schedule, Real-time_Scheduling_Enabled, Schedule_Window, Schedule_Priority, Trigger_Conditions:Trigger_Alert_When, Trigger_Conditions:Alert_Comparator, Trigger_Conditions:Alert_Threshold, Throttling:Window_Duration, Throttling:Fields_To_Group_By, Notable:Title, Notable:Description, Notable:Security_Domain, Notable:Severity,