
Splunk ES

Splunk Enterprise Security

Splunk Enterprise Security (ES) gives the security practitioner visibility into security-relevant threats in today's enterprise infrastructure. It is built on the Splunk operational intelligence platform and uses its search and correlation capabilities so that users can capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve threats across the access, endpoint, and network protection domains.

  • About the ES solution architecture

  • Installing and upgrading to Splunk Enterprise Security 8x

Prerequisites

Before starting the installation, verify that your data is CIM-compliant (normalized) for all sources. Several methods are available, including:

  1. The "SA-cim_vladiator" app

  2. Add-ons documentation

  3. Lantern (Data Descriptors)

  4. Splunk Connect for Syslog (Sources)
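One way to run that check from the search bar, as an added example that is not from this page or from Splunk: per sourcetype, it counts how many events land in four CIM data models that ES correlation searches rely on (Authentication, Network_Traffic, Endpoint.Processes and Web are my choice; extend the list as needed) and compares that with the sourcetype's raw event count, so unmapped or partially mapped sources stand out. It uses whatever time range the time picker sets and works before data model acceleration is enabled.

```spl
| tstats summariesonly=false count FROM datamodel=Authentication BY sourcetype
| eval datamodel="Authentication"
| append [ | tstats summariesonly=false count FROM datamodel=Network_Traffic BY sourcetype
           | eval datamodel="Network_Traffic" ]
| append [ | tstats summariesonly=false count FROM datamodel=Endpoint.Processes BY sourcetype
           | eval datamodel="Endpoint.Processes" ]
| append [ | tstats summariesonly=false count FROM datamodel=Web BY sourcetype
           | eval datamodel="Web" ]
| eval _comment="One row per sourcetype and model so far; roll up to one row per sourcetype"
| stats sum(count) AS cim_events, values(datamodel) AS datamodels BY sourcetype
| eval _comment="Raw volume per sourcetype over the same time range, used as the denominator"
| append [ | tstats count WHERE index=* BY sourcetype
           | rename count AS raw_events ]
| stats sum(cim_events) AS cim_events, values(datamodels) AS datamodels, sum(raw_events) AS raw_events BY sourcetype
| eval cim_events=coalesce(cim_events, 0)
| eval cim_coverage_pct=round(100 * cim_events / raw_events, 1)
| eval verdict=case(cim_events=0, "not CIM-mapped: no add-on installed or tags missing",
                    cim_coverage_pct<50, "partially mapped: review eventtypes and tags",
                    1=1, "ok")
| sort - raw_events
| table sourcetype raw_events cim_events cim_coverage_pct datamodels verdict
```

A sourcetype with raw events but zero cim_events either has no add-on installed or its events carry none of the tags the listed models require; cim_coverage_pct can exceed 100 when one sourcetype feeds more than one model, which is still a pass.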

Installation

Required Apps/Addons

  • Splunk Security Essentials

  • Splunk Enterprise Security

  • Splunk ES Content Update

  • SA-Investigator for Enterprise Security

  • MITRE ATTACK App for Splunk

  • ES Choreographer & Documentation & SEC1441A

Optional

  • InfoSec App for Splunk

Configuration

  • Configure → General settings

    • Distributed Configuration Management

    • Domain Analysis

    • Large Email Threshold

    • Configure Microsoft 365 index

    • Top 1 million site source

  • Configure → All configurations → Data → CIM Setup

  • Configure → All configurations → Data → Assets and identities

    • Asset Lookups → New → LDAP Lookup

    • Identity Lookups → New → LDAP Lookup

    • Correlation Setup → Enable for all sourcetypes

  • Configure → Threat intelligence:

    • Threat intelligence sources

    • Proxy and parser settings → Parse domain from URL

  • Security Content → Content Management

    • Type: Event-based detection

  • Security Content → Security use case library

  • Search Macros

    • o365-index-value

    • aws-index-value

    • linux_auditd

    • linux_hosts

    • sysmon

    • admon

    • wineventlog_security

    • wineventlog_system

    • wineventlog_application

    • cisco_secure_firewall

    • linux_auditd_normalized_execve_process

    • linux_auditd_normalized_proctitle_process

    • normalized_service_binary_field

    • cisco_networks

    • o365_suspect_search_terms_regex

    • system_network_configuration_discovery_tools

    • appLocker

    • capi2_operational

    • certificateservices_lifecycle

    • powershell

    • printservice

    • remoteconnectionmanager

    • o365_suspect_search_terms_regex

    • crowdstrike_identities

    • crowdstrike_stream
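The index macros above only help if each one resolves to an index that actually holds data. As an added check that is not part of this page (the macro names are taken from the list above, the endpoint is the standard configs/conf-macros REST endpoint, and the classification rules are mine), this SPL reads each macro's definition, extracts the first index= it constrains, and joins it with eventcount to show whether that index has any events:

```spl
| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-macros
| search title IN (sysmon, admon, wineventlog_security, wineventlog_system, wineventlog_application,
                   powershell, printservice, capi2_operational, remoteconnectionmanager, appLocker,
                   linux_auditd, linux_hosts, cisco_secure_firewall, crowdstrike_stream, crowdstrike_identities)
| rex field=definition "index\s*=\s*(?<macro_index>[^\s\)]+)"
| eval macro_index=trim(macro_index, "\"")
| eval _comment="Classify the definition itself before looking at the data it points to"
| eval status=case(isnull(definition) OR definition="", "empty definition",
                   isnull(macro_index), "no index constraint: verify this is intended",
                   macro_index="*", "wildcard index: expensive and probably wrong",
                   1=1, "ok")
| eval _comment="eventcount returns events per index; join it on the index the macro resolves to"
| join type=left macro_index
    [ | eventcount summarize=false index=*
      | stats sum(count) AS events_in_index BY index
      | rename index AS macro_index ]
| eval status=if(status="ok" AND coalesce(events_in_index, 0)=0, "index empty or does not exist", status)
| table title eai:acl.app definition macro_index events_in_index status
```

A macro that constrains several indexes only gets its first one checked here, and an "ok" row says nothing about whether the events in that index are the expected sourcetype; that still needs a per-sourcetype check.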

Queries

Last notable per enabled correlation search (searches that never fired show as "Never seen!")

`notable` | search NOT `suppression`
| inputlookup append=t es_notable_events
| eval _comment="Alternative, simpler starting point for the two lines above: index=notable"
| append [
  | rest /servicesNS/-/-/saved/searches splunk_server=local
  | search action.correlationsearch.enabled=1 disabled=0
  | fields title
  | rename title AS search_name
  | eval _time=946688461 ]

| eval search_name=replace(search_name, "\S+ - (.+) - \S+$", "\1")

| stats sparkline, count, max(_time) AS last_seen, min(_time) AS first_seen by search_name

| eval _comment="Only active ones (those with the 946688461 = 2000-01-01 placeholder row appended above) will meet the following criteria"
| where first_seen=946688461

| eval days_missing=round((now()-last_seen)/86400)
| eval last_seen=strftime(last_seen, "%F")
| sort 0 +last_seen, -num(days_missing)

| eval count=if(last_seen="2000-01-01", 0, count)
| eval days_missing=case(last_seen="2000-01-01", "Never seen!", days_missing=0, "Today :)", 1=1, days_missing)
| eval last_seen=if(last_seen="2000-01-01", "Never seen!", last_seen)

| streamstats count AS ID

| table ID search_name sparkline days_missing last_seen

List all ES Correlation Searches

| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s*\\\"(?<Data_Model>\w+)"
| rex field=action.customsearchbuilder.spec "object\\\":\s*\\\"(?<Dataset>\w+)"
| rename
    action.correlationsearch.label AS Search_Name
    title AS Rule_Name
    eai:acl.app AS Application_Context
    description AS Description
    Data_Model AS Guided_Mode:Data_Model
    Dataset AS Guided_Mode:Dataset
    action.customsearchbuilder.enabled AS Guided_Mode
    search AS Search
    dispatch.earliest_time AS Earliest_Time
    dispatch.latest_time AS Latest_Time
    cron_schedule AS Cron_Schedule
    schedule_window AS Schedule_Window
    schedule_priority AS Schedule_Priority
    alert_type AS Trigger_Conditions:Trigger_Alert_When
    alert_comparator AS Trigger_Conditions:Alert_Comparator
    alert_threshold AS Trigger_Conditions:Alert_Threshold
    alert.suppress.period AS Throttling:Window_Duration
    alert.suppress.fields AS Throttling:Fields_To_Group_By
    action.notable.param.rule_title AS Notable:Title
    action.notable.param.rule_description AS Notable:Description
    action.notable.param.security_domain AS Notable:Security_Domain
    action.notable.param.severity AS Notable:Severity
| eval 'Guided_Mode:Enabled' = if(Guided_Mode == 1, "Yes", "No")
| eval 'Real-time_Scheduling_Enabled' = if(realtime_schedule == 1, "Yes", "No")
| table
    disabled,
    Search_Name,
    Rule_Name,
    Application_Context,
    Description,
    Guided_Mode:Enabled,
    Guided_Mode:Data_Model,
    Guided_Mode:Dataset,
    Search,
    Earliest_Time,
    Latest_Time,
    Cron_Schedule,
    Real-time_Scheduling_Enabled,
    Schedule_Window,
    Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When,
    Trigger_Conditions:Alert_Comparator,
    Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration,
    Throttling:Fields_To_Group_By,
    Notable:Title,
    Notable:Description,
    Notable:Security_Domain,
    Notable:Severity

Uninstall Splunk ES (Linux)

# Stop Splunk
/opt/splunk/bin/splunk stop

# Uninstall Splunk ES: remove the ES app, Mission Control, and the supporting (SA-*) and domain (DA-ESS*) add-ons
# Note: SA-* also matches add-ons that are not part of ES (for example SA-cim_vladiator), so review the match before deleting
cd /opt/splunk/etc/apps
rm -r SplunkEnterpriseSecuritySuite missioncontrol SA-* DA-ESS*

Troubleshoot

# KV Store log file (the KV store is backed by mongod)
cat /opt/splunk/var/log/splunk/mongod.log

# Permission: mongod refuses a key file that is readable by group or others, so the key must be owner-only and owned by the Splunk user
chmod 600 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key

Resources

Enterprise Security

Docs

  • Administer Splunk Enterprise Security

  • Manage internal lookups in Splunk Enterprise Security

  • Manage assets and identities in Splunk Enterprise Security

  • Manage UI issues impacting threat intelligence after upgrading Splunk Enterprise Security

  • Add intelligence to Splunk Enterprise Security

Lantern

  • Getting Started With Splunk Enterprise Security

  • Using threat intelligence in Splunk Enterprise Security

  • Configuring and optimizing Enterprise Security

  • Using Enterprise Security for security investigation and monitoring

  • Foundational Visibility

  • Cyber frameworks

  • Proactive Response

  • Optimized Experiences

Normalization

  • How to use the CIM data model reference tables

  • Use the CIM to normalize data at search time

  • Normalizing values to a common field name with the Common Information Model (CIM)
