Splunk is a log aggregation and analysis tool that can also serve as a SIEM (Security Information and Event Management) product when the Splunk Enterprise Security app (in most cases simply referred to as Splunk ES) is installed. The Splunk Enterprise Security app provides prebuilt content, including correlation searches, to help security analysts streamline investigations within their IT environments. In this article, we will discuss the features that make Splunk Enterprise Security the high-powered SIEM tool that it is.

The first thing to know about Splunk Enterprise Security is that it runs on top of Splunk Enterprise (or Splunk Core). You need to have a mature, performant Splunk environment in place before you can reap the full benefits of Enterprise Security. Unlike some other Splunk server roles, the ES app requires its own dedicated search head. The minimum hardware specification to run ES efficiently is 16 CPUs and 32 GB of RAM on that search head. This needs to be paired with sufficient disk I/O and storage space at the indexing layer (a minimum of 800 IOPS random seek). Under the hood, ES is performing data model acceleration and correlation searches that are very resource-intensive, especially on CPU. You can read more about the recommended hardware requirements in Splunk's Enterprise Security documentation.

Getting Up and Running with Splunk Enterprise Security

Ok, so you have purchased Splunk Enterprise Security and you have the right hardware in place. The most important part of getting Splunk ES to work, and getting its prebuilt dashboards and other content to "light up", is ensuring that all your data is Splunk CIM (Common Information Model) compliant. The Common Information Model is Splunk's method of data normalization. Only events that have been normalized to the CIM will be included in the data models that are being accelerated, and all ES searches, dashboards, and reports use those data models to return results and events to users.

What work needs to go into making your data CIM compliant? Aditum's Professional Services engineers estimate that roughly 50% of the Apps and Technology Add-ons (TAs) on Splunkbase are already CIM compliant. For the half that is not, there is a bit of legwork required by an organization's Splunk Admin (or Aditum's Professional Services could be utilized). It could take anywhere from 30 minutes to a full day per data source to modify the logs to be CIM compliant. Our PS staff prefaces these estimates with "if the person knows what they are doing", and also notes that Aditum has built a library of Apps and TAs for common data sources (Palo Alto, Juniper, Checkpoint, Windows, etc.) that have been made fully CIM compliant. The majority of the time, this entails working with existing Splunk Apps and TAs and making modifications, as opposed to writing custom apps. The modifications include renaming fields, adding tags that are missing, fixing tags (tags translate log-speak into "plain English" for those not familiar with the logs, for instance NOC or SOC analysts), correcting data that may be in the wrong fields, and similar changes.

While CIM compliance is central to the use of Splunk Enterprise Security, it's worth noting that this data normalization, or what we'll call "data hygiene", is recommended by Aditum's Splunk Professional Services engineers even outside of Splunk ES, as it ensures that all fields coming into Splunk are consistent and, as a result, all users get the same use out of the data.

Another consideration with the data you are sending to Splunk in preparation for using Splunk Enterprise Security is the mix of data sources. Splunk ES tries to build a holistic view of your security infrastructure by conducting correlation searches across different data types. To get the most value out of Splunk Enterprise Security, you should have a good mix of data types including web, network traffic, vulnerability, authentication, etc. For example, if you only have network traffic data coming into Splunk, most of the prebuilt dashboards in ES will not populate: the data models that their searches run against will not be built, because the required data types are absent. If the data isn't available, ES can't help.

Splunk Enterprise Security and Correlation Searches

As mentioned, correlation searches are another big piece of how Splunk Enterprise Security functions. These are pre-packaged searches that (once enabled) run in the background to identify known threats, attacks, and some vulnerabilities.
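The field renaming, tag fixing and value mapping that the CIM-compliance work above describes, shown as a concrete set of Splunk .conf stanzas for the Authentication data model. This is an added example written for this page, not a stanza from Aditum's TA library or from any Splunkbase add-on; the sourcetype acme:vpn, the vendor field names srcip, dstip, username and result, and the result values OK and DENIED are invented for illustration, and the three files are shown together here although they live separately in the add-on's local directory.

```ini
# props.conf  (added example; hypothetical sourcetype, not a real vendor TA)
# Raw events are assumed to carry the vendor field names srcip, dstip,
# username and result, where result is "OK" or "DENIED".
[acme:vpn]
# Rename vendor fields to the CIM Authentication field names. FIELDALIAS is a
# search-time alias, so the original field names remain available as well.
FIELDALIAS-acme_vpn_cim = srcip AS src dstip AS dest username AS user
# Translate vendor result strings into the CIM action values "success"/"failure".
# Anything unexpected maps to "unknown" instead of being dropped, so it still
# shows up when you audit coverage of the data model.
EVAL-action = case(result=="OK", "success", result=="DENIED", "failure", true(), "unknown")
# The Authentication data model expects an app field; this log has none, so it
# is set to a constant that identifies the product.
EVAL-app = "acme_vpn"

# eventtypes.conf
# Eventtypes are evaluated after calculated fields, so action is usable here.
[acme_vpn_auth]
search = sourcetype="acme:vpn" action=*

# tags.conf
# The Authentication data model's root constraint is tag=authentication;
# without this tag the events never enter the accelerated data model, and no
# ES dashboard or correlation search built on that model will see them.
[eventtype=acme_vpn_auth]
authentication = enabled
```

Put these overrides in the add-on's local directory (or in a separate app) rather than editing its default files, so that an upgrade of the TA does not discard them; Splunk's local-over-default precedence is what makes that work. After the search head has reloaded the configuration and the acceleration window has passed, a quick coverage check is `| tstats summariesonly=true count from datamodel=Authentication where sourcetype="acme:vpn" by Authentication.action`. Because summariesonly=true counts only events already in the accelerated summary, a result of zero (or one that is only "unknown") tells you the normalization, not the search, is what needs fixing.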