Splunk Enterprise Security Training | Setting up data models to populate dashboards
ฝัง
- เผยแพร่เมื่อ 24 ก.พ. 2023
- Splunk Enterprise Security is an amazing SIEM tool that can simplify many of your security logs, but it is not as simple as just downloading the app and installing it on your splunk instance. This video playlist is dedicated to covering all of the details to setting up ES in you own environment. This is a video in a playlist and not intended to be watched alone.
This video covers on looking at a dashboard and finding the tstats commands that are populating those datamodels and trying to figure out what fields you need to have to make your logs fit inside the Common Information Model (CIM) Splunk data models.
This is a playlist and we strongly encourage you to watch the playlist for all of the videos on Enterprise security below.
• Splunk Enterprise Secu...
Join this channel to get access to early release of videos and exclusive training videos that will help make you L.A.M.E. ninja: / @lamecreations_guides
Great stuff! Do you have one on just Security Essentials?
I'll put it on my road map
@@lamecreations_guides thanks!
Hey man, I love your content. Thanks for sharing!! Is there a change you will be doing Cribl videos?
Funny you should say that. This week I have been creating almost nothing but cribl videos. Look for releases this week on how to install cribl, setup cribl, use it to get logs from a syslog server, and how to use it in place of syslog. They all should be released this week.
@@lamecreations_guides Thanks for responding to my comment. Your content is always top quality. I will have to look at the videos cribl for my lab. I keep consuming your content,
I just watched the anomaly detection video, that was great! Thanks so much!
Thank you for the contents you upload.
You are doing the cimming trough cribl but the thing is, you need to still create the eventtypes and the tags to actually get it in the datamodels. And the second thing is that you don't need to accelerate the datamodels when you are sending the data trough cribl with the extracted fields. When i do tstats all the fields besides (source, sourcetype and host) are showing the values. Correct me if i'm wrong.
you are correct. In my environment (and it sounds like yours) I send all my logs through cribl first so they become extracted and, yes as you pointed out accelerated. I do need to map the eventtype to my data and I have to turn off the setting to use accelerated data in ES, (the usesummarydate=true part of all of the queries, which can be turned off in settings). Yeah, cribl saves me massive processing because I am not accelerating data so I can run ES on a much smaller system that one normally can run ES. Nice catch.
I'm using Cribl now..
Hello,normally we don't need to create data models right as they are readily available with addons. Only we need to create data models for which data sources they are not available. Sorry I am new to this. Having little confusion. thanks
As a general rule, you don't want to create new data models. Any custom data models you use, will only be useful to you and your organization at best. leveraging existing data models allows you to benefit from other organization and splunk apps.
On Enterprise Security, in order to make any of the prebuilt dashboards work and any of the correlations searches, you will need your data to match those ES data models. This video is talking about how to match up network logs to network data models, etc. Hope this explanation helps.
If you have more questions, feel free to jump on my discord channel and we can discuss these topics in more detail.
Are you going to be at .conf23? Your videos are amazing!
I will be at .conf23. This channel actually got nominated for a Splunkie award. Thanks for the kind words.
@@lamecreations_guides Good! Everyone else sucks.