Splunk ES Rules

It would be great if you could give me these rules and explain (or not) how they will work.

All OOB ES rules should be considered POC to help you get started and never be ready to produce. Your customer will only have a bad experience with OOB rules without any extra effort. This is in the nature of any SIEM tool. You'd better show the value of the product through a limited selection of highly effective rules, based on your available time.

The Splunk Enterprise Security (ES) application includes several correlation searches (rules, detections), but it is difficult to deploy them without fine-tuning (customization). I don't think any of the rules are ready to be put into production directly. See here for a dashboard matrix: docs.splunk.com/Documentation/ES/5.3.0/Admin/Dashboardrequirements

I've done this several times for customers, boom. Nothing is feasible. You can't even explain how the rules are triggered or what happens.

I've done the Splunk/ES thing now in 4 companies (working as an internal Splunk ninja) and in my experience, correlation rules need to be extremely adapted to the environment. If you happen to have really good CIM-compliant data (either through the data source's logs/MTs or because someone did the work to beautify it), out-of-the-box ES correlation searches are a good place to start, but it's only a starting point. You simply can't hang your hat on a decent monitoring and response program with a ready-made setup.

Be sure to consider the correlation rule logic of ES Content Updates (ESCU) and Splunk Security Essentials (SSE) when running your baseline assessment of use cases that need to start with customization and activation, as they could effectively extend the core rule set at no additional cost and better match your customers' use cases.

Hello dear Splunk Ninjas! I have a question. What ready-to-use rules can I offer my customers? They gave me a list of sources I could use in production, and they want to use ONLY ready-made rules. They don't want my colleagues and me to do correlation research. So my manager expects this project to take 3-4 months, and he wants to offer them a lot of rules. That's why he asked me to create the list of rules, but I don't have much experience in ES or SIEM. Again, these rules should be able to be added based on their sources.

Also check out the Security Essentials app, you may be able to set these rules as "out of the box" because Splunk has been pushing them so hard lately. Well.

My manager wants to give them a list of CS without data. In the meantime, based on the use cases, you need to be familiar with these sources. You have AD, but which logging should be enabled accordingly? And what about the volume of logs? Such things should also be taken into account.

Security sources: IPS, DLP, Email Security Gateway, Web Security Gateway, Sandbox, Vulnerability Scanner, Endpoint Security, NGFW, Privileged Session Management System, Access Control System, Web Application Firewall, OSSEC.

I agree with everyone not to run things by default, but the requirements are the requirements. Thank you! P.S. I found all the ES correlation searches ready to use. If you need it, I can send it to you!

Developing use cases based on needs is the only choice ;) After all, SIEM is not something like AV, you need to develop and maintain things further 😉

IT sources: Microsoft Active Directory, database, operating system, virtualization, network (routers, switches), web server

Is your team part of the managed service provider selling this to a customer? If I were the customer, I would be very frustrated to learn that the company I pay to build my ES facility has no experience with ES or SIEM tools in general. I think your manager is making some very important mistakes here and it will create a very bad relationship with your client.

This is especially useful for those who are constantly designing and deploying new detection content, and also provides guidance for those new to this field. Then, you may also be able to identify which CSs are likely to work based on their DMs. This is an attempt to contribute to the Splunk community with some simple yet powerful ideas that help users and customers write more effective SPL detection code. Crashes. Start with the ES Health Check after you have integrated all the data and normalized it accordingly.
