Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure data models

Splunk Enterprise Security leverages accelerated data models to populate dashboards and views and provide correlation search results. The data models are defined and provided in the Common Information Model app (Splunk_SA_CIM), which is included in the Enterprise Security installation. Enterprise Security also installs unique data models that only apply to ES content.

Data model acceleration search load

A data model is accelerated through a scheduled summarization search process initiated on the search head. The summarization search runs on the indexers, searching newly indexed data while using the data model as a filter. The resulting matches are saved to disk alongside the index bucket for quick access.

On Splunk Enterprise 6.3 and later, up to 2 simultaneous summarization searches can run per data model, per indexer. For more information, see Parallel summarization in the Capacity Planning Manual.

Data model acceleration storage and retention

Data model acceleration uses the indexers for processing and storage, placing the accelerated data alongside each index. To calculate the additional storage needed on the indexers based on the total volume of data, use the formula:

Accelerated data model storage/year = Data volume per day * 3.4

This formula assumes that you are using the recommended retention rates for the accelerated data models.

For example, if you process 100GB/day of data volume for use with Enterprise Security, you need approximately 340GB of additional space available across all of the indexers to allow for up to one year of data model acceleration and source data retention.

Configuring storage volumes

Data model acceleration storage volumes are managed in indexes.conf using the tstatsHomePath parameter. The data model acceleration storage path defaults to the Splunk Enterprise default index path of $SPLUNK_HOME/var/lib/splunk unless explicitly configured otherwise. The storage used for data model acceleration is not added to index sizing calculations for maintenance tasks such as bucket rolling and free space checks.

To manage the data model acceleration storage independently of index settings, you must define a new storage path with [volume:] stanzas. For an example of defining a volume and storing data model accelerations, see Configure size-based retention for data models summaries in the Knowledge Manager Manual.

Data model default retention

The data model retention settings are contingent on the use case and data sources. A shorter retention uses less disk space and requires less processing time to maintain in exchange for limiting the time range of accelerated data.

Data Model Summary Range Data Model Summary Range
Alerts All Time Application State 1 month
Assets And Identities (ES) None Authentication 1 year
Certificates 1 year Change Analysis 1 year
Databases None Data Loss Prevention 1 year
Domain Analysis (ES) 1 year Email 1 year
Incident Management (ES) All Time Interprocess Messaging 1 year
Intrusion Detection 1 year Inventory None
Malware 1 year Java Virtual Machines All Time
Network Resolution (DNS) 3 months Network Sessions 3 months
Network Traffic 3 months Performance 1 month
Risk Analysis (ES) All Time Splunk Audit Logs 1 year
Threat Intelligence (ES) All Time Ticket Management 1 year
Updates 1 year User and Entity Behavior Analytics (ES) All Time
Vulnerabilities 1 year Web 3 months

Use the CIM Setup page in the Splunk Common Information Model app to modify the retention setting for CIM data models. For more information, see Change the summary range for data model accelerations in the Splunk Common Information Model Add-on User manual. To change the summary range or other settings on a custom data model, manually edit the datamodels.conf provided with the app or add-on. For more information, see the datamodels.conf spec file in the Splunk Enterprise Admin manual.

Data model acceleration rebuild behavior

In Splunk Enterprise, if the configuration of the data model structure changes, or the underlying search that creates the data model changes, a complete rebuild of the data model acceleration will initiate. Enterprise Security modifies the default behavior by applying data model configuration changes to the latest accelerations only, and prevents the removal of the prior accelerations. The indexers will retain all existing accelerated data models with the prior configuration until the defined retention period is reached, or rolled with the index buckets.

  • Use the Data Models management page to force a full rebuild. Navigate to Settings > Data Models, select a data model, use the left arrow to expand the row, and select the Rebuild link.
  • To review the acceleration status for all data models, use the Data Model Audit dashboard.

Data model acceleration enforcement

Enterprise Security enforces data model acceleration through a modular input. To disable acceleration for a data model in ES:

  1. On the Splunk Enterprise toolbar, open Settings > Data inputs and select Data Model Acceleration Enforcement.
  2. Select a data model.
  3. Uncheck the Acceleration Enforced option.
  4. Save.

Common Information Model data models

For a list of the data models that are included in the Splunk Common Information Model Add-on, see What data models are included in the Common Information Model Add-on Manual.

Customized data models in Enterprise Security

In addition to the data models available as part of the Common Information Model add-on, Splunk Enterprise Security implements and uses custom data models.

Domain Analysis

The fields in the Domain Analysis data model describe data generated by the whois modular input. This data model does not employ any tags.

Object name Field name Data type Description
All_Domains created time The date when the domain was registered.
All_Domains expires time The date when the domain will expire.
All_Domains retrieved time The date when the domain information was retrieved.
All_Domains tag string Tags associated with the domain analysis events.
All_Domains updated time The date when the domain registration was updated.
All_Domains domain string The domain or IP that was scanned.
All_Domains nameservers string The list of authoritative name servers for the domain.
All_Domains registrant string The name of the organization or individual that registered the domain name with the registrar.
All_Domains registrar string The name of the organization or individual that maintains the domain name registration.
All_Domains resolved_domain string The domain name that a scanned IP address resolved to.

Identity Management

The fields in the Identity Management data model describe data generated by the asset and identity framework in Enterprise Security. This data model does not employ any tags.

Object name Field name Data type Description
All_Assets:Expected_Assets For a list of fields, see the topic Asset lookup fields in the Enterprise Security User manual. Various Assets expected to splunk data.
All_Assets:Should_Timesync_Assets Assets expected to splunk data.
All_Assets:Should_Update_Assets Assets that should update.
All_Assets:Requires_AV_Assets Assets that require antimalware.
All_Identities:High_Critical_Identities For a list of fields, see the topic Identity lookup fields in the Enterprise Security User manual. Various High or critical priority identities.
All_Identities:New_Identities New identities.
All_Identities:Expired_Identities Identities that have an expiration defined.
All_Identities:Watchlisted_Identities Watch listed identities.
All_Identities employedDays eval A calculated field based upon the identity startDate field.
Expired_Identity_Activity src_user string The source user name.
Expired_Identity_Activity src_user_endDate time The source identity's end date.
Expired_Identity_Activity user string The source user name.
Expired_Identity_Activity user_endDate time The source identity's end date.
Expired_Identity_Activity expired_user string The user that was identified as being expired (either src_user or user)


Incident Management

The fields in the Incident Management data model describe data generated by the notable event framework in Enterprise Security. This data model does not employ any tags.

Object name Field name Data type Description
Notable_Events_Meta tag string Splunk tags associated with the notable event.
Notable_Events_Meta rule_id string The rule_id of the notable event
Notable_Events_Meta orig_tag string Splunk tags associated with the original events that contributed to the notable event
Notable_Events rule_name string The rule name of the notable event
Notable_Events owner string The splunk id of the owner of the notable event.
Notable_Events owner_realname string The splunk real name of the owner of the notable event.
Notable_Events security_domain string The security domain of the notable event.
Notable_Events status string The status id of the notable event.
Notable_Events status_label string The status label of the notable event
Notable_Events status_group string The status group of the notable event.
Notable_Events tag string Splunk tags associated with the notable event.
Notable_Events urgency string The urgency of the notable event.
Notable_Events dest string The dest of the notable event.
Notable_Events src string The src of of the notable event.
Suppressed_Notable_Events rule_name string The rule_name of the suppressed notable event.
Suppressed_Notable_Events security_domain string The security_domain of the suppressed notable event.
Suppressed_Notable_Events suppression string The name of the suppression that suppressed this notable event.
Suppressed_Notable_Events tag string Splunk tags associated with the suppressed notable event.
Suppressed_Notable_Events urgency string The urgency of the notable event.
Suppressed_Notable_Events dest string The dest of the notable event.
Suppressed_Notable_Events src string The src of the notable event.
Incident_Review _time time The time of the review.
Incident_Review comment string The review comment.
Incident_Review owner string The owner of the notable event.
Incident_Review reviewer string The reviewer of the notable event.
Incident_Review rule_id string The rule_id of the notable event
Incident_Review status_label string The status_label of the notable event
Incident_Review status_group string The status_group of the notable event
Correlation_Search_Lookups.Notable_Owners owner string The splunk user id of a potential notable owner.
Correlation_Search_Lookups.Notable_Owners owner_realname string The splunk user real name of a potential notable owner.
Correlation_Search_Lookups.Notable_Owners owner string The splunk user id of a potential notable owner.
Correlation_Search_Lookups.Security_Domains security_domain string The security domain label.
Correlation_Search_Lookups.Security_Domains is_enabled string Whether or not the security domain is enabled.
Correlation_Search_Lookups.Security_Domains is_expected string Whether or not the security domain is expected.
Correlation_Search_Lookups.Security_Domains is_ignored string Whether or not the security domain is ignored.
Notable_Event_Suppressions.Suppression_Audit action string The action performed on the suppression (enable/disable.)
Notable_Event_Suppressions.Suppression_Audit signature string The signature of the suppression audit event.
Notable_Event_Suppressions.Suppression_Audit status string The status of the suppression audit event (success/failure.)
Notable_Event_Suppressions.Suppression_Audit suppression string The name of the suppression
Notable_Event_Suppressions.Suppression_Audit user string The user who performed the CRUD operation on suppression.
Notable_Event_Suppressions.Suppression_Audit_Expired signature string The signature of the suppression audit event.
Notable_Event_Suppressions.Suppression_Audit_Expired suppression string The name of the suppression.
Notable_Event_Suppressions.Suppression_Eventtypes start_time time The start time of the suppression.
Notable_Event_Suppressions.Suppression_Eventtypes end_time time The end time of the suppression.
Notable_Event_Suppressions.Suppression_Eventtypes description string The description of the suppression.
Notable_Event_Suppressions.Suppression_Eventtypes disabled boolean If the suppression is enabled or disabled.
Notable_Event_Suppressions.Suppression_Eventtypes search string The notable event suppression search.
Notable_Event_Suppressions.Suppression_Eventtypes suppression string The notable event suppression name.

Risk

The fields in the Risk data model describe data generated by the risk framework in Enterprise Security. This data model does not employ any tags.

Object name Field name Data type Description
All_Risk creator string If the modifier was created adhoc, this is the splunk user id that created the modifier.
All_Risk tag string Splunk tags associated with the risk modifiers.
All_Risk description string The description of the risk modifier as specified by the creator or the saved search.
All_Risk risk_object string The object for which the risk modifier applies.
All_Risk risk_object_type string The type of object for which the risk modifier applies (system, user, other.)
All_Risk risk_score number The risk score associated with the risk modifier.

Threat Intelligence

The fields in the Threat Intelligence data model describe data generated by the threat intelligence framework in Enterprise Security. This data model does not employ any tags.

Object name Field name Data type Description
Threat_Activity dest_bunit string The destination asset business unit.
Threat_Activity dest_category string The destination asset category.
Threat_Activity dest_priority string The destination asset priority.
Threat_Activity src_bunit string The source asset business unit.
Threat_Activity src_category string The source asset category.
Threat_Activity src_priority string The source asset priority.
Threat_Activity threat_match_field string The name of the field for which we found a threat match.
Threat_Activity threat_match_value string The value we matched on.
Threat_Activity threat_collection string The collection of intelligence we matched on.
Threat_Activity threat_collection_key string The kvstore key of the intelligence we matched on.
Threat_Activity threat_key string The key for the threat attribution associated with the intelligence we matched on.
Threat_Activity dest string The destination of the event that we matched on.
Threat_Activity orig_sourcetype string The original sourcetype of the event we matched on.
Threat_Activity src string The source of the event that we matched on.

This datamodel also contains all of the fields in the threat intelligence KVStore collections.

User and Entity Behavior Analytics

The fields in the UEBA data model describes the data communicated by Splunk UBA for use in Enterprise Security. This data model does not employ any tags.

Object name Field name Data type Description
All_UEBA_Events action string The recommended action to take in response to a threat in Splunk UBA.
All_UEBA_Events app string A multi-value attribute with the names of all the applications associated with the anomaly or threat.
All_UEBA_Events uba_event_id string The internal id for an anomaly or threat in Splunk UBA.
All_UEBA_Events uba_event_type string An anomaly or threat.
All_UEBA_Events category string The category or categories associated with an anomaly.
All_UEBA_Events description string The long description of an anomaly.
All_UEBA_Events dvc string A multi-value attribute with the names of all devices associated with an anomaly or threat.
All_UEBA_Events link string The link to view the anomaly or threat in Splunk UBA.
All_UEBA_Events sender string The Splunk UBA host IP address or name.
All_UEBA_Events sender_id number A value from 1 to 10.
All_UEBA_Events severity string The severity level of an anomaly or threat. Based on the risk score in Splunk UBA.
All_UEBA_Events signature string The internal name of a threat or anomaly.
All_UEBA_Events threat_category string The category of a threat in Splunk UBA.
All_UEBA_Events user string A multi-value attribute with the names of all users associated with an anomaly.
All_UEBA_Events url string A multi-value attribute with the names of all domains associated with an anomaly.
All_UEBA_Events uba_time time The time the anomaly or threat was forwarded to Enterprise Security.
All_UEBA_Events modify_time time The time an anomaly or threat was last modified by Splunk UBA.
All_UEBA_Events start_time time The time an anomaly or threat was first identified by Splunk UBA.
All_UEBA_Events.UEBA_Anomalies uba_model time The name of the Splunk UBA model that detected the anomaly.
All_UEBA_Events.UEBA_Anomalies uba_model_version string The version of the Splunk UBA model that detected the anomaly.
Last modified on 15 December, 2016
Configure users and roles   Planning an upgrade

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters