Splunk Enterprise Security Part1

The document discusses Splunk indexes used by various apps and add-ons. It lists several non-system indexes used for different purposes like threat intelligence, audit data, endpoint protection, and more. It also mentions tools for deploying and configuring indexes and provides pointers for more documentation.

• Multiple storage paths
• Accelerated data models
• Data retention
• Bucket sizing
• Use of volume parameters

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.
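A worked indexes.conf fragment, added here as an example rather than taken from Splunk's own indexes.conf.example, showing how storage paths, volume parameters, data retention and bucket sizing come together for three of the ES indexes listed on this page (notable, risk and threat_activity). The volume names, filesystem paths, sizes and retention periods are assumed values; tune them to your own indexer tier.

```ini
# Added example (not Splunk's documentation): indexes.conf on the indexer tier.
# Comments in Splunk .conf files must be on their own line, not inline.

# Volumes: a fast tier for hot/warm buckets and a larger, slower tier for cold.
# maxVolumeDataSizeMB caps the total space used by every index on the volume.
[volume:es_hot]
path = /opt/splunk/var/lib/splunk/hot
maxVolumeDataSizeMB = 512000

[volume:es_cold]
path = /mnt/slow/splunk/cold
maxVolumeDataSizeMB = 4096000

# notable: keep notable events for a year (31536000 s) so investigations can
# look back. Buckets older than frozenTimePeriodInSecs roll to frozen and are
# deleted unless coldToFrozenDir or coldToFrozenScript is set.
# thawedPath cannot reference a volume, so it uses $SPLUNK_DB directly.
[notable]
homePath   = volume:es_hot/notable/db
coldPath   = volume:es_cold/notable/colddb
thawedPath = $SPLUNK_DB/notable/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 102400
maxDataSize = auto

# risk: risk modifier events; 90-day retention is enough for risk-based alerting
# windows in this assumed deployment.
[risk]
homePath   = volume:es_hot/risk/db
coldPath   = volume:es_cold/risk/colddb
thawedPath = $SPLUNK_DB/risk/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 51200
maxDataSize = auto

# threat_activity: higher event rate when many threat lists are enabled, so use
# auto_high_volume buckets (10 GB on 64-bit systems) and allow more hot buckets.
[threat_activity]
homePath   = volume:es_hot/threat_activity/db
coldPath   = volume:es_cold/threat_activity/colddb
thawedPath = $SPLUNK_DB/threat_activity/thaweddb
frozenTimePeriodInSecs = 15552000
maxTotalDataSizeMB = 204800
maxDataSize = auto_high_volume
maxHotBuckets = 10
```

Whichever of frozenTimePeriodInSecs or maxTotalDataSizeMB is reached first triggers the roll to frozen, so size the cap against the expected daily volume or retention will silently fall short of the configured period.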

Indexes by app

You might see additional or fewer indexes, depending on your capabilities and which apps you have installed. The following are non-system indexes.

App context                    Index                 Description
DA-ESS-AccessProtection        gia_summary           Summary index used by the Geographically Improbable Access panel on the Access Anomalies dashboard.
DA-ESS-ThreatIntelligence      ioc                   Unused in this release.
DA-ESS-ThreatIntelligence      threat_activity       Contains events that result from a threat list match.
SA-AuditAndDataProtection      audit_summary         Audit and Data Protection summary index.
SA-EndpointProtection          endpoint_summary      Endpoint protection summary index.
SA-NetworkProtection           whois                 WHOIS data index.
SA-ThreatIntelligence          notable               Contains the notable events.
SA-ThreatIntelligence          notable_summary       Contains a stats summary of notable events used on select dashboards.
SA-ThreatIntelligence          risk                  Contains the risk modifier events.
Splunk_DA-ESS_PCICompliance    pci                   If PCI is installed, contains the PCI event data.
Splunk_DA-ESS_PCICompliance    pci_posture_summary   If PCI is installed, contains the PCI compliance status history.
Splunk_DA-ESS_PCICompliance    pci_summary           If PCI is installed, contains the PCI summary data.
Splunk_SA_CIM                  cim_summary           Unused in this release.
Splunk_SA_CIM                  cim_modactions        Contains the adaptive response action events.
Splunk_TA_ueba                 ubaroute              Does not contain event data. Used behind the scenes for routing to your UBA target.
Splunk_TA_ueba                 ueba                  Contains UBA events.
SplunkEnterpriseSecuritySuite  sequenced_events      Contains sequenced event data, after the successful termination of a sequence template.

Add-ons can include custom indexes defined in an indexes.conf file. See About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Index deployment

Splunk Enterprise Security includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on. For more details, see Deploy add-ons included with Splunk Enterprise Security in this manual.
