
Splunk Configuration Instructions #4

@6252906

Description

Hi,

We're trying to try out this tool, which looks like it could be very useful. We have data in a Splunk instance, which our CASCADE server is successfully authenticating against.

I understand that the next step for us is to normalise our sensor data using the CAR data model. However this appears to be easier said than done, because:

  • Our Splunk instance doesn't have the CAR Data Model created.
  • Our Splunk instance doesn't have any of the tags created which are used by the CASCADE server. (See example query below)
  • Our Splunk instance also doesn't understand the 'export' command, which I assume is a custom search command. (See example query below)

Example query:

tag=dm-process-create ( exe="sc.exe" AND command_line="* start *") | fields command_line current_directory duration exe fqdn hostname image_path integrity_level md5_hash parent_command_line parent_exe parent_image_path pid ppid sha1_hash sha256_hash sid terminal_session_id user | export add_timestamp=f add_offset=t segmentation=none

Are we missing something here - do we need to manually create the data models and tags, or are configuration scripts / a Splunk app available? What about the missing 'export' command?

Thank you in advance.
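The tag and the normalised field names that the query above relies on can be produced with ordinary Splunk knowledge objects (an eventtype, a tag on that eventtype, and field aliases/extractions in props.conf). The following is an added example and is not part of this issue or of the CASCADE project's own configuration. It assumes Sysmon process-creation events (Event ID 1) indexed under the sourcetype `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` with the standard Sysmon XML field names (`Image`, `CommandLine`, `ParentImage`, `Hashes`, ...); the eventtype name `cascade_process_create` is a placeholder. The custom `export` search command mentioned in the issue is not something this configuration supplies.

```ini
# --- $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf ---
# Assumption: Sysmon Event ID 1 (process create) lands under this sourcetype.
[cascade_process_create]
search = sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf ---
# Attach the tag the CASCADE query searches for (tag=dm-process-create)
# to every event matched by the eventtype above.
[eventtype=cascade_process_create]
dm-process-create = enabled

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf ---
# Map Sysmon field names onto the field names the query expects.
# FIELDALIAS keeps the original fields and adds the aliased names at search time.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-cascade_process = Image AS image_path CommandLine AS command_line ProcessId AS pid ParentProcessId AS ppid ParentImage AS parent_image_path ParentCommandLine AS parent_command_line CurrentDirectory AS current_directory User AS user IntegrityLevel AS integrity_level Computer AS hostname
# exe / parent_exe are the file names without the directory; split on the
# Windows path separator and keep the last element.
EVAL-exe = mvindex(split(Image, "\\"), -1)
EVAL-parent_exe = mvindex(split(ParentImage, "\\"), -1)
# Sysmon packs hashes into one field like "SHA1=...,MD5=...,SHA256=...";
# pull each algorithm out into its own field.
EXTRACT-cascade_md5 = MD5=(?<md5_hash>[0-9A-Fa-f]{32})
EXTRACT-cascade_sha1 = SHA1=(?<sha1_hash>[0-9A-Fa-f]{40})
EXTRACT-cascade_sha256 = SHA256=(?<sha256_hash>[0-9A-Fa-f]{64})
```

After reloading the configuration (or restarting Splunk), a search such as `tag=dm-process-create exe="sc.exe" | fields command_line exe pid ppid hostname` should return normalised rows; fields listed in the issue's query that Sysmon does not carry (for example `duration` or `terminal_session_id`) will simply be absent unless another data source or lookup supplies them.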
