I've been doing a lot with CIM normalization recently, and I didn't even realize that Elastic had a normalization schema. There are a lot of similarities, but generally the ECS has more detail fields for specific traffic types, which I think would be an improvement in my implementation. I also really like how the ECS combines all threat records into one table, rather than the two that CIM uses (Intrusion_Detection and Malware). My first reaction was that it would be hard to normalize, but even if it is, the extra information is really nice considering how many data sources are including MITRE and indicator information.

I guess the biggest question I have in my head right now is how to deal with AAA monitoring. I can't see how I would re-implement all the AAA alerting I've built over the last year in the ECS. The second question would be about monitoring cloud activities. The Cloud table in the ECS doesn't seem to have fields for a lot of the stuff I want to monitor, like operation and success or failure.

Anyway, that's my quick look.

The Splunk CIM datamodels are meant to normalize similar types of events into the same field sets and then make them available for accelerated aggregation queries. What that means is that I can have all my signature and behavioral detection events in one view that uses the same fields. Then to get data out, I can use the Splunk "tstats" command to query and aggregate information, such as by source address or source and destination pair, and then apply various tools like count, distinct count, minimum and maximum values, unique values, and averages and standard deviation.
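As an added example (not from the original post), here is the kind of tstats search the paragraph above describes: it pulls signature hits from the CIM Intrusion_Detection datamodel and malware detections from the CIM Malware datamodel, aggregates each with count, distinct count, min/max time and unique values, and then unions them into one per-destination view. It assumes both datamodels are accelerated (hence `summariesonly=true`) and uses the standard CIM field names (`IDS_Attacks.src`, `IDS_Attacks.dest`, `IDS_Attacks.signature`, `Malware_Attacks.dest`, `Malware_Attacks.signature`); the 24-hour window is an arbitrary choice.

```spl
| tstats summariesonly=true
    count AS events
    min(_time) AS first_seen
    max(_time) AS last_seen
    dc(IDS_Attacks.signature) AS distinct_signatures
    values(IDS_Attacks.signature) AS signatures
  FROM datamodel=Intrusion_Detection.IDS_Attacks
  WHERE earliest=-24h
  BY IDS_Attacks.src IDS_Attacks.dest
| rename IDS_Attacks.* AS *
| eval source_model="Intrusion_Detection"
| append [
    | tstats summariesonly=true
        count AS events
        min(_time) AS first_seen
        max(_time) AS last_seen
        dc(Malware_Attacks.signature) AS distinct_signatures
        values(Malware_Attacks.signature) AS signatures
      FROM datamodel=Malware.Malware_Attacks
      WHERE earliest=-24h
      BY Malware_Attacks.dest
    | rename Malware_Attacks.* AS *
    | eval source_model="Malware" ]
| stats sum(events) AS events
        min(first_seen) AS first_seen
        max(last_seen) AS last_seen
        dc(signatures) AS distinct_signatures
        values(signatures) AS signatures
        values(src) AS sources
        values(source_model) AS models
  BY dest
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

The `rename` steps strip the datamodel object prefix so both halves share the same field names before the final `stats`, which is what makes the union work without per-source special cases. Averages and standard deviation follow the same pattern on a numeric field, for example `avg(All_Traffic.bytes)` and `stdev(All_Traffic.bytes)` against `datamodel=Network_Traffic.All_Traffic`, grouped `BY All_Traffic.src All_Traffic.dest` for the source and destination pair view. Because `summariesonly=true` reads only the accelerated summaries, events that have not yet been summarized (or that fail the datamodel constraints) will be missing; drop that option, or run with `summariesonly=false`, when validating that a new data source is actually landing in the model.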