
How to import McAfee data into Splunk May 3, 2012

Posted by alexoldman in Malware, Security.

I am a huge fan of Splunk. I still think it’s the most innovative system I’ve seen in the last 15 years.

Splunk Enterprise Security 2.0 (formerly called ESS, the Enterprise Security Suite) is a paid add-on to Splunk. It includes McAfee ePO (ePolicy Orchestrator) anti-virus data as an out-of-the-box data source. For a list of supported data sources see http://docs.splunk.com/Documentation/ES/latest/CreateTA/Out-of-the-boxsourcetypes

ES has many advantages, notably its correlation engine, which allows for better APT (Advanced Persistent Threat) detection: for example, rules that combine an infection or a halted AV service on a host with that same host's firewall and IDS/IPS activity, instead of alerting on each event in isolation.
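To make the correlation idea concrete, here is an added example (not Splunk search code, and not part of the original post) that applies such a rule in Python over a handful of constructed key=value events: an AV trigger (an infection, or the McShield service stopping) followed within 15 minutes by a firewall deny or IDS alert from the same host raises one alert, while an infection with no nearby network activity does not. The log format, host names, the `epo`/`fw`/`ids` source tags and the 15-minute window are assumptions made for the illustration, not McAfee ePO's real event schema.

```python
"""Correlate anti-virus events with firewall/IDS activity per host.

Added illustration of the kind of correlation rule the post describes.
This is not Splunk or ES code; the log lines below use a constructed
key=value format, not McAfee ePO's actual event schema.
"""
from __future__ import annotations

import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> key=value key=value ..."
# ws-104: infection, AV service stop, then firewall deny and IDS alert within minutes.
# ws-221: infection, but the only firewall event is hours later.
# ws-300: firewall deny with no AV event at all.
SAMPLE_LOGS = """\
2012-05-03T09:01:10 src=epo host=ws-104 event=infection threat=Trojan.Generic action=blocked
2012-05-03T09:02:40 src=epo host=ws-104 event=service_stopped service=McShield
2012-05-03T09:04:05 src=fw host=ws-104 event=outbound_deny dest=203.0.113.7 dport=4444
2012-05-03T09:05:00 src=ids host=ws-104 event=alert sig="ET TROJAN Possible C2 beacon"
2012-05-03T10:30:00 src=epo host=ws-221 event=infection threat=Adware.Foo action=cleaned
2012-05-03T13:45:00 src=fw host=ws-221 event=outbound_deny dest=198.51.100.9 dport=443
2012-05-03T14:00:00 src=fw host=ws-300 event=outbound_deny dest=192.0.2.5 dport=22
"""

AV_TRIGGERS = {"infection", "service_stopped"}   # assumed AV event names
NETWORK_SOURCES = {"fw", "ids"}                   # assumed source tags


def parse_line(line: str) -> dict:
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime.

    shlex.split keeps quoted values such as sig="..." together as one token.
    """
    ts, *pairs = shlex.split(line)
    event = {"time": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_logs(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events: list[dict], window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Raise one alert per host where an AV trigger is followed, within `window`,
    by firewall or IDS activity from the same host.

    Severity is "high" when the AV service itself stopped (a sign the malware is
    tampering with the agent), otherwise "medium".
    """
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        av = [e for e in evs if e["src"] == "epo" and e["event"] in AV_TRIGGERS]
        net = [e for e in evs if e["src"] in NETWORK_SOURCES]
        if not av:
            continue  # network events alone are not what this rule is for
        # A network event corroborates if it occurs after some AV trigger and
        # no later than `window` after it.
        corroborating = [
            n for n in net
            if any(timedelta(0) <= (n["time"] - a["time"]) <= window for a in av)
        ]
        if not corroborating:
            continue
        av_kinds = {a["event"] for a in av}
        alerts.append({
            "host": host,
            "severity": "high" if "service_stopped" in av_kinds else "medium",
            "av_events": sorted(av_kinds),
            "network_events": len(corroborating),
            "first_seen": av[0]["time"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Inside Splunk the same rule would be a scheduled search over the AV and firewall/IDS sourcetypes, grouped by host within a time window; the script only shows the shape of the rule outside the product, including the two negative cases (an isolated infection, and firewall noise with no AV event) that a naive "alert on any deny" search would get wrong.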

The other anti-virus add-ons shipped with ES 2.0 are TA-sep, which supports Symantec AntiVirus version 10 and earlier as well as Symantec AntiVirus 11 and later, and TA-trendmicro for Trend Micro.

I would hope that Splunk would see good sense in making the TA-McAfee more generally available, since their licensing is built on data volumes and not on features. But for the moment this is a niche requirement, with some really innovative technology that goes beyond “normal Splunk”. I understand why early adopters have to pay for this.

You can also create custom add-ons to ES for other anti-virus data sources. For information about creating technology add-ons for ES 2.0 see http://docs.splunk.com/Documentation/ES/latest/CreateTA/CreatingaTechnologyAdd-on