cascade-server
Splunk Configuration Instructions
Hi,
We're trying to try out this tool, which looks like it could be very useful. We have data in a Splunk instance, which our CASCADE server is successfully authenticating against.
I understand that the next step for us is to normalise our sensor data using the CAR data model. However this appears to be easier said than done, because:
- Our Splunk instance doesn't have the CAR Data Model created.
- Our Splunk instance doesn't have any of the tags created which are used by the CASCADE server. (See example query below)
- Our Splunk instance also doesn't understand the 'export' command, which I assume is a custom search command. (See example query below)
Example query:
tag=dm-process-create ( exe="sc.exe" AND command_line="* start *") | fields command_line current_directory duration exe fqdn hostname image_path integrity_level md5_hash parent_command_line parent_exe parent_image_path pid ppid sha1_hash sha256_hash sid terminal_session_id user | export add_timestamp=f add_offset=t segmentation=none
Are we missing something here - do we need to manually create the data models and tags, or are configuration scripts / a Splunk app available? What about the missing 'export' command?
Thank you in advance.
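As an added illustration, and not configuration from this issue or from the CASCADE project itself: a Splunk tag such as the `tag=dm-process-create` in the query above is normally provided by standard Splunk knowledge objects (an eventtype, a tag on that eventtype, and field aliases). The sourcetype, the Sysmon EventCode 1 filter, and the field-alias mapping below are assumptions to be checked against the CAR data model, and this does not cover the custom `export` command.

```ini
# eventtypes.conf
# Assumed source: Sysmon process-creation events (EventCode 1) in the
# sourcetype written by the Windows/Sysmon add-on.
[cascade_process_create]
search = sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

# tags.conf
# Attach the tag the CASCADE query searches for to that eventtype, so that
# "tag=dm-process-create" matches these events.
[eventtype=cascade_process_create]
dm-process-create = enabled

# props.conf
# Alias raw Sysmon field names to the field names used in the query.
# The mapping is assumed; verify each alias against the CAR data model.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-cascade_process = Image AS image_path CommandLine AS command_line ParentImage AS parent_image_path ParentCommandLine AS parent_command_line ProcessId AS pid ParentProcessId AS ppid User AS user CurrentDirectory AS current_directory host AS hostname
# "exe" is the file name only: strip everything up to the last backslash.
EVAL-exe = replace(image_path, "^.*\\", "")
EVAL-parent_exe = replace(parent_image_path, "^.*\\", "")
```

After deploying, `tag=dm-process-create | fields exe command_line pid ppid` should return rows; if it returns nothing, check that the eventtype search itself matches before looking at the tag.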
Hi, how do you authenticate your Splunk to CASCADE? Please guide me, thanks.