Additional Configuration for OMB
Do not enable acceleration on the '* Data Inventory' Data Models before configuring the macro settings below.
Note: '*' stands for each of the Data Inventory data models; see the table below for the full list.
OMB Data Inventory Setup
The OMB Data Inventory panels use the Data Inventory data models included in the app, which can be found under Settings > Data Models (under Knowledge). Run the following steps to set up the data models:
- Set Index Macros: Each Data Set uses a macro in its base search to define which index to search events in. Navigate to Settings > Advanced Search (under Knowledge) and select "Search Macros". Set each '*_indexes' macro listed under "Compliance Essentials" to the relevant index (e.g. index=windows_events).
- Choose which Data Models to Accelerate:
  a. Navigate to Settings > Data Models (under Knowledge).
  b. Click Edit > Edit Acceleration under Actions for each "* Data Inventory" Data Model.
  c. Select "Accelerate" and select the Summary Range.
The speed of summary creation depends on the number of events involved and the size of the summary range. You can track progress towards summary completion on the Data Models management page: expand the row of a Data Inventory data model and review the information that appears under ACCELERATION.
For more information on accelerated data models, see the Splunk Docs.
Add additional Sourcetypes to the "* Data Inventory" Data Models (Optional)
Custom sourcetypes can be added to a Data Model by following the steps below:
Creating an Eventtype
- Navigate to Settings > Eventtypes (under Knowledge)
- Create a new eventtype
- Set the destination app to "compliance_essentials", add a name, put the new sourcetype in the search string (e.g. sourcetype=wineventlog) and enter a tag (see the steps below for how to determine which tag to enter)
Linking an Eventtype to the "* Data Inventory" Data Models through Tags
- Navigate to Settings > Data Models (under Knowledge) > OMB Data Inventory
- Select the Dataset to link the eventtype to and copy the tag under "Constraints" (e.g. to add to Windows Security Logs, click Windows Security Logs under Vendor-Specific Data and copy the tag VendorSpecific-winsec).
- Add that tag in step 3 under "Creating an Eventtype"
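The same setup expressed as .conf stanzas, as an added example that is not part of the Compliance Essentials app: it covers the index macros and acceleration steps from "OMB Data Inventory Setup" and the eventtype/tag steps above. The macro names and the VendorSpecific-winsec tag come from this page; the app directory, index names, eventtype name and the data model stanza name are assumptions or placeholders.

```ini
# Added example, not shipped with the app. Files live under
# $SPLUNK_HOME/etc/apps/compliance_essentials/local/ (assumed app directory).
# Macro names and the VendorSpecific-winsec tag are from the page; index names,
# the eventtype name and the data model stanza name are constructed.

# --- macros.conf: step 1, set the *_indexes macros BEFORE enabling acceleration.
# The accelerated summary is built from the base search, so a macro changed
# afterwards means the summary must be rebuilt.
[Authentication_indexes]
definition = index=windows_events

[AntiVirus_or_AntiMalware_indexes]
definition = index=av_logs

# --- eventtypes.conf: "Creating an Eventtype". The search string only names the
# new sourcetype; the data model picks the events up through the tag below.
[custom_wineventlog]
search = sourcetype=wineventlog

# --- tags.conf: "Linking an Eventtype ... through Tags". The tag must be the one
# shown under Constraints of the target Dataset (here Windows Security Logs
# under Vendor-Specific Data, which references the tag VendorSpecific-winsec).
[eventtype=custom_wineventlog]
VendorSpecific-winsec = enabled

# --- datamodels.conf: step 2, enable acceleration last. <DATAMODEL_NAME> is a
# placeholder for the internal name of the "* Data Inventory" data model;
# the summary range below (7 days) is a constructed value.
[<DATAMODEL_NAME>]
acceleration = 1
acceleration.earliest_time = -7d
```

A Splunk restart or a debug/refresh is needed for local .conf edits to take effect, and the result can be checked afterwards under Settings > Data Models as described above.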
List of Data Inventory data models and associated macros that ship with Compliance Essentials
Data Model | Associated macro |
---|---|
Anti-Virus or Anti-Malware Data Inventory | AntiVirus_or_AntiMalware_indexes |
Application Data Inventory | Application_Data_indexes |
Application Load Balancer Inventory | Application_Load_Balancer_indexes |
Authentication Data Inventory | Authentication_indexes |
Configuration Management Data Inventory | Configuration_Management_indexes |
Database Server Data Inventory | DatabaseServer_indexes |
DLP Data Inventory | DLP_indexes |
DNS Data Inventory | DNS_indexes |
Email Data Inventory | Email_indexes |
Endpoint Detection and Response Data Inventory | Endpoint_Detection_and_Response_indexes |
Host Performance Data Inventory | Host_Performance_indexes |
IDS or IPS Alerts Data Inventory | IDS_IPS_indexes |
IP Address Assignment Data Inventory | IP_Address_Assignment_indexes |
Network Communication Data Inventory | Network_Communication_indexes |
Patch Management Data Inventory | Patch_Management_indexes |
System Logs Data Inventory | System_Logs_indexes |
Vendor-Specific Data Inventory | VendorSpecific_Data_indexes |
Vulnerability Detection Data Inventory | Vulnerability_Detection_indexes |
Web Application Firewall Data Inventory | Web_Application_Firewall_indexes |
Web Proxy Data Inventory | Web_Proxy_indexes |
Web Server Data Inventory | Web_Server_indexes |
Windows Group Management Data Inventory | Windows_Group_Management_indexes |