ES Helper Overview
ES Helper
Splunk Enterprise Security (ES) is a powerful tool that can help organizations achieve a clearer picture of their security posture, perform advanced threat detection, and rapidly investigate and respond to threats. However, to truly realize the value of Splunk Enterprise Security you must ensure that you are ingesting the data sources required to populate the ES dashboards. Without the appropriate data onboarded into your Splunk implementation, ES cannot deliver the value that it should. More importantly, identifying the data sources and prioritizing which data should be brought in first is typically where customers get stuck when attempting to implement ES. A stalled ES implementation wastes valuable time and leaves your organization in a vulnerable state for longer.
Atlas ES Helper is designed to provide you with expert guidance for achieving a successful ES deployment by helping you to identify the data sources that are required to get the real value out of Splunk’s Enterprise Security platform. ES Helper tracks your progress and provides a scoring mechanism that will show you the health of your ES deployment by analyzing your Splunk system.
ES Helper Capabilities
Provides a health score that measures how well your Enterprise Security deployment is populated with actionable data
Provides an automated recommendations report that suggests which data sources to onboard next, based on coverage gaps and the priority of the use cases they support
Provides a report that identifies where data is currently being utilized in an ES deployment
Identifies unaccelerated data models that can cripple alert search speeds
Installation Overview
This document contains the steps required to install the Atlas "ES Helper" application for non-Splunk Cloud customers. ES Helper utilizes Splunk's REST API with the assumption that prerequisite applications are installed and reachable at certain endpoints. For assistance with completing these steps, please reach out to your Atlas Expertise on Demand (EOD) contact. It is recommended that Atlas support is present when completing the steps included in this document.
Supported Splunk ES Configurations
ES Helper requires Splunk Enterprise Security to be installed and configured in one of the following ways:
Stacked Install
- Enterprise Security is installed and configured on the same Search Head as Atlas.
Duplicated Install
- Enterprise Security is installed and configured on a dedicated Search Head separate from the primary Search Head with Atlas, but Atlas and ES Helper are also installed on the Enterprise Security Search Head.
DSG (Distributed Search Groups) Install
- Enterprise Security is installed and configured on a dedicated Search Head separate from the primary Search Head with Atlas but can be reached using a Distributed Search Group.
Splunk Cloud DSG (Distributed Search Groups) Install
- Enterprise Security is located on Splunk Cloud’s managed Search Head and Atlas resides on a hybrid Search Head that has Distributed Search Groups for the Splunk Cloud Search Heads.
Regardless of installation strategy, the Search Head where ES Helper is installed requires the Splunk Common Information Model (CIM) Add-on and the data models it defines. This add-on is installed during Splunk Enterprise Security's configuration process, but it can also be installed separately from Splunkbase.
Configuration Instructions
Stacked Install
- Atlas is installed and configured on a Search Head, and Enterprise Security is already present on that same Search Head. ES Helper functions with no further changes.
Duplicated Install
1. Atlas is installed on a Search Head and Enterprise Security is separated on another Search Head. The Atlas Search Head does not need to be able to 'reach' the Enterprise Security Search Head.
2. Upload Atlas Core and Atlas ES Helper to the ES Search Head as well, following standard Atlas installation procedures. Those procedures can be found below.
3. Duplicate your Atlas Key from your "main" Atlas installation to the new Atlas Core created in Step 2.
4. ES Helper on the Atlas duplicate on the ES Search Head now functions as expected.
Distributed Search Groups Install
Distributed Search Groups (DSGs) enable Atlas users to search data over a specific set of search peers, such as all Search Heads or all Cloud Indexers. A DSG enables the Search Head on which Atlas ES Helper resides to communicate with and query the Enterprise Security Search Head. It is recommended that Atlas Expertise On Demand assists you in completing these steps.
In the ES Helper app, change the es_helper_target macro's definition to "splunk_server_group=ES" if you have created an ES DSG, or to "splunk_server=<ES Search Head server name>" if you have not, or if there is only one ES Search Head. <ES Search Head server name> is the ES Search Head's name as it appears in the splunk_server field; on that Search Head it is returned by:
| rest /services/server/info
| table splunk_server
Configure Data Model Acceleration:
Atlas ES Helper requires the Search Head where it is installed to define the same Data Models and Acceleration settings as the Enterprise Security Search Head.
- Install Splunk_SA_CIM from Splunkbase and configure datamodels.conf in the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local directory to match the same file on your Enterprise Security Search Head.
By default, Splunk Indexers build separate Data Model summaries for each Search Head or Search Head Cluster that defines a Data Model, even when the definitions are identical. You can instead configure a Search Head to use another Search Head's summaries. Configuring remote summaries saves indexer disk space and compute. To configure a Remote Data Model Summary:
1. Ensure the ES Search Head has been added as a search peer on the Atlas Search Head.
2. Find the GUID of the ES Search Head by running the following search on the Atlas Search Head:
| rest splunk_server=local /services/search/distributed/peers
| table peerName title guid search_groups
3. In the Splunk_SA_CIM app, edit datamodels.conf in the local directory. For each data model, add the following property:
acceleration.source_guid=<GUID from Step 2>
Additional information about acceleration summaries can be found in Splunk's documentation on data model acceleration.
Splunk Cloud DSG Install
In the ES Helper app, change the es_helper_target macro's definition to "splunk_server_group=ES" if you have created an ES DSG, or to "splunk_server=<ES Search Head server name>" if you have not, or if there is only one ES Search Head. The server name can be found by running the following on the ES Search Head:
| rest /services/server/info
| table splunk_server
To edit the macro, navigate to Settings > Advanced search > Search macros, click the es_helper_target macro, edit the Definition field per the instructions above, and Save.
Configure Data Model Acceleration:
Atlas ES Helper requires the Search Head where it is installed to define the same Data Models and Acceleration settings as the Enterprise Security Search Head.
- Install Splunk_SA_CIM from Splunkbase and configure datamodels.conf in the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local directory to match the same file on your Enterprise Security Search Head.
By default, Splunk Indexers build separate Data Model summaries for each Search Head or Search Head Cluster that defines a Data Model, even when the definitions are identical. You can instead configure a Search Head to use another Search Head's summaries. Configuring remote summaries saves indexer disk space and compute. To configure a Remote Data Model Summary:
1. Ensure the ES Search Head has been added as a search peer on the Atlas Search Head.
2. Find the GUID of the ES Search Head by running the following search on the Atlas Search Head:
| rest splunk_server=local /services/search/distributed/peers
| table peerName title guid search_groups
3. In the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local folder, edit datamodels.conf. For each data model, add the following property:
acceleration.source_guid=<GUID from Step 2>
Additional information about acceleration summaries can be found in Splunk's documentation on data model acceleration.
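The two DSG procedures above (on-premises and Splunk Cloud) share the same two manual steps: pick the es_helper_target macro definition from the peer list, and copy the ES Search Head's datamodels.conf while adding acceleration.source_guid to every stanza. The script below automates both. It is an added example, not Atlas or Splunk code. It assumes the JSON returned by "| rest splunk_server=local /services/search/distributed/peers" with output_mode=json (one "entry" per peer, with peerName, guid and search_groups under "content"); the peer list, GUIDs and datamodels.conf contents embedded in it are constructed sample data, and the group name "ES" matches the DSG name used in the instructions.

```python
"""Mirror the ES search head's datamodels.conf onto the Atlas search head
and derive the es_helper_target macro definition from the peer list.

Added example; not part of Atlas or Splunk. The JSON shape assumed below is
what `| rest splunk_server=local /services/search/distributed/peers` returns
with output_mode=json (one "entry" per peer, settings under "content").
"""
import configparser
import io
import json

ES_GROUP = "ES"  # Distributed Search Group containing the ES search head(s)

# Constructed sample: one ES search head and one indexer; the GUIDs are fake.
SAMPLE_PEERS_JSON = json.dumps({"entry": [
    {"name": "es-sh01.example.internal:8089",
     "content": {"peerName": "es-sh01",
                 "guid": "0B1F9A32-5C6D-4E7F-8A90-1B2C3D4E5F60",
                 "search_groups": ["ES"]}},
    {"name": "idx01.example.internal:8089",
     "content": {"peerName": "idx01",
                 "guid": "7C8D9E0F-1A2B-4C3D-9E4F-5A6B7C8D9E0F",
                 "search_groups": ["indexers"]}},
]})

# Constructed sample of the ES head's Splunk_SA_CIM/local/datamodels.conf.
SAMPLE_ES_DATAMODELS_CONF = """\
# settings copied from the ES search head
[Authentication]
acceleration = 1
acceleration.earliest_time = -1mon

[Network_Traffic]
acceleration = 1
acceleration.earliest_time = -7d
acceleration.backfill_time = -1d
"""


def es_peers(peers_json, group=ES_GROUP):
    """Return [(peerName, guid), ...] for every search peer in `group`."""
    found = []
    for entry in json.loads(peers_json).get("entry", []):
        content = entry.get("content", {})
        if group in (content.get("search_groups") or []):
            found.append((content["peerName"], content["guid"]))
    return found


def macro_definition(peers, group=ES_GROUP):
    """es_helper_target definition: the group when several ES heads exist,
    otherwise the single head's server name (its splunk_server value)."""
    if not peers:
        raise ValueError(
            f"no search peer is in group {group!r}; add the ES search head "
            "as a search peer before editing the macro")
    if len(peers) > 1:
        return f"splunk_server_group={group}"
    return f"splunk_server={peers[0][0]}"


def mirror_datamodels_conf(es_conf_text, source_guid):
    """Reproduce every stanza and setting from the ES head's datamodels.conf
    and add acceleration.source_guid so the indexers serve the ES head's
    existing summaries instead of building a duplicate set."""
    src = configparser.ConfigParser(interpolation=None, strict=False)
    src.optionxform = str  # keep Splunk's case-sensitive key names
    src.read_string(es_conf_text)

    out = configparser.ConfigParser(interpolation=None)
    out.optionxform = str
    for stanza in src.sections():
        out[stanza] = dict(src[stanza])
        # Only models with acceleration = 1 have summaries to share; the
        # procedure adds the setting to every model and it is inert elsewhere.
        out[stanza]["acceleration.source_guid"] = source_guid

    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    peers = es_peers(SAMPLE_PEERS_JSON)
    print("es_helper_target =", macro_definition(peers))
    print(mirror_datamodels_conf(SAMPLE_ES_DATAMODELS_CONF, peers[0][1]))
```

In practice, feed es_peers the saved JSON of the peers search run on the Atlas Search Head and mirror_datamodels_conf the datamodels.conf copied from the ES Search Head, then write the result to $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf on the Atlas Search Head. The ValueError in macro_definition catches the common ordering mistake of editing the macro before the ES Search Head has been added as a search peer.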