diff --git a/docs/gettingstarted/index.md b/docs/gettingstarted/index.md index ecc06ec..7eb766c 100644 --- a/docs/gettingstarted/index.md +++ b/docs/gettingstarted/index.md @@ -37,6 +37,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * email * epav +* epintel * netauth * netdlp * netdns @@ -46,6 +47,7 @@ using the SC4S defaults. SC4S can be easily customized to use different indexes * netwaf * netproxy * netipam +* oswin * oswinsec * osnix * em_metrics (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index) diff --git a/docs/sources/VMWare/index.md b/docs/sources/VMWare/index.md index 42a7dc0..c96ecd4 100644 --- a/docs/sources/VMWare/index.md +++ b/docs/sources/VMWare/index.md 
@@ -1,5 +1,61 @@ # Vendor - Dell - VMware +## Product - Carbon Black Protection + +| Ref | Link | +|----------------|---------------------------------------------------------------------------------------------------------| +| Splunk Add-on CEF | none | +| Splunk Add-on Source Specific | https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/ | + + +### Sourcetypes + +| sourcetype | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| cef | Common sourcetype | + +### Source + +| source | notes | +|----------------|---------------------------------------------------------------------------------------------------------| +| carbonblack:protection:cef | Note this method of onboarding is not recommended for a more complete experience utilize the json format supported by he product with hec or s3 | + +### Index Configuration + +| key | source | index | notes | +|----------------|----------------|----------------|----------------| +| Carbon Black_Protection | carbonblack:protection:cef | epintel | none | + +### Filter type + +MSG Parse: This filter parses message content + +### Options + +Note listed for reference processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF + +| Variable | default | description | +|----------------|----------------|----------------| +| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers | +| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | +| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | + +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by 
this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + +### Verification + +An active site will generate frequent events use the following search to check for new events + +Verify timestamp, and host values match as expected + +``` +index= (sourcetype=cef source="carbonblack:protection:cef") +``` + + ## Product - vSphere - ESX NSX (Controller, Manager, Edge) diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example index 3bc7e0e..eaf6a00 100644 --- a/package/etc/context_templates/splunk_metadata.csv.example +++ b/package/etc/context_templates/splunk_metadata.csv.example @@ -2,8 +2,8 @@ bluecoat_proxy,index,netproxy brocade_syslog,index,netops ArcSight_ArcSight,index,main ArcSight_ArcSight,source,ArcSight:ArcSight -Carbon Black_Protection,sourcetype,carbonblack:protection:cef -Carbon Black_Protection,index,cb:cef +Carbon Black_Protection,source,carbonblack:protection:cef +Carbon Black_Protection,index,epintel Cyber-Ark_Vault,index,netauth Cyber-Ark_Vault,sourcetype,cyberark:epv:cef CyberArk_PTA,index,main
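Review bot: In the docs/gettingstarted/index.md hunk, `oswin` is added to the default index list but nothing else in this patch maps a source to it; the only new mapping (Carbon Black Protection in splunk_metadata.csv.example and the VMware page) targets `epintel`. Either point at the source whose splunk_metadata entry uses `oswin`, or drop it from this change so the index list stays in step with the metadata it documents. Readers will otherwise create an index that no documented source feeds.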
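Review bot: In the docs/sources/VMWare/index.md hunk, the "Splunk Add-on Source Specific" link under Carbon Black Protection points at `https://bitbucket.org/SPLServices/ta-cef-imperva-incapsula/downloads/`, an Imperva Incapsula add-on, which looks like a copy-and-paste from another CEF source page; replace it with the Carbon Black add-on link or set it to `none` like the CEF row above it. The verification search `index= (sourcetype=cef source="carbonblack:protection:cef")` also leaves `index=` empty, so it will not run as written; it should name the `epintel` index chosen in the Index Configuration table. Smaller points in the same hunk: the Options note attributes ArcSight to "Microsoft", and the Source table reads "supported by he product with hec or s3" (typo for "the"), so the pasted text should be proofread before merge.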
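Review bot: In the package/etc/context_templates/splunk_metadata.csv.example hunk, the `Carbon Black_Protection` key is the only vendor_product key in the visible rows that contains a space (compare `Cyber-Ark_Vault`, `CyberArk_PTA`, `ArcSight_ArcSight`), so please confirm it matches exactly what the CEF log path derives from the deviceVendor and deviceProduct header fields, otherwise neither the `source` nor the `index` override will ever apply. Dropping the `sourcetype` row is consistent with the `ArcSight_ArcSight` entry and the docs' "cef" common sourcetype, but switching the index from `cb:cef` to `epintel` is a behavior change for anyone who copied the previous example, and deserves a changelog line alongside the new `epintel` entry in the getting-started index list.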