Log Data Collection in SIEM

Once Compliance Reporter has collected log data, it can be forwarded to the configured security information and event management (SIEM) software. Using the SIEM software, you can run searches to report on the data that is relevant to your organization. The following is an example of a search built in Splunk over data collected by Compliance Reporter:

(index="compliancereporter") parent_process="*" NOT subject.terminal_id.ip_address=0.0.0.0
| eval Destination=coalesce(app,'path.1','subject.process_name')
| stats values(Destination), values(exec_chain.thread_uuid), values(host_info.host_name), count by parent_process
| rename values(Destination) as Application, parent_process as "Originating App", values(exec_chain.thread_uuid) as "Thread UUIDs", values(host_info.host_name) as Hosts
| table count, Hosts, "Originating App", "Thread UUIDs", Application
| sort count

This example search uses the following search fields:
  • subject.terminal_id.ip_address—IP address of the remotely controlling computer. Any actions performed in an SSH session will be tagged with the remote IP address. Any local actions will have a value of "0.0.0.0".

  • host_info.host_name or host_uuid—Filters and sorts events based on which host they occurred on.

  • exec_chain.thread_uuid—Follows a process execution tree linked together with a single thread_uuid. This can be used to find out what actions executed scripts performed on a computer.
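As an added illustration (not part of the Compliance Reporter documentation and not Splunk code), the following Python reproduces the logic of the search pipeline above over a few constructed events, so that what the `parent_process="*"`, `NOT`, and `coalesce` clauses actually keep can be checked before the search is run in Splunk. The events are flattened with dotted field names the way Splunk exposes JSON fields; all values are invented.

```python
import json
from collections import defaultdict

# Constructed sample events (dotted names as Splunk presents JSON fields).
# Values are invented for this example; 203.0.113.x and 198.51.100.x are
# documentation-only IP ranges.
SAMPLE_EVENTS = [
    {"parent_process": "/bin/bash", "subject.terminal_id.ip_address": "203.0.113.5",
     "app": "curl", "exec_chain.thread_uuid": "t-1", "host_info.host_name": "mac-01"},
    {"parent_process": "/bin/bash", "subject.terminal_id.ip_address": "203.0.113.5",
     "path.1": "/usr/bin/python3", "exec_chain.thread_uuid": "t-1", "host_info.host_name": "mac-01"},
    # local console activity: dropped by NOT subject.terminal_id.ip_address=0.0.0.0
    {"parent_process": "/bin/zsh", "subject.terminal_id.ip_address": "0.0.0.0",
     "app": "vim", "exec_chain.thread_uuid": "t-2", "host_info.host_name": "mac-02"},
    {"parent_process": "/usr/bin/osascript", "subject.terminal_id.ip_address": "198.51.100.7",
     "subject.process_name": "open", "exec_chain.thread_uuid": "t-3", "host_info.host_name": "mac-02"},
    # no parent_process field at all: parent_process="*" does not match it
    {"subject.terminal_id.ip_address": "203.0.113.5", "app": "ls"},
]

def coalesce(event, *fields):
    """Splunk coalesce(): the first listed field that is present and non-null."""
    return next((event[f] for f in fields if event.get(f) not in (None, "")), None)

def matches_filter(event):
    """parent_process="*" NOT subject.terminal_id.ip_address=0.0.0.0
    The wildcard needs a non-empty parent_process; NOT keeps events whose
    IP field is absent, which is how Splunk evaluates NOT on a missing field."""
    if not event.get("parent_process"):
        return False
    return event.get("subject.terminal_id.ip_address") != "0.0.0.0"

def summarize(events):
    """eval / stats / rename / table / sort stages: one row per parent_process."""
    groups = defaultdict(lambda: {"count": 0, "app": set(), "uuid": set(), "host": set()})
    for ev in filter(matches_filter, events):
        g = groups[ev["parent_process"]]
        g["count"] += 1                       # stats count by parent_process
        for key, field in (("uuid", "exec_chain.thread_uuid"), ("host", "host_info.host_name")):
            if ev.get(field):
                g[key].add(ev[field])         # values(): distinct values per group
        dest = coalesce(ev, "app", "path.1", "subject.process_name")
        if dest:
            g["app"].add(dest)
    rows = [{"count": g["count"], "Hosts": sorted(g["host"]), "Originating App": parent,
             "Thread UUIDs": sorted(g["uuid"]), "Application": sorted(g["app"])}
            for parent, g in groups.items()]
    return sorted(rows, key=lambda r: r["count"])  # "| sort count" is ascending

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(json.dumps(row))
```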