![]() ![]() Splunk's support for integration is subpar and has room for improvement. Depending on the playbook, it can sometimes get a little crazy and overwhelming, but I think it's generally okay. Nevertheless, it's highly beneficial when it works. While APIs probably leverage more than ever, it's still like pulling teeth to get some vendors to support it correctly. For example, I would like to automate file extraction, and a particular vendor seems to have an API that should do that, but I can't. However, it comes down to which APIs are available. Many vendors focus on the product first and save the API information for the very last. API documentation is typically a weak spot. ![]() That goes back to an inability to detect these kinds of events. It was something in this feed with legitimate and security events, so we tried to understand the names and what we would call them. We couldn't figure out why it broke or what actually happened there. We have playbooks written to extract these events and put them into the workflow since it wasn't structured as expected. There was another type that was security-related, but we didn't know about it before. I don't know if they injected this or if this was the first time we saw it. We get some normal events, but we also see some security issues occasionally in the same feed. Sometimes we flag events based on conditions in the app or service that is sending us the feed, and we focused on a couple. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |