
Veeam Enrichment Not Available Outside Veeam App Context

marycordova
SplunkTrust

Veeam has a really nice Veeam App for Splunk.  It’s actually one of the nicer apps that has easy data integration and pre-built dashboards that pretty much work out-of-the-box.  


However, the Veeam data is really only usable within the Veeam App. If you are in a different App in Splunk and try to query the Veeam data, a lot of fields will be “missing”. You can see here that I need to use 3 fields (EventGroup, ActivityType, and severity) to find the specific events I’m looking for, but only 1 of those fields is actually available in the _raw data:
[screenshot: search results showing only one of the three fields present in _raw]


Ok...so why are these fields available in the Veeam App but not in any other App in Splunk, especially since they don’t even actually exist?  This is due to the “enrichment” the Veeam App is performing translating things like “instanceId” into something human-readable and informative.  For example instanceId here is “41600” and when you query the Veeam events there is a lookup that references 41600 and returns additional information:
[screenshot: lookup result for instanceId 41600 inside the Veeam App]


Great, so if this is available in the Veeam App, why don’t I just do all my work there rather than trying to make this extra information available outside the Veeam App?  The short answer is I want to be able to work with more than one dataset at a time. 

The longer answer is that I have a custom “app” where I store all my SOC security detection queries.  Splunk also has their Enterprise Security App which basically does the same thing.  

What this allows is the creation of correlated searches, such as one search that picks up any “ransomware” related event regardless of whether it comes from Veeam or AntiVirus or UEBA, etc.  

But if the Veeam data isn’t usable outside of the Veeam app you can’t incorporate it into your standard SOC process.  


What you need to do is make all the enrichment in the Veeam App (props, lookups, transforms, datamodels, etc.) readable from any App in Splunk, not just from the Veeam App.

You can do all this from the Splunk GUI (you might need to be an Admin...not sure...I’m an Admin so I can do everything/whatever I want LOL 😁)

Share the Data Model Globally:
[screenshot: data model permissions set to “All apps”]


Share the enrichment (“props” & “transforms”) Globally:
[screenshot: props/transforms permissions set to “All apps”]


You can see here before and after snips of the “export” config after I modified all the properties:

(default.meta)
[screenshot: default.meta before the change]


(local.meta, which overrides default.meta, created dynamically after the edit)
[screenshot: local.meta after the change]

@marycordova
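The screenshots above show the “export” setting being flipped in the app’s metadata. As an added example (not part of the original post, and not a file shipped by the Veeam App), this is what the resulting local.meta looks like as text, so it can be reviewed or deployed through a deployment server instead of clicking through the GUI. The directory name `<veeam_app_dir>` is a placeholder for whatever the Veeam App installs as; every other line is the standard Splunk metadata format.

```ini
# $SPLUNK_HOME/etc/apps/<veeam_app_dir>/metadata/local.meta  (assumed path)
# local.meta overrides default.meta. "export = system" makes the objects of that
# type readable from every app, which is the same thing the GUI "All apps" radio
# button writes. Only "export" is set here, so the access rules from default.meta
# (who can read/write) are left untouched.

# Field extractions / sourcetype settings (props.conf)
[props]
export = system

# Lookup definitions and report-style extractions (transforms.conf)
[transforms]
export = system

# The CSV lookup files themselves, which transforms.conf definitions point at.
# Exporting transforms without exporting the lookup files still leaves the
# enriched fields empty outside the app.
[lookups]
export = system

# Data models (datamodels.conf)
[datamodels]
export = system

# Event types and tags are often part of an app's enrichment too; export them
# only if the app defines any that your correlation searches depend on.
[eventtypes]
export = system

[tags]
export = system
```

Once the file is in place, restart or reload the app and confirm the merge with btool from the Splunk host, e.g. `splunk btool props list --app=<veeam_app_dir> --debug`, then rerun the same `EventGroup`/`ActivityType`/`severity` search from the Search app (or your SOC app) and check that all three fields now populate.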