Endpoint security protects corporate networks from attacks introduced, often unknowingly, by compromised devices that connect over untrusted remote networks such as public hotspots. By installing a client on laptops and other wireless and mobile devices, endpoint security software can monitor activity on the device and warn security teams when a device attempts to spread malware or poses other threats. In this context, the endpoint is the security client software or agent installed on the device. It logs security-related activity from the client OS (login, logout and shutdown events) and from applications such as the browser (Explorer, Edge), the mail client (Outlook) and the Office applications.
Endpoint data supports a variety of security uses, including identifying newly detected binaries, file hashes, files in the file system and registry entries. Endpoints also log device configuration and various security parameters (certificates, local anti-malware signatures, and so on). In the Splunk Common Information Model (CIM), endpoint data is typically mapped to the Endpoint data model.
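The following is an added example, not code from this page or from Splunk, showing what the CIM mapping mentioned above looks like in practice. It takes constructed process-creation records shaped like Sysmon Event ID 1 (a common endpoint agent log source), renames them to the field names of the CIM Endpoint.Processes dataset (dest, user, process_name, parent_process_name, process_id, parent_process_id, process_path, process_hash), and then runs two of the use cases listed on this page over the normalized records: walking a process's parent/child chain and finding a binary hash that recurs on the same host. All host names, users, paths, process IDs and hash values are fabricated; the `ancestry`, `recurring_hashes` and `hosts_with_hash` helpers are this example's own, not part of the CIM.

```python
from collections import Counter

# Constructed sample records in the shape of Sysmon Event ID 1 (process
# creation). Every value below is fabricated for this example.
RAW_EVENTS = [
    {"Computer": "ws01", "ProcessId": 3300, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "Hashes": "MD5=00000000000000000000000000000001,SHA256=CONSTRUCTED_HASH_WORD"},
    {"Computer": "ws01", "ProcessId": 4120, "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice", "Hashes": "SHA256=CONSTRUCTED_HASH_CMD"},
    {"Computer": "ws01", "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "Hashes": "SHA256=CONSTRUCTED_HASH_PS"},
    {"Computer": "ws01", "ProcessId": 5002, "ParentProcessId": 4188,
     "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "Hashes": "SHA256=CONSTRUCTED_HASH_DROPPER"},
    {"Computer": "ws01", "ProcessId": 5310, "ParentProcessId": 900,
     "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "Hashes": "SHA256=CONSTRUCTED_HASH_DROPPER"},
    {"Computer": "ws02", "ProcessId": 2210, "ParentProcessId": 812,
     "Image": r"C:\Users\bob\Downloads\dropper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob",
     "Hashes": "SHA256=CONSTRUCTED_HASH_DROPPER"},
]


def _basename(win_path):
    """Last component of a Windows path (the CIM process_name)."""
    return win_path.rsplit("\\", 1)[-1]


def map_to_cim(ev):
    """Rename one raw process-creation record to CIM Endpoint.Processes fields."""
    # Sysmon packs several digests into one "ALGO=value,ALGO=value" string.
    hashes = {}
    for part in ev.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip()] = value.strip()
    return {
        "dest": ev["Computer"],
        "user": ev.get("User"),
        "process_id": ev["ProcessId"],
        "parent_process_id": ev["ParentProcessId"],
        "process_path": ev["Image"],
        "process_name": _basename(ev["Image"]),
        "parent_process_name": _basename(ev["ParentImage"]),
        "process_hash": hashes.get("SHA256"),
    }


def normalize(raw_events):
    return [map_to_cim(e) for e in raw_events]


def ancestry(cim_events, dest, process_id):
    """Process names from the given process up to its oldest known ancestor.

    Keyed on (dest, process_id) for brevity; real data should key on a
    process GUID because Windows reuses PIDs.
    """
    by_pid = {(e["dest"], e["process_id"]): e for e in cim_events}
    chain, key, seen = [], (dest, process_id), set()
    while key in by_pid and key not in seen:
        seen.add(key)
        ev = by_pid[key]
        chain.append(ev["process_name"])
        key = (dest, ev["parent_process_id"])
        if key not in by_pid:
            # Parent was never logged (started before the agent), so the
            # child's recorded parent_process_name is the last thing we know.
            chain.append(ev["parent_process_name"])
    return chain


def recurring_hashes(cim_events, min_count=2):
    """(dest, process_hash) pairs seen at least min_count times on one host."""
    counts = Counter((e["dest"], e["process_hash"])
                     for e in cim_events if e["process_hash"])
    return {k: n for k, n in counts.items() if n >= min_count}


def hosts_with_hash(cim_events, sha256):
    """Sorted list of hosts on which a given binary hash has executed."""
    return sorted({e["dest"] for e in cim_events if e["process_hash"] == sha256})


if __name__ == "__main__":
    cim = normalize(RAW_EVENTS)
    print(" <- ".join(ancestry(cim, "ws01", 4188)))
    print(recurring_hashes(cim))
    print(hosts_with_hash(cim, "CONSTRUCTED_HASH_DROPPER"))
```

Once records carry the CIM field names, the same logic (a `stats count by dest, process_hash` style aggregation, or a join of process_id to parent_process_id) applies regardless of which agent produced the raw events, which is the point of mapping to the Endpoint data model.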
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:
- Common data sources
Use cases for the Splunk platform
- Detecting recurring malware on a host
- Monitoring for Windows updates
- Monitoring for signs of Windows privilege escalation attack
- Checking for files created on a system
- Detecting the disabling of security tools
- Detecting Windows file extension abuse
- Visualizing processes and their parent/child relationships
- Running common General Data Privacy Regulation compliance searches
- Monitoring NIST SP 800-53 rev5 control families