
SIEM & Splunk Integration

Architecture Overview

Data Collection

Log Sources

```yaml
log_sources:
  application:
    type: application_logs
    sourcetype: oan:application
    index: oan_apps
    inputs:
      - /var/log/oan/*.log
      - /var/log/apps/*.json

  security:
    type: security_events
    sourcetype: oan:security
    index: oan_security
    inputs:
      - /var/log/audit/*.log
      - /var/log/security/*.log

  infrastructure:
    type: infrastructure_logs
    sourcetype: oan:infrastructure
    index: oan_infra
    inputs:
      - /var/log/kubernetes/*.log
      - /var/log/docker/*.log
```
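The log_sources block is an abstract description; what a forwarder actually consumes is inputs.conf. The following added example (not code from this page's project) renders the definition above as Splunk `[monitor://<path>]` stanzas, keyed on the sourcetype and index names from the YAML, and refuses duplicate paths, since two monitor stanzas on the same file double-index every event. The LOG_SOURCES dict is hand-copied from the YAML; `disabled = 0` is a standard inputs.conf setting.

```python
"""Render the log_sources definition as Splunk inputs.conf monitor stanzas.

Added example, not code from this page's project. LOG_SOURCES is a hand copy of
the YAML above; stanza layout follows Splunk's inputs.conf [monitor://<path>]
syntax, and `disabled = 0` is a documented inputs.conf setting.
"""
from typing import Dict, List

# Constructed from the log_sources block on this page (the `type` key is dropped:
# Splunk has no use for it in inputs.conf).
LOG_SOURCES: Dict[str, dict] = {
    "application": {
        "sourcetype": "oan:application",
        "index": "oan_apps",
        "inputs": ["/var/log/oan/*.log", "/var/log/apps/*.json"],
    },
    "security": {
        "sourcetype": "oan:security",
        "index": "oan_security",
        "inputs": ["/var/log/audit/*.log", "/var/log/security/*.log"],
    },
    "infrastructure": {
        "sourcetype": "oan:infrastructure",
        "index": "oan_infra",
        "inputs": ["/var/log/kubernetes/*.log", "/var/log/docker/*.log"],
    },
}


def monitor_stanza(path: str, sourcetype: str, index: str) -> str:
    """One [monitor://...] stanza. The text after monitor:// is a filesystem
    path, so it must be absolute (hence the triple slash for /var/...)."""
    if not path.startswith("/"):
        raise ValueError(f"monitor path must be absolute: {path}")
    return "\n".join([
        f"[monitor://{path}]",
        f"sourcetype = {sourcetype}",
        f"index = {index}",
        "disabled = 0",
        "",
    ])


def render_inputs_conf(sources: Dict[str, dict]) -> str:
    """Emit one stanza per input path and reject a path that appears twice:
    two monitor stanzas on the same file would double-index every event."""
    stanzas: List[str] = []
    seen = set()
    for name, src in sources.items():
        for path in src["inputs"]:
            if path in seen:
                raise ValueError(f"duplicate monitor path {path} (in {name})")
            seen.add(path)
            stanzas.append(monitor_stanza(path, src["sourcetype"], src["index"]))
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(render_inputs_conf(LOG_SOURCES))
```

Run it and drop the output into `$SPLUNK_HOME/etc/apps/<app>/local/inputs.conf` on the forwarder; the duplicate check is the part worth keeping when the source list grows, because overlapping globs are the usual cause of doubled event counts.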

Data Processing

Data Pipeline Configuration

```yaml
pipeline_config:
  parsing:
    timestamp_format: "%Y-%m-%d %H:%M:%S.%L"
    timezone: UTC
    fields_extraction:
      - source
      - severity
      - event_type
      - user_id

  enrichment:
    lookups:
      - user_details
      - business_units
      - asset_inventory

  transformation:
    field_aliases:
      src_ip: source_ip
      dst_ip: destination_ip
      evt_type: event_type
```

If this format string is copied into a Splunk props.conf `TIME_FORMAT`, write the milliseconds as `%3N`: Splunk's strptime does not recognize `%L`. Field aliases in Splunk add the new name without removing the old one, so searches that still reference `src_ip` keep working after the alias is in place.
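To make the three stages concrete, here is an added example (not code from this page's project) that runs the pipeline_config above over two constructed JSON log lines in plain Python: it parses the timestamp and pins it to UTC, records which of the four extracted fields are missing, applies the aliases the way Splunk does (new name added, old name kept), and enriches from three constructed lookup tables standing in for user_details, business_units and asset_inventory. The lookup contents, the sample events and the `_missing_fields` marker are assumptions made for the example.

```python
"""Reference run of pipeline_config (parsing, enrichment, transformation).

Added example, not the project's own pipeline. The log lines and the three
lookup tables are constructed here so the block runs offline.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

REQUIRED_FIELDS = ["source", "severity", "event_type", "user_id"]
FIELD_ALIASES = {"src_ip": "source_ip", "dst_ip": "destination_ip", "evt_type": "event_type"}

# Constructed lookups standing in for user_details / business_units / asset_inventory.
USER_DETAILS = {"u42": {"display_name": "Ada", "business_unit": "payments"}}
BUSINESS_UNITS = {"payments": {"owner": "cfo-office", "tier": "1"}}
ASSET_INVENTORY = {"10.0.0.5": {"hostname": "auth-db-01", "criticality": "high"}}

# The page writes milliseconds as %L; Python's strptime spells fractional seconds %f.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample lines: one complete authentication event, one with no user_id.
SAMPLE_LINES = [
    '{"ts": "2024-05-01 12:00:00.123", "source": "login-svc", "severity": "high", '
    '"evt_type": "authentication", "user_id": "u42", "src_ip": "203.0.113.7", '
    '"dst_ip": "10.0.0.5", "status": "failure"}',
    '{"ts": "2024-05-01 12:00:01.500", "source": "api-gw", "severity": "low", '
    '"evt_type": "request", "src_ip": "198.51.100.9"}',
]


def parse_timestamp(raw: str) -> datetime:
    """Parse the event's own timestamp and pin it to UTC (timezone: UTC)."""
    return datetime.strptime(raw, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def apply_aliases(event: Dict[str, object]) -> Dict[str, object]:
    """Splunk-style aliasing: add the canonical name, keep the original."""
    out = dict(event)
    for old, new in FIELD_ALIASES.items():
        if old in out and new not in out:
            out[new] = out[old]
    return out


def enrich(event: Dict[str, object]) -> Dict[str, object]:
    """Join the lookups: user_id -> user_details -> business_units, destination_ip -> asset_inventory."""
    out = dict(event)
    user = USER_DETAILS.get(out.get("user_id"))
    if user:
        out["user_display_name"] = user["display_name"]
        out["business_unit"] = user["business_unit"]
        bu = BUSINESS_UNITS.get(user["business_unit"])
        if bu:
            out["bu_owner"] = bu["owner"]
    asset = ASSET_INVENTORY.get(out.get("destination_ip"))
    if asset:
        out["destination_hostname"] = asset["hostname"]
        out["asset_criticality"] = asset["criticality"]
    return out


def process_line(line: str) -> Dict[str, object]:
    """Parse -> alias -> check required fields -> enrich. Aliases are applied
    before enrichment so the lookups can key on the canonical field names."""
    raw = json.loads(line)
    event = {k: v for k, v in raw.items() if k != "ts"}
    event["_time"] = parse_timestamp(raw["ts"])
    event = apply_aliases(event)
    event["_missing_fields"] = [f for f in REQUIRED_FIELDS if f not in event]
    return enrich(event)


def process_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [process_line(line) for line in lines]


if __name__ == "__main__":
    for ev in process_lines(SAMPLE_LINES):
        print(json.dumps({k: str(v) for k, v in ev.items()}, indent=2))
```

The `_missing_fields` list is the part to watch in production: an authentication event with no `user_id` is exactly the kind of record that silently drops out of the `stats count by status, user_id, source_ip` search later on the page, so surfacing it at parse time is cheaper than discovering the gap in an investigation.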

Search & Analytics

Search Templates

```yaml
search_templates:
  security_incidents:
    search: |
      index=oan_security sourcetype=oan:security
      severity IN (critical, high)
      | stats count by event_type, source
      | sort -count

  authentication:
    search: |
      index=oan_apps sourcetype=oan:application
      event_type=authentication
      | stats count by status, user_id, source_ip
      | where count > 5

  system_health:
    search: |
      index=oan_infra sourcetype=oan:infrastructure
      | timechart span=5m avg(cpu_usage) avg(memory_usage) by host
```

Alerting Configuration

Alert Rules

```yaml
alert_rules:
  security_threats:
    name: High Severity Security Threats
    search: index=oan_security severity IN (critical, high)
    condition: result_count > 0
    throttle: 5m
    actions:
      - email_security_team
      - create_incident_ticket

  system_performance:
    name: System Performance Issues
    search: index=oan_infra cpu_usage>80 OR memory_usage>80
    condition: result_count > 3
    throttle: 15m
    actions:
      - email_ops_team
      - trigger_auto_scaling
```

The `security_threats` search matches both `critical` and `high`, the same severities the `security_incidents` template covers, so the alert name and the search agree. `throttle` suppresses repeat firings for the stated window after an alert fires; it does not change which events the search returns.
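The search templates and the alert rules are two halves of one mechanism: a search produces rows, and the alert fires on the row count subject to a throttle. The following added example (not the project's code) evaluates the `authentication` and `security_incidents` searches over a constructed event set shaped like the pipeline output, then wraps the security search in the `security_threats` rule with its `result_count > 0` condition and 5-minute throttle. The event list, the clock values and the `ThrottledAlert` class are constructed for the example; the SPL in each docstring is the page's own.

```python
"""Evaluate the page's search templates and the security_threats alert rule,
including throttle behaviour, over constructed events.

Added example, not code from this page's project. EVENTS, BASE and the
ThrottledAlert class are constructed here.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed events: 7 failed logins for one user/IP, 1 success, 1 critical EDR hit.
EVENTS: List[Dict[str, object]] = (
    [{"index": "oan_apps", "sourcetype": "oan:application", "event_type": "authentication",
      "status": "failure", "user_id": "u42", "source_ip": "203.0.113.7",
      "_time": BASE + timedelta(seconds=i)} for i in range(7)]
    + [{"index": "oan_apps", "sourcetype": "oan:application", "event_type": "authentication",
        "status": "success", "user_id": "u7", "source_ip": "198.51.100.9", "_time": BASE}]
    + [{"index": "oan_security", "sourcetype": "oan:security", "severity": "critical",
        "event_type": "malware", "source": "edr", "_time": BASE + timedelta(minutes=1)}]
)


def authentication_search(events, threshold: int = 5) -> List[Dict[str, object]]:
    """index=oan_apps sourcetype=oan:application event_type=authentication
       | stats count by status, user_id, source_ip | where count > 5"""
    counts = Counter(
        (e["status"], e["user_id"], e["source_ip"])
        for e in events
        if e.get("index") == "oan_apps" and e.get("sourcetype") == "oan:application"
        and e.get("event_type") == "authentication"
    )
    rows = [{"status": s, "user_id": u, "source_ip": ip, "count": c}
            for (s, u, ip), c in counts.items() if c > threshold]
    return sorted(rows, key=lambda r: -r["count"])


def security_threats_search(events) -> List[Dict[str, object]]:
    """index=oan_security severity IN (critical, high)
       | stats count by event_type, source | sort -count"""
    counts = Counter(
        (e["event_type"], e["source"])
        for e in events
        if e.get("index") == "oan_security" and e.get("severity") in ("critical", "high")
    )
    rows = [{"event_type": t, "source": s, "count": c} for (t, s), c in counts.items()]
    return sorted(rows, key=lambda r: -r["count"])


class ThrottledAlert:
    """Fire when the search returns more than `min_results` rows (the page's
    `condition: result_count > N`), then stay silent for `throttle` after each
    firing, which is what `throttle: 5m` does to repeat alerts."""

    def __init__(self, name: str, search: Callable, min_results: int, throttle: timedelta):
        self.name, self.search = name, search
        self.min_results, self.throttle = min_results, throttle
        self.last_fired: Optional[datetime] = None

    def evaluate(self, events, now: datetime) -> Optional[Dict[str, object]]:
        results = self.search(events)
        if len(results) <= self.min_results:
            return None                       # condition not met
        if self.last_fired is not None and now - self.last_fired < self.throttle:
            return None                       # suppressed by throttle window
        self.last_fired = now
        return {"alert": self.name, "fired_at": now, "results": results}


if __name__ == "__main__":
    print(authentication_search(EVENTS))
    rule = ThrottledAlert("High Severity Security Threats", security_threats_search, 0,
                          timedelta(minutes=5))
    for offset in (2, 3, 7):
        print(offset, rule.evaluate(EVENTS, BASE + timedelta(minutes=offset)))
```

Note what the throttle hides: a second, different critical event arriving inside the 5-minute window produces no new notification. That is acceptable for an email action, but for `create_incident_ticket` it usually means the ticket must be enriched with every result row, not just the first one, which is why the example returns the full `results` list with the firing.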

Dashboards

Security Operations

```yaml
security_dashboard:
  panels:
    - title: Security Incidents
      type: statistics
      search: |
        index=oan_security
        | stats count by severity, category

    - title: Authentication Activity
      type: timechart
      search: |
        index=oan_apps event_type=authentication
        | timechart count by status

    - title: Threat Map
      type: geo
      search: |
        index=oan_security
        | iplocation src_ip
        | geostats count
```

The Authentication Activity panel filters on `event_type=authentication`, the value the pipeline extracts and the search template uses; a filter on a shortened value such as `auth` would match nothing. The Threat Map panel uses `src_ip`, which still resolves because a Splunk field alias keeps the original name alongside `source_ip`.

System Operations

```yaml
operations_dashboard:
  panels:
    - title: System Health
      type: single_value
      search: |
        index=oan_infra
        | stats avg(cpu_usage) avg(memory_usage)

    - title: API Performance
      type: timechart
      search: |
        index=oan_apps sourcetype=api
        | timechart avg(response_time) by endpoint

    - title: Error Rates
      type: bar_chart
      search: |
        index=oan_apps status>=400
        | stats count by status, service
```

Data Retention

Retention Policy

```yaml
retention_policy:
  hot_tier:
    duration: 30d
    index_location: fast_storage

  warm_tier:
    duration: 90d
    index_location: medium_storage

  cold_tier:
    duration: 365d
    index_location: slow_storage

  archive:
    duration: 7y
    storage: s3_archive
```

These tiers map onto Splunk's hot, warm, cold and frozen buckets. Frozen buckets are deleted once `frozenTimePeriodInSecs` in indexes.conf expires unless `coldToFrozenDir` or `coldToFrozenScript` is set to copy them out, so the 7-year archive only exists if one of those is configured for each index. Retention is set per index, which is why the page keeps security, application and infrastructure data in separate indexes.

Best Practices

Data Collection

  1. Standardized logging: emit structured (JSON) events with a fixed field set so one set of extractions applies across sources.
  2. Proper timestamping: every event carries its own timestamp with an explicit timezone; never fall back to index time.
  3. Field extraction: extract at index time only the few fields that searches filter on, and leave the rest to search-time extraction.
  4. Source categorization: one sourcetype per log format, one index per retention and access boundary.

Search Optimization

  1. Efficient queries: put index, sourcetype and the most selective field filters in the base search, and avoid leading wildcards.
  2. Field usage: filter on extracted fields rather than free-text terms, and use `fields` to keep only what later commands need.
  3. Time range optimization: set the narrowest earliest/latest window that answers the question; scheduled searches should use fixed, non-overlapping windows.
  4. Summary indexing: precompute expensive statistics for dashboards into a summary index instead of re-scanning raw events on every load.

Alert Management

  1. Alert prioritization: map severity to a response SLA, and route critical alerts to a paged channel and lower severities to a queue.
  2. Throttling configuration: throttle on the fields that identify the entity (host, user_id, source_ip) rather than globally, so one noisy host does not mask another.
  3. Action planning: every alert names an owner and a runbook; automated actions such as trigger_auto_scaling need a kill switch.
  4. Alert tracking: record every firing in a ticket or case so false-positive rates can be measured and the rule tuned.

Dashboard Design

  1. Performance metrics: keep panel searches cheap (summary indexes, `tstats`, bounded time ranges) so the dashboard loads in seconds.
  2. User experience: one question per panel, ordered from summary to detail.
  3. Data visualization: match the chart to the data (timechart for trends, stats tables for breakdowns, geo only where IP geolocation is meaningful).
  4. Real-time updates: use a scheduled refresh (for example every 5 minutes) rather than real-time searches, which hold indexer resources open.