Splunk Data Ingestion: Reducing noise from Windows Event Log ID 4662?
Our Splunk environment is being overwhelmed by Windows Event Log ID 4662 (An attempt was made to access a securable object) events. These events are generating millions of events per day, making it difficult to identify actual security threats.

Current situation:
- ~50 million 4662 events per day
- High storage costs
- Slow search performance
- Important security events getting lost in the noise

I've tried:
- Filtering at the Universal Forwarder level
- Using props.conf to drop certain events
- Creating data models to focus on relevant events

What filtering strategies have worked for you? Should we filter at the source, in Splunk, or both?
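The filtering trade-off raised in the question, as an added example that is not part of the original post: a Python dry run of a 4662 drop rule over constructed sample events, so the rule's recall can be checked before it becomes a nullQueue transform. The policy (drop only pure read/list access to objects outside an allowlist; keep anything carrying write or control-access bits, anything touching an allowlisted object type, and anything the parser cannot read) and the GUIDs, account names and object names are assumptions for illustration; the access-mask constants are the ADS_RIGHT_DS_* values Windows reports in this field.

```python
import re

# Directory-service access-mask bits (ADS_RIGHT_DS_* values) as they
# appear in the "Access Mask" field of a 4662 event.
DS_LIST_CONTENTS = 0x04
DS_READ_PROP = 0x10
DS_WRITE_PROP = 0x20
DS_LIST_OBJECT = 0x80
DS_CONTROL_ACCESS = 0x100
READ_ONLY_BITS = DS_LIST_CONTENTS | DS_READ_PROP | DS_LIST_OBJECT

# Hypothetical allowlist of object types kept even for pure reads.
# The GUID is a placeholder for this example, not a real schemaIDGUID.
SENSITIVE_OBJECT_TYPES = {"%{11111111-2222-3333-4444-555555555555}"}
ORDINARY_OBJECT_TYPE = "%{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"  # placeholder

# Pulls the handful of 4662 fields the rule needs out of the raw
# multi-line message; each value is taken up to the end of its line.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Object Type|Object Name|Access Mask):\s*(.*?)\s*$",
    re.MULTILINE,
)


def make_event(account: str, obj_type: str, obj_name: str, mask: int) -> str:
    """Constructed sample 4662 event text in the Windows Security-log layout."""
    return (
        "EventCode=4662\n"
        "Message=An operation was performed on an object.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tCORP\n\n"
        "Object:\n"
        "\tObject Server:\t\tDS\n"
        f"\tObject Type:\t\t{obj_type}\n"
        f"\tObject Name:\t\t{obj_name}\n\n"
        "Operation:\n"
        "\tOperation Type:\t\tObject Access\n"
        f"\tAccess Mask:\t\t{mask:#x}\n"
    )


def parse_4662(raw: str) -> dict:
    """Extract the fields the rule uses; mask is None when absent."""
    fields = dict(FIELD_RE.findall(raw))
    fields["mask"] = int(fields["Access Mask"], 16) if "Access Mask" in fields else None
    return fields


def should_drop(ev: dict) -> bool:
    """Assumed policy: drop only read/list access to non-sensitive objects."""
    if ev["mask"] is None:
        return False  # fail open: never drop what we could not parse
    if ev.get("Object Type") in SENSITIVE_OBJECT_TYPES:
        return False
    return ev["mask"] & ~READ_ONLY_BITS == 0


def apply_filter(raw_events) -> dict:
    """Dry run of the rule; returns kept events and drop/total counts."""
    kept, dropped = [], 0
    for raw in raw_events:
        ev = parse_4662(raw)
        if should_drop(ev):
            dropped += 1
        else:
            kept.append(ev)
    return {"kept": kept, "dropped": dropped, "total": len(raw_events)}


# Constructed sample events (accounts, names and GUIDs are made up).
SAMPLE_EVENTS = [
    make_event("svc-ldapsync", ORDINARY_OBJECT_TYPE,
               "CN=Alice,OU=Users,DC=corp,DC=example", DS_READ_PROP),   # noisy read: drop
    make_event("jdoe", ORDINARY_OBJECT_TYPE,
               "CN=Alice,OU=Users,DC=corp,DC=example", DS_WRITE_PROP),  # write: keep
    make_event("svc-ldapsync", next(iter(SENSITIVE_OBJECT_TYPES)),
               "DC=corp,DC=example", DS_READ_PROP),                      # read on allowlisted type: keep
    make_event("jdoe", ORDINARY_OBJECT_TYPE,
               "CN=Alice,OU=Users,DC=corp,DC=example", DS_CONTROL_ACCESS),  # control access: keep
    "EventCode=4662\nMessage=truncated event with no Access Mask field\n",  # unparsable: keep
]

if __name__ == "__main__":
    result = apply_filter(SAMPLE_EVENTS)
    print(f"dropped {result['dropped']} of {result['total']} events")
```

Run the same rule against a day of real 4662 data before deploying it and confirm that every event an existing alert depends on survives. Note that props.conf/transforms.conf routing to nullQueue is applied where parsing happens (an indexer or heavy forwarder), not on a universal forwarder; on a UF the equivalent is a blacklist entry on the WinEventLog Security input stanza in inputs.conf, keyed on EventCode with a regex over the Message text.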
1 Answer
Implement Network Policies immediately. Default Kubernetes setups allow all-to-all communication, which is a significant security risk in multi-tenant environments.

Key recommendations:
1. Start with deny-all network policies, then explicitly allow required traffic
2. Implement OPA Gatekeeper for policy enforcement at the API level
3. Use namespace isolation with resource quotas
4. Implement Pod Security Standards (restricted profile)
5. Use network segmentation with Calico or Cilium

Also consider:
- Separate node groups for different tenant tiers
- Service mesh (Istio/Linkerd) for additional network controls
- Regular security scanning of container images