Out-of-the-box source types
This section provides a list of the data sources for which the Splunk App for Enterprise Security provides out-of-the-box support. It also provides a list of the source types that are used for the different data sources and technology add-ons.
Source types matter because Enterprise Security uses the source type of every event as the basis for parsing it and mapping it into the app's data models. Define source types carefully so that a single source type is not overloaded with several log formats or assigned to data it was not meant for.
When a supported data type is imported, the correct source type must be assigned to the input so that the Splunk App for Enterprise Security recognizes and parses the data correctly. For example, events from a Juniper firewall must be assigned the netscreen:firewall source type for TA-juniper to recognize and parse them.
To learn more about the supported data types and source types, see the "List of pretrained source types" in the core Splunk product documentation. For more information on assigning source types to data inputs, see "About default fields" in the core Splunk product documentation.
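The Juniper case above, as an added configuration example that is not from the original page or from TA-juniper itself: several firewalls share one UDP syslog listener, so the listener keeps the generic syslog source type and a props/transforms pair rewrites only the NetScreen events to netscreen:firewall. The port, the stanza names and the regular expression are assumptions; check the pattern against a real event from your device before relying on it.

```ini
# inputs.conf (assumed: all firewalls send syslog to UDP/514 on a heavy forwarder)
# Avoid setting sourcetype = netscreen:firewall on this shared listener: that
# would overload the source type with other vendors' events and break parsing
# for TA-juniper and the other add-ons alike.
[udp://514]
sourcetype = syslog
connection_host = dns

# props.conf - apply the rewrite only to events that arrived on that listener
[source::udp:514]
TRANSFORMS-sourcetype_juniper = set_sourcetype_netscreen

# transforms.conf - NetScreen syslog carries a "NetScreen device_id=" marker
# (assumed pattern; verify it against your device's actual log format)
[set_sourcetype_netscreen]
REGEX = NetScreen\s+device_id=
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::netscreen:firewall
```

After restarting the forwarder, confirm the assignment with a search such as `sourcetype=netscreen:firewall | head 5`, and check that no Juniper events are still landing under `sourcetype=syslog`. If the device can be pointed at its own port instead, a dedicated `[udp://5140]` stanza with `sourcetype = netscreen:firewall` avoids the regex entirely and is the more robust choice.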
The following table lists the data sources with out-of-the-box support in the Splunk App for Enterprise Security, along with the associated source type and technology add-on name:
| Data source | Source type(s) | Technology add-on |
|---|---|---|
| Proxies | | |
| Blue Coat ProxySG | bluecoat | TA-bluecoat |
| Firewalls | | |
| Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper |
| Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet |
| Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto |
| Websense firewalls | websense | TA-websense |
| Intrusion Detection/Prevention Systems | | |
| TippingPoint | tippingpoint | TA-tippingpoint |
| Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper |
| OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec |
| Snort network intrusion prevention and detection system (IDS/IPS) | snort | TA-snort |
| McAfee firewall | mcafee:ids | TA-mcafee |
| WMI | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows |
| Networking Devices | | |
| Common Event Format (CEF) | cef | TA-cef |
| flowd NetFlow collector | flowd | TA-flowd |
| FTP (File Transfer Protocol) servers | vsftpd | TA-ftp |
| Anti-virus / Endpoint Software | | |
| Sophos | sophos:threats (SEC server log or syslog) | TA-sophos |
| FireEye | cef (CEF logs) or XML output | TA-fireeye |
| McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee |
| Symantec AntiVirus version 10 and earlier. Use sep for version 11 and later. | sav, winsav | TA-sav |
| Symantec Endpoint Protection (SEP) host-based intrusion detection/prevention system and Symantec AntiVirus version 11 and later. | sep, sep:scm_admin | TA-sep |
| Trend Micro (events read from the Windows Application event log, source::WinEventLog:Application) | WinEventLog:Application:trendmicro | TA-trendmicro |
| Vulnerability Management Systems | | |
| nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle |
| Nessus vulnerability scanner | nessus | TA-nessus |
| Nmap security scanner | nmap | TA-nmap |
| Operating Systems | | |
| Snare | snare | Splunk_TA_windows |
| NTSyslog | ntsyslog | Splunk_TA_windows |
| Monitorware | monitorware | Splunk_TA_windows |
| Platform-specific Unix authentication (security) logs and dhcpd logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix |
| Windows event logs, DHCP server, Windows Update, registry and file system change logs, and installed-application / listening-port script output | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows |
| Other | | |
| IP2Location geolocation software | (not applicable) | TA-ip2location |
| Oracle database | oracle | TA-oracle |
| RSA (events read from the Windows Application event log, source::WinEventLog:Application) | WinEventLog:Application:rsa | TA-rsa |
| Splunk access and authentication logs | audittrail | TA-splunk |
| Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows |
This documentation applies to ES version 2.4.