Access and install additional apps and add-ons to use the InfoSec app for Splunk
You must install the following supporting Splunk apps and add-ons from Splunkbase before you can use the InfoSec app for Splunk:
- Splunk Common Information Model (CIM)
- Punchcard visualization
- Force Directed app for Splunk
- Lookup File Editor
  A requirement for the InfoSec app versions 1.5 and higher.
- Splunk Sankey Diagram visualization
  An optional prerequisite for the experimental VPN Access dashboard version 1.5.3 and higher.
Optionally, you can also install the following three apps and add-ons:
The Splunk Security Essentials (SSE) app includes hundreds of additional security searches that you can integrate into the Splunk InfoSec App. The SSE app also includes comprehensive guided data on-boarding examples that can help identify the data sources required to enable the security controls and assist in the configuration of the underlying data source.
The third-party Alert Manager app and Alert Manager add-on provide an incident management capability with simple workflows to support the management of triggered alerts from within the Splunk InfoSec app.
For more information on installing and configuring the SSE app, see the Splunk Security Essentials app documentation. For more information on installing and configuring the Alert Manager app, see the Alert Manager documentation.
You can install any of these apps within Splunk Cloud except the Splunk Common Information Model (CIM) app.
Access the additional apps or add-ons
Follow these steps to access the additional apps or add-ons in your Splunk Cloud or Splunk Enterprise environment:
Steps
- Log in to your Splunk environment with an account that has administrative privileges.
- In Splunk Web, select the App menu in the menu bar.
- Click Find More Apps.
- Type the name of the app or add-on in the search bar.
The app is listed as one of the available apps for installation.
Install the additional app or add-on
Follow these steps to install the additional app or add-on in your Splunk Cloud or Splunk Enterprise environment:
- In your Splunk platform instance, click Install next to the additional app or add-on name.
- Log in with the credentials that you use to log in to the Splunk Support Portal on the www.splunk.com website or Splunkbase.
- Confirm that the additional app or add-on is installed by selecting the app or add-on from the app menu.
You are ready to configure the InfoSec app. Next, confirm the health of the Splunk InfoSec app. See Confirm the health of the Splunk InfoSec app.
Troubleshooting display issues on dashboards due to Sankey and Punchcard apps
Issue
If you are installing the Splunk app for InfoSec for the first time and you are on Splunk on-premises or Splunk Cloud (Classic or Victoria experience), you might see display issues with some dashboards. For example, the default charts on the Security Posture dashboard might display an error indicating that the Punchcard application is not installed.
Cause
Dashboard visualizations for the Splunk app for InfoSec depend on the Sankey and Punchcard apps. However, the Sankey and Punchcard visualization apps are no longer supported and do not appear on Splunkbase. These apps are not displayed in the Splunk UI for Managing Apps, and therefore you can't automatically install them.
Solution
You can manually install the Sankey and Punchcard visualization apps.
This workaround exists only for Splunk on-prem or Splunk Cloud (Classic) experience.
Install Sankey and Punchcard apps manually
Follow these steps to install the Sankey and Punchcard apps manually:
Use this procedure if you are on Splunk on-prem or Splunk Cloud (Classic) experience. If you are on Splunk Cloud (Victoria) experience, you won't be able to install these visualization apps due to validation issues.
- Download the Sankey and Punchcard apps from the Splunkbase archive. Use the following links on Splunkbase to download the Sankey and Punchcard apps:
- Save the downloaded .spl or .tgz file.
- Log in to Splunk Web and select the Apps gear icon.
- Go to Apps and then select Manage apps.
- Select Install app from the file.
- Select Upload app.
- Enter your splunk.com account credentials such as username and password.
  Splunk Cloud Platform uses these credentials to authenticate using AppInspect.
- Select Agree and Login to confirm that you accept the specified license conditions.
- Select your app package and then select Upload. This displays the installation success dialog and the app appears in the Uploaded Apps table.
- Restart your Splunk instance.
- Go to Manage Apps in Splunk Web and check if the app is listed.
This verifies that the installation was completed successfully.
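Because the Sankey and Punchcard packages are no longer supported and are installed from a saved file, it is worth inspecting the downloaded .spl or .tgz before uploading it. The following Python code is an added example, not part of the Splunk documentation: it checks that the package is a gzip-compressed tar with one top-level app directory, a default/app.conf, and no unsafe paths or links. The function names and the sample package are hypothetical, and the layout check assumes the standard Splunk app structure.

```python
import hashlib
import io
import tarfile


def inspect_app_package(data: bytes) -> dict:
    """Inspect a Splunk app package (.spl/.tgz) in memory, without extracting it."""
    problems, top_dirs, names = [], set(), set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            if not parts:
                continue
            # Absolute paths or ".." components would land outside the apps directory.
            if member.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path: {member.name}")
            # Links, devices and FIFOs have no place in an app package.
            if not (member.isfile() or member.isdir()):
                problems.append(f"non-regular member: {member.name}")
            top_dirs.add(parts[0])
            names.add("/".join(parts))
    app = next(iter(top_dirs)) if len(top_dirs) == 1 else None
    if app is None:
        problems.append(f"expected one top-level app directory, found {sorted(top_dirs)}")
    elif f"{app}/default/app.conf" not in names:
        problems.append("missing default/app.conf")
    # Record the digest so the file uploaded later can be matched to the one reviewed.
    return {"sha256": hashlib.sha256(data).hexdigest(), "app_dir": app, "problems": problems}


def build_sample(files: dict) -> bytes:
    """Build a constructed .tgz in memory for the demo (not a real Splunk app)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample; for a real download, pass open(path, "rb").read() instead.
    sample = build_sample({"demo_viz/default/app.conf": b"[launcher]\nversion = 0.0.0\n"})
    print(inspect_app_package(sample))
```

An empty `problems` list means the structural checks passed; it does not replace the AppInspect validation that runs during upload.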
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0