Splunk® Enterprise Security

Data Source Integration Manual


Out-of-the-box source types

This topic provides a list of the add-ons included in the Splunk App for Enterprise Security. The tables below map the add-on to the data source and the source type used, along with a brief description.

The source type assignment is critical to the proper functioning of Enterprise Security. A source type determines how an incoming data source is mapped into the Common Information Model (CIM). The CIM fields are combined with the other search-time knowledge objects from the add-ons (field extractions, lookups, tags, and event types) to provide the knowledge needed when searching the source, and the Enterprise Security searches rely on that knowledge to return the results displayed in the dashboards and views that make up Enterprise Security. An event that arrives with the wrong source type is not normalized, so it is silently missing from those dashboards and correlation searches even though it was indexed. See "Source vs sourcetype" for more information on default fields in Splunk Enterprise.

Wireless Devices

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Motorola AirDefense wireless IDS | airdefense | TA-airdefense | Parses AirDefense log data for use in CIM compliant Splunk apps |
| Alcatel | alcatel | TA-alcatel | Parses Alcatel network switch log data for use in CIM compliant Splunk apps |

Proxies

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Blue Coat ProxySG | bluecoat | TA-bluecoat | Parses Bluecoat proxy data for use in CIM compliant Splunk apps |
| Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps |
| Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet | Parses Fortinet log data for use in CIM compliant Splunk apps |
| Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto | Parses Palo Alto firewall log data for use in CIM compliant Splunk apps |
| Websense firewalls | websense | TA-websense | Parses Websense log data for use in CIM compliant Splunk apps |

Intrusion Detection/Prevention Systems

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| TippingPoint | tippingpoint | TA-tippingpoint | Parses TippingPoint log data for use in CIM compliant Splunk apps |
| Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps |
| OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec | Parses OSSEC HIDS log data for use in CIM compliant Splunk apps |
| Snort network intrusion prevention and detection system (IDS/IPS) | snort | TA-snort | Parses Snort IDS (open source) log data for use in CIM compliant Splunk apps |
| McAfee firewall | mcafee:ids | TA-mcafee | Allows you to ingest McAfee EPO data for use in CIM compliant Splunk apps |
| Norse IPViking | norse | Splunk_TA_norse | Allows you to download Norse Darklist threat intelligence data for use in Splunk. It also includes support for contextual lookups to Norse IPViking |
| Windows Management Instrumentation (WMI) | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |

Networking Devices

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Bro IDS 2.1 | bro | TA-Bro | Allows you to ingest packet captures (pcap) in Splunk using Bro IDS 2.1 |
| Common Event Format (CEF) | cef | TA-cef | Parses ArcSight CEF data to the field names for use in CIM compliant Splunk apps, and is a useful template to start from when building a new add-on |
| flowd NetFlow collector | flowd | TA-flowd | Parses flowd NetFlow data for use in CIM compliant Splunk apps |
| NetFlow | flowfix | Splunk_TA_flowfix | Allows you to ingest NetFlow versions 5 and 7, along with IPFIX without vendor extensions |
| FTP servers | vsftpd | TA-ftp | Parses vsftpd log data for use in CIM compliant Splunk apps |

Anti-virus / Endpoint Software

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Sophos | SEC server log or syslog (sophos:threats) | TA-sophos | Parses Sophos log data for use in CIM compliant Splunk apps |
| FireEye | cef logs or XML output | TA-fireeye | Parses FireEye data for use in CIM compliant Splunk apps |
| McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee | Allows you to ingest McAfee EPO data for use in CIM compliant Splunk apps |
| Symantec AntiVirus version 10 and earlier | sav, winsav | TA-sav | Parses Symantec AntiVirus log data for use in CIM compliant Splunk apps |
| Symantec Endpoint Protection (SEP) and Symantec AntiVirus version 11 and later | sep, sep:scm_admin | TA-sep | Parses Symantec Endpoint Protection log data for use in CIM compliant Splunk apps |
| Trend Micro Endpoint Protection | WinEventLog:Application:trendmicro | TA-trendmicro | Parses Trend Micro log data for use in CIM compliant Splunk apps |

Vulnerability Management Systems

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle | Allows you to ingest nCircle log data for use in CIM compliant Splunk apps |
| Nessus vulnerability scanner | nessus | TA-nessus | Allows you to ingest Tenable Nessus log data for use in CIM compliant Splunk apps |
| Nmap security scanner | nmap | TA-nmap | Parses Network Mapper log data for use in CIM compliant Splunk apps |

Operating Systems

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Snare | snare | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
| NTSyslog | ntsyslog | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
| Monitorware | monitorware | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
| Platform-specific Unix authentication (security) logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix | Includes predefined inputs to collect data from *nix systems and normalize the data for use in CIM compliant Splunk apps |
| Windows event, DHCP, and system update logs | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
| Windows Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |

Other data sources

| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| IP2Location geolocation software | (not applicable) | TA-ip2location | Provides the ability to correlate IP addresses to locations using the Python IP2Location library |
| Oracle database | oracle | TA-oracle | Parses Oracle database server log data for use in CIM compliant Splunk apps |
| RSA ACE (SecurID) | WinEventLog:Application:rsa | TA-rsa | Parses RSA ACE log data for use in CIM compliant Splunk apps |
| Splunk Enterprise access and authentication logs | audittrail | TA-splunk | Parses Splunk audit log data for use in CIM compliant Splunk apps |

Last modified on 19 June, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1