The Splunk App for Enterprise Security gives the security practitioner visibility into security-relevant data that is captured and indexed within Splunk.
The reports and correlation searches of the Splunk App for Enterprise Security present a unified view of security across heterogeneous vendor data formats. Splunk does this with search-time mappings to a common set of field names and tags. These mappings can be defined at any time after the data is captured and indexed, and the data is available for search immediately.
This means that you do not need to write parsers before you can start collecting and searching the data. However, you need to define the field extractions and tags for each data format before the Enterprise Security reports and correlation searches will work on that data. These tags and field extractions for data formats are defined in add-ons. The Splunk App for Enterprise Security ships with an initial set of these add-ons. This guide explains how to create your own.
Add-ons contain the Splunk "knowledge" (field extractions, tags, and source types) that is necessary to extract and normalize information from the data sources at search time and make the resulting information available for reporting. By creating your own add-ons, you can add new or custom types of data and fully integrate them with the existing dashboards and reports within the Splunk App for Enterprise Security.
After you create an add-on, you can add it to your Enterprise Security deployment or post it to Splunkbase to share with others.
What is an add-on?
An add-on is a Splunk app that extracts knowledge from IT data so that it can be processed by Enterprise Security, as well as by other apps that leverage the Common Information Model (CIM). The add-on may pull data into Splunk or map data that is already coming in. An add-on might conflict with or duplicate another Splunk app that pulls in the same kind of data if both claim the same source type. The difference between an add-on and any other Splunk app is compliance with the CIM.
Note: The add-on does not require a user interface because reporting is handled by existing dashboards, centers, and searches in Enterprise Security.
Define a source type for the data
By default, Splunk assigns a source type to each data input automatically. Each add-on defines at least one source type for the data that is captured and indexed within Splunk, and that source type must override the one Splunk would assign automatically, because Enterprise Security applies the add-on's field extractions based on the source type. At search time, the add-on extracts key values from the raw text of the logs into "fields" that are fully compliant with the Common Information Model.
An add-on performs the following functions:
- Capture and index the data. If necessary, the add-on can import the data into Splunk and assign its source type. This step is not required if the data is already in Splunk with the correct source type.
- Identify the relevant events that should be visible for security purposes, such as a successful login to a server.
- Extract fields and aliases that match the CIM so that notable events are generated and dashboards function correctly.
- Create tags to categorize the data. For example, tag all data that indicates network communication with the tags "network" and "communicate".
- Create additional required fields that are not in the original data source, such as fields that describe the vendor or product.
- Normalize field values to a common standard, such as changing "Accepted public key" or "Success Audit" to "action=success."
Each add-on is designed for a specific data format, such as a particular vendor's firewall or router. After the add-on is created, data sources need to be assigned the corresponding source type for the add-on to begin processing the data.
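The following is an added example, not configuration from this document or from any add-on that ships with Enterprise Security. It shows the search-time knowledge for one hypothetical source type, `acme:sshd`, and covers both the source type override described above and the functions in the list: identifying the relevant events, extracting CIM fields and aliases, tagging, adding vendor and product fields, and normalizing the outcome to `action=success` or `action=failure`. The file path, the source type name, the event type and tag names, and the sample log line in the comment are all assumptions constructed for the example.

```ini
# ---- props.conf ----

# Override Splunk's automatic source typing for files collected from this
# (assumed) path so that the add-on's extractions apply to the events.
[source::/var/log/acme/sshd*.log]
sourcetype = acme:sshd

[acme:sshd]
# Constructed sample event that the regex below is written against:
#   Jun  3 10:14:22 bastion sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
EXTRACT-acme_sshd_auth = sshd\[\d+\]:\s+(?<vendor_action>Accepted \w+|Failed \w+) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+) port (?<src_port>\d+)

# CIM aliases: the Authentication model expects the client in "src" and the
# server that received the login attempt in "dest" (here, the logging host).
FIELDALIAS-acme_sshd_src  = src_ip AS src
FIELDALIAS-acme_sshd_dest = host AS dest

# Normalize the vendor-specific outcome text to the CIM "action" field.
EVAL-action = case(like(vendor_action, "Accepted%"), "success", like(vendor_action, "Failed%"), "failure")

# Required fields that the raw log does not carry.
EVAL-vendor  = "Acme"
EVAL-product = "SSH Server"
EVAL-app     = "sshd"

# ---- eventtypes.conf ----

# Identify the security-relevant events: every login attempt with a
# normalized outcome, whether it succeeded or failed.
[acme_sshd_authentication]
search = sourcetype=acme:sshd action=*

# ---- tags.conf ----

# Categorize the event type so CIM-based Authentication searches and
# dashboards in Enterprise Security pick these events up.
[eventtype=acme_sshd_authentication]
authentication = enabled
```

Place these files in the add-on's `default` directory under `$SPLUNK_HOME/etc/apps/`, and export the add-on's knowledge objects to other apps (for example with `export = system` in `metadata/default.meta`) so that Enterprise Security can see the event type, tags, and extractions. Because everything here is applied at search time, the configuration can be adjusted and re-tested against data that is already indexed without re-ingesting it.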
Tasks you need to build an add-on
See the Knowledge Manager Manual in the core Splunk product documentation for information about the following tasks.
- How to create field extractions
- How to create tags
- How to create any additional fields you might need
- How to normalize field values
- How to map your data
See "Out-of-the-box source types" in this document for a list of tags and source types that are available with the Splunk App for Enterprise Security.
Each Enterprise Security add-on is specific to a single technology or portion of a technology that provides the Splunk knowledge necessary to incorporate that technology into the Splunk App for Enterprise Security. You can use prepackaged add-ons when they are available.
Add-ons for a number of common source types are bundled with the Splunk App for Enterprise Security. You might need to configure some of these add-ons for your environment. Each add-on contains a README file that describes the required configurations.
Create an add-on
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1