Out-of-the-box source types
This topic lists the add-ons included in the Splunk App for Enterprise Security. The tables below map each add-on to its data source and the source type it uses, along with a brief description.
The source type assignment is critical to the proper functioning of Enterprise Security. A source type determines how an incoming data source is mapped into the Common Information Model (CIM). The CIM fields are combined with the other search-time knowledge objects from the add-ons to provide the knowledge needed when searching the source, and the searches use that knowledge to return the results displayed in the dashboards and views that make up Enterprise Security.
See "Source vs sourcetype" for more information on default fields in Splunk Enterprise.
Wireless Devices
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Motorola AirDefense wireless IDS | airdefense | TA-airdefense | Parses AirDefense log data for use in CIM-compliant Splunk apps |
| Alcatel | alcatel | TA-alcatel | Parses Alcatel network switch log data for use in CIM-compliant Splunk apps |
Proxies
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Blue Coat ProxySG | bluecoat | TA-bluecoat | Parses Blue Coat proxy data for use in CIM-compliant Splunk apps |
| Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM-compliant Splunk apps |
| Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet | Parses Fortinet log data for use in CIM-compliant Splunk apps |
| Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto | Parses Palo Alto firewall log data for use in CIM-compliant Splunk apps |
| Websense firewalls | websense | TA-websense | Parses Websense log data for use in CIM-compliant Splunk apps |
Intrusion Detection/Prevention Systems
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| TippingPoint | tippingpoint | TA-tippingpoint | Parses TippingPoint log data for use in CIM-compliant Splunk apps |
| Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM-compliant Splunk apps |
| OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec | Parses OSSEC HIDS log data for use in CIM-compliant Splunk apps |
| Snort network intrusion prevention and detection system (IDS/IPS) | snort | TA-snort | Parses Snort IDS (open source) log data for use in CIM-compliant Splunk apps |
| McAfee firewall | mcafee:ids | TA-mcafee | Allows you to ingest McAfee ePO data for use in CIM-compliant Splunk apps |
| Norse IPViking | norse | Splunk_TA_norse | Allows you to download Norse Darklist threat intelligence data for use in Splunk. It also includes support for contextual lookups to Norse IPViking |
| Windows Management Instrumentation (WMI) | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
Networking Devices
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Bro IDS 2.1 | bro | TA-Bro | Allows you to ingest packet captures (pcap) in Splunk using Bro IDS 2.1 |
| Common Event Format (CEF) | cef | TA-cef | Parses ArcSight CEF data into the field names used by CIM-compliant Splunk apps, and is a useful template to start from when building a new add-on |
| flowd NetFlow collector | flowd | TA-flowd | Parses flowd NetFlow data for use in CIM-compliant Splunk apps |
| NetFlow | flowfix | Splunk_TA_flowfix | Allows you to ingest NetFlow versions 5 and 7, along with IPFIX without vendor extensions |
| FTP servers | vsftpd | TA-ftp | Parses vsftpd log data for use in CIM-compliant Splunk apps |
Anti-virus / Endpoint Software
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Sophos | SEC server log or syslog (sophos:threats) | TA-sophos | Parses Sophos log data for use in CIM-compliant Splunk apps |
| FireEye | cef logs or XML output | TA-fireeye | Parses FireEye data for use in CIM-compliant Splunk apps |
| McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee | Allows you to ingest McAfee ePO data for use in CIM-compliant Splunk apps |
| Symantec AntiVirus version 10 and earlier | sav, winsav | TA-sav | Parses Symantec AntiVirus log data for use in CIM-compliant Splunk apps |
| Symantec Endpoint Protection (SEP) and Symantec AntiVirus version 11 and later | sep, sep:scm_admin | TA-sep | Parses Symantec Endpoint Protection log data for use in CIM-compliant Splunk apps |
| Trend Micro Endpoint Protection | WinEventLog:Application:trendmicro | TA-trendmicro | Parses Trend Micro log data for use in CIM-compliant Splunk apps |
Vulnerability Management Systems
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle | Allows you to ingest nCircle log data for use in CIM-compliant Splunk apps |
| Nessus vulnerability scanner | nessus | TA-nessus | Allows you to ingest Tenable Nessus log data for use in CIM-compliant Splunk apps |
| Nmap security scanner | nmap | TA-nmap | Parses Network Mapper (Nmap) log data for use in CIM-compliant Splunk apps |
Operating Systems
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| Snare | snare | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| NTSyslog | ntsyslog | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Monitorware | monitorware | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Platform-specific Unix authentication (security) logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix | Includes predefined inputs to collect data from *nix systems and normalize the data for use in CIM-compliant Splunk apps |
| Windows event, DHCP, and system update logs | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Windows Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
Other data sources
| Data source | Source type(s) | Add-on | Description |
|---|---|---|---|
| IP2Location geolocation software | (not applicable) | TA-ip2location | Provides the ability to correlate IP addresses to locations using the Python IP2Location library |
| Oracle database | oracle | TA-oracle | Parses Oracle database server log data for use in CIM-compliant Splunk apps |
| RSA ACE (SecurID) | WinEventLog:Application:rsa | TA-rsa | Parses RSA ACE log data for use in CIM-compliant Splunk apps |
| Splunk Enterprise access and authentication logs | audittrail | TA-splunk | Parses Splunk audit log data for use in CIM-compliant Splunk apps |