The Splunk App for Enterprise Security provides a set of views that summarizes the security status for the enterprise.
- Domain Add-ons, or DA's provide the users view into the various security domains. They contain search knowledge for investigation and summarization of security-relevant data.
- Supporting Add-ons, or SA's provide an intermediary knowledge and normalization layer used by the DA's.
- Technology Add-ons, TA's, or just add-ons are responsible for formatting the indexed data for use by the SA's.
All add-on layers must be installed and configured properly for the Enterprise Security app to function.
The Splunk App for Enterprise Security
The Splunk App for Enterprise Security provides high-level aggregate views for all security domains, and functionality that summarizes the information into a single visual reference. The Enterprise Security app inherits the knowledge objects provided through the various DA's, SA,'s and TA's during the setup process.
The DA's provide dashboards, views, and searches that provide visibility into the primary domains of security:
- Access protection
- Endpoint protection
- Network protection
Each domain includes summary dashboards that give an overview of important security metrics, along with search views that make it possible to drill down to more detailed information. These views act as interactive starting points to investigate and explore the data to discover abnormal behavior.
The SA's provide the intermediary knowledge and normalization layer used by the DA's. The SA layer is responsible for the schemas used to map data sources into the Common Information Model for analysis through data models. They also host the information about assets and identities along with the searches to correlate that data and provide alerts and other events to the domains.
- Threat Intelligence
- Network Protection
- Access Protection
- Audit and Data protection
- Endpoint Protection
- Identity Management
The TA's or add-ons provides a layer of abstraction that forms the link between data from specific technologies such as McAfee data or Juniper firewall logs and the higher-level configurations in the Enterprise Security app. They also contain search-time knowledge mappings that assign fields and tags to the data to be used by the higher-level search layer.
The TA layer is the most critical during the planning and installation phase of the Enterprise Security app.
- The TA's should be tested against the source data to confirm that the extraction are functioning properly.
- The TA's may need to be deployed to indexers if index-time modifications are required.
- The TA's may be deployed to forwarders, depending upon the data source and network architecture.
For a list of the add-ons included with the Enterprise Secuirty app, see "Out-of-the-box source types" in the Data Source Integration Manual.
The Splunk App for Enterprise Security uses the knowledge objects layers provided in Splunk Enterprise.
|Knowledge object||Description||How it's used in the Enterprise Security app|
|Tags||An abstraction of one or more field values. Used with event types.||The combination of tags and event types is used in add-ons to facilitate data mappings.|
|Event types||A type of search to categorize and label a group of matching events. Used with tags.||The combination of tags and event types is used in add-ons to facilitate data mappings.|
|Data Models||A hierarchically structured collection of fields.||Required for CIM. See Common Information Model overview. Data models are used for searching and populating dashboards. See Data models in the Enterprise Security app|
|Lookups||A tabular structured data source.||Used with assets and identities. See Identity Management Used to normalize common data fields. See Common Information Model Normalization.|
|Macros||A type of search that is designed for reuse.||Macros allow for fast search modification through the reuse of common search strings.|
|Swim lane search||A type of search with a specific visualization|
|Key security indicator||A type of search with a specific visualization||Used at the top of many dashboards. See Key indicators.|
|Correlation searches||A type of search that looks across multiple data sources for defined patterns. Creates an alert.||Used to generate notable events and risk scores. See Configure correlation searches.|
|Notable event||An alert type used to create an audited, tracked event.||Creates a stored event to be assigned, tracked, updated, and audited. See Configure notable events|
|Risk score||An alert type used to create an risk modifier.||Creates a stored event that increments the risk score of an object. See Configure risk scoring.|
Plan your data inputs
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1