Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Solution architecture

The Splunk App for Enterprise Security provides a set of views that summarizes the security status for the enterprise.

  • Domain Add-ons, or DA's provide the users view into the various security domains. They contain search knowledge for investigation and summarization of security-relevant data.
  • Supporting Add-ons, or SA's provide an intermediary knowledge and normalization layer used by the DA's.
  • Technology Add-ons, TA's, or just add-ons are responsible for formatting the indexed data for use by the SA's.

All add-on layers must be installed and configured properly for the Enterprise Security app to function.


Es-architecture 3-1.png

The Splunk App for Enterprise Security

The Splunk App for Enterprise Security provides high-level aggregate views for all security domains, and functionality that summarizes the information into a single visual reference. The Enterprise Security app inherits the knowledge objects provided through the various DA's, SA,'s and TA's during the setup process.

Domain add-ons

The DA's provide dashboards, views, and searches that provide visibility into the primary domains of security:

  • Access protection
  • Endpoint protection
  • Network protection

Each domain includes summary dashboards that give an overview of important security metrics, along with search views that make it possible to drill down to more detailed information. These views act as interactive starting points to investigate and explore the data to discover abnormal behavior.

Supporting add-ons

The SA's provide the intermediary knowledge and normalization layer used by the DA's. The SA layer is responsible for the schemas used to map data sources into the Common Information Model for analysis through data models. They also host the information about assets and identities along with the searches to correlate that data and provide alerts and other events to the domains.

  • Threat Intelligence
  • Network Protection
  • Access Protection
  • Audit and Data protection
  • Endpoint Protection
  • Identity Management

Technology add-ons

The TA's or add-ons provides a layer of abstraction that forms the link between data from specific technologies such as McAfee data or Juniper firewall logs and the higher-level configurations in the Enterprise Security app. They also contain search-time knowledge mappings that assign fields and tags to the data to be used by the higher-level search layer.

The TA layer is the most critical during the planning and installation phase of the Enterprise Security app.

  • The TA's should be tested against the source data to confirm that the extraction are functioning properly.
  • The TA's may need to be deployed to indexers if index-time modifications are required.
  • The TA's may be deployed to forwarders, depending upon the data source and network architecture.

For a list of the add-ons included with the Enterprise Secuirty app, see "Out-of-the-box source types" in the Data Source Integration Manual.

Knowledge objects

The Splunk App for Enterprise Security uses the knowledge objects layers provided in Splunk Enterprise.

Knowledge object Description How it's used in the Enterprise Security app
Tags An abstraction of one or more field values. Used with event types. The combination of tags and event types is used in add-ons to facilitate data mappings.
Event types A type of search to categorize and label a group of matching events. Used with tags. The combination of tags and event types is used in add-ons to facilitate data mappings.
Data Models A hierarchically structured collection of fields. Required for CIM. See Common Information Model overview. Data models are used for searching and populating dashboards. See Data models in the Enterprise Security app
Lookups A tabular structured data source. Used with assets and identities. See Identity Management Used to normalize common data fields. See Common Information Model Normalization.
Macros A type of search that is designed for reuse. Macros allow for fast search modification through the reuse of common search strings.
Swim lane search A type of search with a specific visualization
Key security indicator A type of search with a specific visualization Used at the top of many dashboards. See Key indicators.
Correlation searches A type of search that looks across multiple data sources for defined patterns. Creates an alert. Used to generate notable events and risk scores. See Configure correlation searches.
Notable event An alert type used to create an audited, tracked event. Creates a stored event to be assigned, tracked, updated, and audited. See Configure notable events
Risk score An alert type used to create an risk modifier. Creates a stored event that increments the risk score of an object. See Configure risk scoring.
Last modified on 13 November, 2014
Plan your data inputs   Install Add-ons

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters