Splunk® Enterprise Security

Installation and Upgrade Manual

Install Add-ons

The Splunk App for Enterprise Security solution includes a number of add-ons to work with the data you want to monitor. The add-ons provide the feeds to get data from different sources, and also provide search-time knowledge maps to normalize the data for use within the app. Add-ons ensure that the data is correctly consumed for use by the Splunk App for Enterprise Security.

Add-ons provided with Enterprise Security

A number of add-ons compatible with the Splunk App for Enterprise Security and the Common Information Model (CIM) are provided within the ES app installer.

The add-ons include:

  • Splunk Add-on for Bro IDS
  • Splunk Add-on for McAfee
  • Splunk Add-on for Microsoft Windows
  • Splunk Add-on for Nessus
  • Splunk Add-on for NetFlow
  • Splunk Add-on for Oracle Database
  • Splunk Add-on for Sophos
  • Splunk Add-on for Sourcefire
  • Splunk Add-on for Unix and Linux
  • TA-airdefense
  • TA-alcatel
  • TA-bluecoat
  • TA-cef
  • TA-fireeye
  • TA-fortinet
  • TA-ftp
  • TA-juniper
  • TA-ncircle
  • TA-nmap
  • TA-ossec
  • TA-paloalto
  • TA-rsa
  • TA-sav
  • TA-sep
  • TA-tippingpoint
  • TA-trendmicro
  • TA-websense

For more information about add-ons and their sourcetypes, see "Out-of-the-box sourcetypes" in the Data Source Integration Manual.

How to get more add-ons

Each add-on is specific to a single technology, or version of a technology, and provides the knowledge necessary to incorporate that source into Enterprise Security. You can use pre-packaged add-ons or create your own.

Note: Install only apps or add-ons that state they are compatible with the Common Information Model.

  • Add-ons for a number of common source types are bundled with the Splunk App for Enterprise Security. You might need to configure some of these add-ons for your environment. Each add-on contains a README file that details the required configurations.
  • Splunkbase hosts downloadable apps and add-ons for Splunk Enterprise.
  • You can develop add-ons for unsupported or custom data formats, including your own application logs. For information on creating your own add-ons, see the Data Source Integration Manual.

You are encouraged to upload your add-ons and share them with the Splunk community. To share your add-ons:

  1. Log into splunk.com.
  2. Browse to Splunkbase.
  3. Choose "Submit your App" and follow the instructions for the upload.

Splunk Stream integration

The Enterprise Security app offers direct integration with "Splunk Stream".

Splunk Stream has two components:

1. The Splunk App for Stream is responsible for the job management of the Splunk Stream Add-on. The Splunk App for Stream is installed on the Splunk App for Enterprise Security search head.

2. The Splunk Stream Add-on is the listener that siphons data from the network. The Splunk Stream Add-on is installed on forwarders.

Data collection using the Splunk Stream Add-on requires a review and analysis of the network topology to determine the best method and location for data capture. See "Network collection architectures" in the Splunk Stream User Manual.

Stream data collection utilizes system resources that scale with the number of protocols polled and the volume of network data. See "Hardware requirements" in the Splunk Stream User Manual.

Splunk Stream communications

Integrating the Splunk App for Enterprise Security with Splunk Stream requires the installation of the Stream app on the ES search head. The Splunk Stream Add-on is installed on the forwarders, and initiates communications with the Stream app on the search head over HTTP.

Stream data capture jobs are managed from the Splunk App for Stream, and are retrieved for processing by the Stream Add-on. The Splunk Stream Add-on must be configured to communicate with the Splunk App for Stream. See "Configure Stream Forwarder" in the Splunk Stream User Manual.

Create a Stream capture job

There are two methods to create a Stream capture job from the Enterprise Security app.

A workflow action

Any event view in Splunk Enterprise or the Splunk App for Enterprise Security that has an action menu and displays a source or destination IP can be used to create a Stream packet capture job through a workflow action.

Upon initiating the workflow action, the Create Stream Capture page is displayed.

Review the requirements and change as desired:

  • Description: Defaults to the source or destination IP chosen in the workflow action.
  • Protocols to capture: Defaults to All. For more information, see "Supported Protocols" in the Splunk Stream User Manual.
  • Capture duration: Defaults to 7 days.

Choose Create Capture to finish and create a job for Splunk Stream.

Note: If Splunk Stream is not installed, a warning and a link to the app is displayed.

To view and analyze the Stream data events captured, see the "Protocol Intelligence dashboards" in the Enterprise Security User Manual.

A correlation search alert action

A correlation search can initiate a Stream capture job as an alert action. See "Configure correlation search actions" in this manual.

Installing add-ons

Use the Splunk Apps manager to configure add-ons or to add more CIM-compatible add-ons to your deployment.

Find an add-on

  1. Log into splunk.com.
  2. Browse to Splunkbase.
  3. Browse and search the list of apps.
  4. Select an app to install.

Add an add-on from a local file

  1. Click Apps next to Splunk in the menu bar.
  2. From the drop-down menu, select Manage Apps.
  3. Select Install app from file.
  4. In the Upload an app panel, browse for the location of the app and select it.
  5. Click Upload.

Edit an existing add-on

  1. Click Apps next to Splunk in the menu bar.
  2. From the drop-down menu, select Manage Apps.
  3. Select the app from the list.
  4. Click Edit Properties for the app you want to configure.
  5. When you finish, click Save.

Note: Do not use the Create app option on the Apps page with the Enterprise Security app.

Updating add-ons

Some add-ons are released independently of the Enterprise Security app, and can be downloaded directly from Splunkbase.

Update the app from within Splunk

To check for the new version of an app, select Manage Apps on the Apps menu. A link will appear in the Version column if a new version is available.

  1. Log into splunk.com.
  2. Click the link in the Version column in Splunk Enterprise.
  3. Confirm that an updated version of the add-on exists. Click Update to get the new version.
  4. To install the add-on, choose Restart.

Update the app manually

  1. Log into splunk.com.
  2. Find the new version of the add-on on Splunkbase.
  3. Download the add-on to your desktop or local directory.
  4. Browse to Apps > Manage Apps > Install app from file.
  5. Browse to the add-on location and select the add-on.
  6. Select Upgrade app... so that the new version of the add-on overwrites the prior version.
  7. Choose Upload.
  8. To install the add-on, choose Restart.

Add a custom add-on to the ES app

The Enterprise Security app is assembled from a collection of apps through an import process that inherits their content. After an app is imported, its objects are viewable and can be referenced as part of the ES app.

Using the update ES modular input

The Enterprise Security app runs a modular input to import all apps that match a filter. The modular input script runs every 5 minutes and automatically imports any add-on whose name follows one of these naming conventions: DA-*, SA-*, TA-*, Splunk_DA_*, Splunk_SA_*, and Splunk_TA_*.

Imports are transitive

App imports are transitive. This means that an app (A) that imports another app (B) also imports all of the apps (C) imported by that app.

  1. If app A imports B,
  2. and app B imports C,
  3. then A imports C.

Because supporting add-ons import each other, you might see only one supporting add-on with an updated local.meta file. This is usually SA-AccessProtection; it is the first supporting add-on in the list of apps.

View current app imports

Note: You must have administrator permissions to run the command.

View the current app imports by using rest search commands.

This example views the imports for the SplunkEnterpriseSecuritySuite app:

  | rest /servicesNS/nobody/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import

Import add-ons with a different naming convention

To add a new add-on naming convention for importing custom apps into ES, modify the inputs.conf used by the modular input.

  1. Open the $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf file.
  2. Edit or create the [app_imports_update://update_es] stanza.
  3. Edit or create the app_regex = field.
  4. Make the necessary changes using regex and save the file.
  5. Click Restart to incorporate the changes.

For example, the app new_data_source has been added to this stanza:

  [app_imports_update://update_es]
  app_regex = (new_data_source)

Remove an add-on from app import

To remove an add-on from app import:

  1. Open the $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf file.
  2. Edit or create the [app_imports_update://update_es] stanza.
  3. Edit or create the app_exclude_regex = field.
  4. Make the necessary changes using regex and save the file.
  5. Click Restart to incorporate the changes.

For example, remove a custom TA from the import process:

  [app_imports_update://update_es]
  app_exclude_regex = TA_new_test
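The import filter (default naming conventions plus app_regex, minus app_exclude_regex) and the transitive import rule described above, as an added Python example that is not Splunk's own modular input code. It assumes that app_regex extends the defaults rather than replacing them, that app_exclude_regex is applied last, and it uses a constructed app list and import graph.

```python
import re

# Default import naming conventions from the manual (DA-*, SA-*, TA-*,
# Splunk_DA_*, Splunk_SA_*, Splunk_TA_*), written as anchored prefix regexes.
DEFAULT_APP_PATTERNS = [r"^DA-", r"^SA-", r"^TA-",
                        r"^Splunk_DA_", r"^Splunk_SA_", r"^Splunk_TA_"]

def select_imports(app_names, app_regex=None, app_exclude_regex=None):
    """Return the apps the import filter would select.
    Assumptions (not taken from the product): app_regex is matched in
    addition to the defaults, patterns use re.search, and
    app_exclude_regex is applied last so an exclusion always wins."""
    patterns = list(DEFAULT_APP_PATTERNS)
    if app_regex:
        patterns.append(app_regex)
    selected = []
    for name in app_names:
        if not any(re.search(p, name) for p in patterns):
            continue
        if app_exclude_regex and re.search(app_exclude_regex, name):
            continue
        selected.append(name)
    return selected

def transitive_imports(import_map, root):
    """Resolve imports transitively: if A imports B and B imports C,
    A imports C. import_map maps an app to the apps it imports directly;
    the result is every app reachable from root, in breadth-first order."""
    seen, queue = [], list(import_map.get(root, []))
    while queue:
        app = queue.pop(0)
        if app == root or app in seen:
            continue
        seen.append(app)
        queue.extend(import_map.get(app, []))
    return seen

# Constructed sample data: app directory names and a hypothetical direct-import
# graph (not an actual ES deployment).
SAMPLE_APPS = ["SA-AccessProtection", "TA-nmap", "Splunk_TA_windows",
               "new_data_source", "TA_new_test", "search", "launcher"]
SAMPLE_IMPORTS = {
    "SplunkEnterpriseSecuritySuite": ["SA-AccessProtection"],
    "SA-AccessProtection": ["SA-Utils", "TA-nmap"],
    "SA-Utils": ["Splunk_SA_CIM"],
}
```

Note that TA_new_test (underscore) does not match the TA-* default, so it is only imported when app_regex names it, and app_exclude_regex then removes it again.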

Determine which add-ons to deploy

Add-ons might perform index-time operations. See the README associated with the add-on to determine if it includes index-time operations.

If an add-on requires index-time operations, deploy them to the indexers with the deployment server. See "About deployment server" in the Distributed Deployment Manual.

If there is no README, you can look at the configuration files. The props.conf.spec file lists the settings that are index-time operations. See "props.conf.spec" in the Admin Manual.
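A scripted version of the props.conf check above, as an added Python example that is not part of this manual or Splunk's tooling. The set of index-time settings it recognizes is an assumed, non-exhaustive subset; props.conf.spec remains the authoritative reference, and the props.conf text is constructed for a fictional add-on.

```python
import re

# Non-exhaustive subset of props.conf settings Splunk applies at index time
# (assumed for this example; props.conf.spec in the Admin Manual is authoritative).
INDEX_TIME_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE",
                   "MUST_BREAK_AFTER", "TIME_PREFIX", "TIME_FORMAT", "TZ",
                   "MAX_TIMESTAMP_LOOKAHEAD", "DATETIME_CONFIG", "TRUNCATE", "CHARSET"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")   # per-class index-time settings
STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^\s*([^#;=\s][^=]*?)\s*=\s*(.*)$")

def parse_conf(text):
    """Minimal parser for Splunk .conf text: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas

def index_time_settings(props_text):
    """Return {stanza: [keys]} for every index-time setting found in props.conf.
    An empty result means the add-on is search-time only and need not go to
    the indexers; anything else must be deployed there as well."""
    found = {}
    for stanza, settings in parse_conf(props_text).items():
        hits = [k for k in settings
                if k in INDEX_TIME_KEYS or k.startswith(INDEX_TIME_PREFIXES)]
        if hits:
            found[stanza] = hits
    return found

# Constructed props.conf for a fictional add-on: the first stanza mixes
# index-time and search-time settings, the second is search-time only.
SAMPLE_PROPS = """\
[vendor:app:log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 25
TRANSFORMS-drop_debug = drop_debug_events
EXTRACT-user = user=(?<user>\\S+)

[vendor:app:audit]
KV_MODE = auto
REPORT-fields = audit_fields
"""
```

Run it against $SPLUNK_HOME/etc/apps/<add-on>/default/props.conf to see which stanzas force the add-on onto the indexers.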


This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.1, 3.3.2, 3.3.3
