Splunk® InfoSec App

Installation Guide

Collect data from data sources to use the InfoSec app for Splunk

To check that the InfoSec app for Splunk functions as you expect it to, you must onboard data from various data sources.

Make sure that you have data from the following security sources in your Splunk environment:

  • Firewall and Intrusion Detection Systems (IDS/IPS) data. For example, data from Cisco, Palo Alto Networks, Check Point, Fortinet, or Juniper.
  • Authentication data. For example, Active Directory data from the Windows logs on Domain Controllers or Microsoft 365.
    For Microsoft Active Directory, the audit policy must be set to ensure the accurate logging of the event data.
  • Malware or antivirus tools data. For example, data from Symantec, McAfee, Sophos, Trend Micro, and so on.

All data used by the InfoSec app must be Common Information Model (CIM) compliant. To check that the data is CIM compliant, use the CIM-compliant Splunk add-ons for your security devices.
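
One way to confirm that onboarded events actually reach the CIM data models is a search like the following. This is an added example, not part of the Splunk documentation; it assumes the standard CIM data model names Authentication, Network_Traffic, Intrusion_Detection, and Malware correspond to the three source categories listed above.

```spl
| tstats count max(_time) as latest from datamodel=Authentication by index, sourcetype
| eval datamodel="Authentication"
| append
    [| tstats count max(_time) as latest from datamodel=Network_Traffic by index, sourcetype
     | eval datamodel="Network_Traffic"]
| append
    [| tstats count max(_time) as latest from datamodel=Intrusion_Detection by index, sourcetype
     | eval datamodel="Intrusion_Detection"]
| append
    [| tstats count max(_time) as latest from datamodel=Malware by index, sourcetype
     | eval datamodel="Malware"]
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
| table datamodel index sourcetype count latest
| sort datamodel, -count
```

A data model with no rows means that no events from that source category are being mapped into it, and an old value in the latest column points to a source that has stopped sending data.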

Onboard data from data sources

Follow these steps to onboard data sources if the Splunk Security Essentials (SSE) app is already installed in your environment:

  1. In Splunk Web, select the App menu in the menu bar.
  2. Open the Splunk Security Essentials app.
  3. Navigate to Data > Data Source Onboarding Guides.
    A list of commonly available data sources in the Splunk platform displays.
  4. Expand Authentication from the Data Source column to view the authentication logs.
  5. Click Windows Security Logs from the Technology column.
  6. Follow the instructions provided for data onboarding.
Last modified on 25 February, 2021
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0
