Splunk® InfoSec App

User Guide

Overview of the InfoSec app for Splunk

Use the InfoSec app for Splunk as an entry-level security solution powered by the Splunk platform to address the most common security use cases, including continuous monitoring and security investigations. You can also use the InfoSec app for a number of advanced threat detection use cases and expand them using other security apps and add-ons that you can download from Splunkbase.

The InfoSec app (version 1.7.0) works with the following apps and add-ons. Install them alongside the InfoSec app so that its dashboards and visualizations render correctly:

  • Force Directed app For Splunk (version 3.1.0)
  • Lookup File Editor (version 3.5.0)
  • Punchcard - Custom Visualization (version 1.5.0)
  • Splunk Sankey Diagram - Custom Visualization (version 1.6.0)
  • Splunk Common Information Model (CIM) (version 4.20.0)

How the InfoSec app for Splunk works

The InfoSec app is a free app for the Splunk platform that can be downloaded and installed into your Splunk environment. Download the InfoSec app for Splunk from Splunkbase.

The InfoSec app is a collection of comprehensive, extensible dashboards and alerts that focus on the most common security-oriented technology components within a typical corporate environment. Use this app to investigate incidents, automate compliance tasks, and help protect your network, users, and intellectual property from external adversaries and malicious insiders. You can also use the app to provide executive-level reporting metrics, trends, and summaries, and to assist with audits by mapping customizable reports to common compliance frameworks such as NIST, HIPAA, PCI, and ISO.

The InfoSec app provides a standard Splunk search page from within the app. For more information on how to search using the Splunk Platform, see this introductory Search, filter, and correlate video.

Use the Dashboards page to list all the saved dashboards available to you within the Splunk platform. From the Dashboards page you can perform the following actions:

  • Open and view a dashboard
  • Adjust who can access a dashboard by modifying its permissions
  • Edit a dashboard
  • Clone a dashboard

Use the following table to learn about the dashboards available in the InfoSec app and how you can use them to monitor your environment:

Dashboard: Security Posture
Function: Provides a high-level view for monitoring the security posture of your environment.
For more information, see Monitor your security posture using the InfoSec app for Splunk.

Dashboard: Continuous Monitoring
Function: Consists of the following dashboards, which continuously monitor your environment:
  • Windows Access and Changes dashboard to view access and change events from Microsoft Windows hosts
  • All Authentications dashboard to view all authentication actions
  • Malware dashboard to view events from antivirus solutions
  • Intrusion Detection (IDS/IPS) dashboard to view events from intrusion detection and prevention systems
  • Firewalls dashboard to view firewall events
  • Network Traffic dashboard to view network traffic data, such as firewall connection logs, from your network
  • VPN Access dashboard to view VPN session data
For more information, see Monitor your environment continuously using the InfoSec app for Splunk.

Dashboard: Advanced Threat
Function: Consists of the following dashboards, which use the search capabilities of the Splunk platform to highlight security events of interest:
  • Access Anomalies dashboard to identify anomalous access patterns and related security risks
  • Network Anomalies dashboard to identify network anomalies
  • Custom Use Cases dashboard to incorporate your own custom searches and dashboards
For more information, see Identify advanced threats using the InfoSec app for Splunk.

Dashboard: User and Host Investigation
Function: Helps you investigate user-based and host-based behaviors and actions.
For more information, see Investigate behaviors using the InfoSec app for Splunk.

Dashboard: Compliance
Function: Provides visibility into controls that are required under different compliance frameworks.
For more information, see Set up controls using the InfoSec app for Splunk.

Dashboard: Executive View
Function: Provides a high-level view of selected security metrics and the status of the environment.
For more information, see Display high level security metrics using the InfoSec app for Splunk.

Dashboard: Alerts
Function: Helps you investigate and manage alerts.
For more information, see Manage alerts using the InfoSec app for Splunk.

Dashboard: Health
Function: Performs a health check of your Splunk environment.
For more information, see Perform a health check using the InfoSec app for Splunk.
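The Continuous Monitoring dashboards draw their data from the Splunk Common Information Model (CIM) data models, which is why the CIM add-on is listed as a dependency above. A practical check before relying on those dashboards is to confirm that the relevant data models are actually being populated by your sourcetypes. The search below is an added example for that purpose; it is not part of the InfoSec app and is not taken from its dashboards. The mapping of dashboards to data models (Authentication, Malware, Intrusion_Detection, Network_Traffic, Network_Sessions for VPN, and Change for Windows changes) is an assumption based on the dashboard names and the standard CIM model names; adjust the list and the 24-hour window to suit your environment.

```spl
| tstats summariesonly=false count FROM datamodel=Authentication WHERE earliest=-24h BY sourcetype
| eval datamodel="Authentication"
| append [| tstats summariesonly=false count FROM datamodel=Malware WHERE earliest=-24h BY sourcetype | eval datamodel="Malware"]
| append [| tstats summariesonly=false count FROM datamodel=Intrusion_Detection WHERE earliest=-24h BY sourcetype | eval datamodel="Intrusion_Detection"]
| append [| tstats summariesonly=false count FROM datamodel=Network_Traffic WHERE earliest=-24h BY sourcetype | eval datamodel="Network_Traffic"]
| append [| tstats summariesonly=false count FROM datamodel=Network_Sessions WHERE earliest=-24h BY sourcetype | eval datamodel="Network_Sessions"]
| append [| tstats summariesonly=false count FROM datamodel=Change WHERE earliest=-24h BY sourcetype | eval datamodel="Change"]
| table datamodel sourcetype count
| sort datamodel - count
```

A data model that returns no rows here will produce an empty dashboard in the InfoSec app regardless of how much raw data you have indexed; the usual causes are a technology add-on that is missing or not CIM-tagged, or data landing in an index that the data model's constraint search does not cover. Note that `summariesonly=false` makes `tstats` fall back to scanning raw events when a data model is not accelerated, which is slow on large indexes but avoids the false negative you would get from `summariesonly=true` on a model whose acceleration has not been enabled.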

For more information on the InfoSec app, review the InfoSec app for Splunk - Introduction video.

What you can do with the InfoSec app for Splunk

Use the InfoSec app dashboards to provide coverage in the following areas:

  • Authentication, including Active Directory and LDAP
  • Malware, including antivirus and next-generation antivirus
  • Network traffic, including firewalls and next-generation firewalls

You can use the InfoSec app to accomplish the following tasks:

  • Direct the powerful features of the Splunk platform towards security.
  • Access a single pane view of security events and posture.
  • Investigate security alerts and incidents.
  • Customize and expand a base security platform to integrate with additional apps and add-ons from Splunkbase.

Extending the features of the InfoSec App for Splunk

You can configure and integrate the InfoSec app with the Splunk Security Essentials (SSE) app, the Common Information Model (CIM), Splunk Enterprise Security, Splunk SOAR, and other Splunk apps and add-ons. You can also use the InfoSec app with the Splunk Machine Learning Toolkit (MLTK) to enable advanced machine-learning-based correlation searches within the InfoSec app that detect threats and raise alerts.

Download any of the following apps to extend the capabilities of the Infosec app:

Additionally, you can download and install many other apps and add-ons from Splunkbase and configure them within your Splunk environment. Using these apps together with the InfoSec app provides solutions for many common use cases and gives specialized insight into your data and systems through preconfigured dashboards, reports, data inputs, and saved searches.

Last modified on 24 August, 2023
This documentation applies to the following versions of Splunk® InfoSec App: 1.7.0
