Overview of the InfoSec app for Splunk
The InfoSec App for Splunk is an entry level security solution powered by the Splunk platform that is designed to address the most common security use cases, including continuous monitoring and security investigations. You can also use the InfoSec app for a number of advanced threat detection use cases and expand them using other security apps and add-ons that you can download from Splunkbase.
Following is a list of the applications supported by the Infosec App (version 1.7.0):
- Force Directed app For Splunk (version 3.1.0)
- Lookup File Editor (version 3.5.0)
- Punchcard - Custom Visualization (version 1.5.0)
- Splunk Sankey Diagram - Custom Visualization (version 1.6.0)
- Splunk Common Information Model (CIM) (version 4.20.0)
How the InfoSec app for Splunk works
The InfoSec app is a free app for the Splunk platform that can be downloaded and installed into your Splunk environment. Download the InfoSec app for Splunk from Splunkbase.
The InfoSec app is a collection of comprehensive, extensible dashboards and alerts that focus on the most common security-oriented technology components within your typical corporate environment. Use this app to investigate incidents, automate compliance tasks, and help protect your network, users, and intellectual property from external adversaries and malicious insider threats. You can also use the app to provide executive-level reporting metrics, trends, and summaries. You can use this app to assist in completing audits by mapping customizable reports to common compliance frameworks such as NIST, HIPPA, PCI, and ISO.
The InfoSec app provides a standard Splunk search page from within the app. For more information on how to search using the Splunk Platform, see this introductory Search, filter, and correlate video.
Use the Dashboards page to list all the saved dashboards within the Splunk platform. The Dashboards page allows you to perform the following actions:
- Open and view a dashboard
- Adjust who can access a dashboard by modifying it's permissions
- Edit a dashboard
- Clone a dashboard
Use the following table to learn about the dashboards available on the InfoSec app and how you can use them to monitor your Splunk environment:
|Security Posture||Provides a high level view to monitor the security in your Splunk environment.|
For more information to monitor your security posture, see Monitor your security posture using the InfoSec app for Splunk.
|Continuous Monitoring||Comprises of the following dashboards that continuously monitor your Splunk environment:|
For more information to continuously monitor your Splunk environment, see Monitor your environment continuously using the InfoSec app for Splunk
|Advanced Threat||Comprises of the following dashboards that leverage the power of the Splunk Platform's search capabilities to highlight security events of interest:
For more information to highlight interesting security events, see Identify advanced threats using the InfoSec app for Splunk
|User and Host Investigation||Helps to investigate user and host-based behaviors and actions|
For more information to investigate user or host behaviors, see Investigate behaviors using the InfoSec app for Splunk
|Compliance||Provides visibility into controls that are required under different compliance frameworks.|
For more information to set up up visibility into compliance requirements, see Set up controls using the InfoSec app for Splunk.
|Executive View||Provides a high-level view of certain security metrics and the environment status. |
For more information to report on high level security metrics, see Display high level security metrics using the InfoSec app for Splunk
|Alerts||Helps to investigate and manage alerts|
For more information to investigate and manage alerts, see Manage alerts using the InfoSec app for Splunk
|Health||Performs a health-check of your Splunk environment|
For more information to perform a health check, see Perform a health check using the InfoSec app for Splunk
For more information on the InfoSec app, review the InfoSec app for Splunk - Introduction video.
What you can do with the InfoSec app for Splunk
Use the InfoSec app dashboards to provide coverage in the following areas:
- Authentication, including Active Directory, LDAP
- Malware, including antivirus, next generation antivirus
- Network traffic, including firewalls, next generation firewalls
You can use the InfoSec app to accomplish the following tasks:
- Direct the powerful features of the Splunk platform towards security.
- Access a single pane view of security events and posture.
- Investigate security alerts and incidents.
- Customize and expand a base security platform to integrate with additional apps and add-ons from Splunkbase.
Extending the features of the InfoSec App for Splunk
You may configure and integrate the InfoSec app with the SSE app, the Common Information Model (CIM), Splunk Enterprise Security, Splunk Phantom, and other Splunk apps and add-ons. You may also use the InfoSec app with the Splunk Machine Learning Toolkit (MLTK) and enable advanced ML based correlation searches within the InfoSec app to detect threats and provide alerts.
Download any of the following apps to extend the capabilities of the Infosec app:
- Splunk Security Essentials (SSE) app.
- Splunk Phantom
- Splunk Machine Learning Toolkit (MLTK) app
- Splunk Enterprise Security
Additionally, you can directly download and install many other apps and add-ons from the Splunkbase library and configure them within your Splunk environment. Using these Splunk apps with the InfoSec app provide solutions for many common use case and provide specialized insight into your data and systems with preconfigured dashboards, reports, data inputs, and saved searches.
Monitor your security posture using the InfoSec app for Splunk
This documentation applies to the following versions of Splunk® InfoSec App: 1.7.0