Getting data onboarded to Splunk Enterprise Security
The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For assistance with ES 8.x, Splunk Professional Services can help.
After identifying your use cases, the next step is to get your data onboarded. Splunk Enterprise Security requires that all data sources comply with the Splunk Common Information Model (CIM), which normalizes the field names needed for correlation. After your security data is sent into a Splunk deployment and indexed, you can correlate events from disparate data sources across time and identify complex behavior that could be malicious.
The document Data source planning for Splunk Enterprise Security has detailed configuration information for add-ons and other data input components.
To get data into Splunk Enterprise Security, you'll need to follow these steps:
- Identify the data source required.
- Identify and install the technical add-on required.
- Configure the corresponding server, device, or technology.
- Customize the add-on where necessary.
- Set up a Splunk data input and confirm the source type settings.
Using these TAs gives you CIM-compliant data as it enters a Splunk deployment. If you need to validate or troubleshoot the field mapping, see the manual for the CIM add-on. This add-on is normally included with the Splunk Enterprise Security installation.
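To make concrete what "CIM-compliant" means for the correlation described above, here is an added illustration (not code from Splunk or from this article) of the two things a TA does to an event: it aliases vendor field names onto CIM field names and normalizes values such as action, after which a validation pass can report which events still lack the fields a Network_Traffic correlation search relies on. The sourcetype "example:fw", its vendor field names, and the sample events are constructed for this example; a real TA ships its own props.conf mappings.

```python
from collections import defaultdict

# Subset of CIM Network_Traffic fields that correlation searches commonly key on.
REQUIRED_FIELDS = ("action", "src", "dest", "dest_port", "transport")

# Stand-in for a TA's props.conf FIELDALIAS settings, keyed by sourcetype.
# The vendor field names and the sourcetype "example:fw" are assumptions.
FIELD_ALIASES = {
    "example:fw": {"srcip": "src", "dstip": "dest", "dport": "dest_port",
                   "proto": "transport", "act": "action"},
}

# CIM expects action values such as "allowed" and "blocked", not vendor spellings.
ACTION_VALUES = {"allow": "allowed", "permit": "allowed",
                 "deny": "blocked", "drop": "blocked"}


def normalize(event):
    """Apply the sourcetype's aliases and normalize action; returns a new dict."""
    out = dict(event)
    for vendor, cim in FIELD_ALIASES.get(event.get("sourcetype"), {}).items():
        if vendor in event and cim not in out:
            out[cim] = event[vendor]
    if "action" in out:
        out["action"] = ACTION_VALUES.get(str(out["action"]).lower(), out["action"])
    return out


def missing_fields(events, required=REQUIRED_FIELDS):
    """Count, per sourcetype, how many events lack each required CIM field."""
    report = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for field in required:
            if not ev.get(field):
                report[ev["sourcetype"]][field] += 1
    return {st: dict(fields) for st, fields in report.items()}


# Constructed sample events: two raw firewall events with vendor field names and
# one Windows event that a TA has already mapped to CIM field names.
SAMPLE_EVENTS = [
    {"sourcetype": "example:fw", "srcip": "10.0.0.5", "dstip": "203.0.113.9",
     "dport": "443", "proto": "tcp", "act": "allow"},
    {"sourcetype": "example:fw", "srcip": "10.0.0.7", "dstip": "198.51.100.2",
     "dport": "22", "proto": "tcp", "act": "deny"},
    {"sourcetype": "WinEventLog", "src": "10.0.0.9", "dest": "10.0.0.1",
     "dest_port": "445", "transport": "tcp", "action": "allowed"},
]

if __name__ == "__main__":
    print("before mapping:", missing_fields(SAMPLE_EVENTS))
    print("after mapping: ", missing_fields([normalize(e) for e in SAMPLE_EVENTS]))
```

The "before" report is what a CIM validation search shows when a source arrives without its TA: every required field is missing for that sourcetype, so correlation searches silently return nothing for it.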
The terms "add-on" (or "TA") and "app" are often used interchangeably. However, they are different.
- An add-on (TA) is a type of app that provides specific capabilities to apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app. Instead, an add-on is a reusable component that supports other apps across a number of different use cases.
- An application (app) typically addresses several use cases. An app contains one or more views. An app can include various knowledge objects such as reports, lookups, scripted inputs, and modular inputs. An app sometimes depends on one or more add-ons for specific functionality.
You can easily download the TAs needed to send data into a Splunk deployment to drive your use cases. There are currently over 1,400 security-related apps and add-ons on Splunkbase that support security products from Cisco, McAfee, CrowdStrike, Zscaler, and many others. Examples of commonly used TAs include:
- Splunk Add-on for Microsoft Windows
- Palo Alto Networks Add-on for Splunk
- Splunk Add-on for Check Point Log Exporter
- Splunk Add-on for Microsoft Azure
- Splunk Add-on for Amazon Web Services (AWS)
Syslog
Syslog is frequently used, and considered a best practice, for collecting data from security devices such as firewalls and security appliances. You can set up a syslog server to collect data from these sources and then forward it from the syslog server to a Splunk deployment. Further syslog considerations are documented in the Splunk validated architecture whitepaper.
Additional resources
Here are more resources that can help you to get data in:
- Docs: Getting data in to Splunk Cloud
- Docs: Getting data in to Splunk Enterprise
- Docs: Data source planning for ES
- Docs: Use apps to get data in
- Docs: Use CIM to validate your data
- Tech Talk: Getting data into Splunk
- Community: Getting Data In channel