Splunk Lantern

Normalizing Enterprise Security data with technology add-ons

 

You want to use events from Cisco router logs with the cisco:asa source type. You confirm the data is present in Splunk indexes, but Splunk Enterprise Security is not displaying it in any dashboards. You run | tstats count FROM datamodel=Network_Traffic.All_Traffic BY sourcetype and discover that the Network Traffic data model does not contain events with the cisco:asa source type. You ask a coworker for help and he suggests that this is because the events are not being tagged with the network and communicate tags, and the fields are not being aliased to the proper names required in the data model. You need to fix this.

Solution 

Splunk Enterprise Security uses data models that normalize data from various sources to conceptual maps to make all the different data types comparable and your reporting better understood. Normalization can be accomplished by adding tags and changing field aliases and values to conform to data model specifications, but this is very time consuming. A better solution is to automate the processes through technology add-ons (TAs).

TAs provide the Common Information Model (CIM)-compliant knowledge necessary to incorporate source data into Splunk Enterprise Security. They can configure inputs on forwarders, parsing on indexers, and normalizing data on search heads. Aside from the User Behavior Analytics (UBA) add-on, no TAs are included. It's up to the Splunk Enterprise Security admin or users to decide which TAs they need, and then to install them.

In the scenario above, the user could find the Splunk Add-on for Cisco ASA on Splunkbase and work with the Splunk Enterprise Security admin to get it installed. However, for less common sources, the user might have to build a custom TA. Let's look at both of these options.

Find a Splunk-supported, CIM-compatible add-on on Splunkbase

Technology add-ons are intended for use with specific technologies, such as Websense, Zeek (Bro) IDS, and Juniper. You can find them by searching Splunkbase or looking at the Splunk Docs page for all supported add-ons. A few things to note:

  • TAs must be CIM-compliant to be compatible with Splunk Enterprise Security.
  • Each has a specific add-on name and one or more event source types.
  • Some, like the *NIX and Windows add-ons, are designed to input OS data and will require configuration before use.
  • Different TAs have different deployment methodologies. Read the README file included with each one. You should also read Deploy add-ons to Splunk Enterprise Security.
  • TAs also have different configuration steps. Use the README file and make sure you set the correct sourcetype name.

As your organization changes, you might have TAs that are no longer required. They can be disabled under Apps > Manage Apps.

Build a custom add-on with the Splunk Add-on Builder

If you have custom data sources that you want Splunk Enterprise Security to recognize, create an add-on to make your custom events CIM-compliant. To do this, you need the Splunk Add-on Builder. While the Add-on Builder is a fast, easy way to create a TA, you still need to do some planning to map your custom data into the Common Information Model. 

  1. Determine which data model should reference your events by doing the following:
    1. Use the dashboard requirements matrix to determine the data model(s) and field names the dashboard(s) require.
    2. Review the list of required and optional fields for each data model. 
  2. Map the fields of your custom source type to the CIM fields. Keep in mind the following:
    • You need to at least populate the fields used by Splunk Enterprise Security dashboards and correlation searches. 
    • Mapping as many of the data model fields as possible will make your events more robust for future use in new views, searches, or reports.
    • Not all of the source fields will match CIM fields. You can ignore the extra source fields as appropriate.
    • Not all of the CIM fields will be present in the source events. Use eval statements or regex-based field extractions to generate these fields with valid values if possible, or with placeholder values if no valid values can be determined.
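As an added example, not taken from the article or from any Splunk-supplied add-on, here is the minimal set of .conf knowledge objects a custom TA built along the steps above would ship to pull a hypothetical acme:fw source type into the Network_Traffic data model: a regex extraction of the vendor's raw fields, field aliases and calculated fields that produce the CIM names and values, an event type, and the network and communicate tags that the All_Traffic dataset's constraint requires. The source type name, the log format, the vendor field names and the sample event are all constructed assumptions.

```ini
# Constructed sample event for the hypothetical source type acme:fw:
#   2024-03-01T10:00:00Z ACME-FW ALLOW TCP 10.1.2.3:51512 93.184.216.34:443 512 2048
# Positional layout: timestamp host verdict proto src:port dest:port bytes_sent bytes_received

# ---- default/props.conf ----
[acme:fw]
# Search-time regex extraction of the vendor's raw fields (step 2 of the mapping above)
EXTRACT-acme_fields = ^\S+\s+\S+\s+(?<verdict>ALLOW|DENY)\s+(?<proto>\w+)\s+(?<srcip>[\d.]+):(?<sport>\d+)\s+(?<dstip>[\d.]+):(?<dport>\d+)\s+(?<sent>\d+)\s+(?<rcvd>\d+)

# Field aliases: rename the vendor fields to the CIM Network_Traffic field names.
# Splunk applies aliases after extractions and before calculated fields, so the
# EVAL statements below may reference aliased names, but an alias cannot rename an EVAL field.
FIELDALIAS-acme_endpoints = srcip AS src dstip AS dest sport AS src_port dport AS dest_port
FIELDALIAS-acme_bytes = sent AS bytes_out rcvd AS bytes_in

# Calculated fields: CIM fields that need a value transformation or that the source never carries.
# action must use the CIM vocabulary (allowed / blocked / teardown); anything unmapped gets a placeholder.
EVAL-action = case(verdict=="ALLOW", "allowed", verdict=="DENY", "blocked", true(), "unknown")
EVAL-transport = lower(proto)
EVAL-bytes = tonumber(sent) + tonumber(rcvd)
# Constant placeholder for a CIM field that does not exist in the source events
EVAL-vendor_product = "Acme Firewall"

# ---- default/eventtypes.conf ----
[acme_fw_traffic]
search = sourcetype=acme:fw

# ---- default/tags.conf ----
# Network_Traffic.All_Traffic is constrained on tag=network tag=communicate; without both
# tags the events never enter the data model, which is the symptom in the scenario above.
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled

# ---- metadata/default.meta ----
# Export the add-on's knowledge objects to every app so Enterprise Security searches can use them.
[]
export = system
```

After the add-on is deployed to the search head, rerun the check from the scenario, | tstats count FROM datamodel=Network_Traffic.All_Traffic BY sourcetype, and acme:fw should now be listed. If it is not, search tag=network tag=communicate sourcetype=acme:fw | table src dest src_port dest_port action transport bytes to see which half of the normalization (tagging or field naming) is missing; a row with empty CIM columns points at the aliases or EVALs, no rows at all points at the event type or tags.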

For complete instructions about using the Add-on Builder, see the Splunk Add-on Builder User Guide.

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on administering Splunk Enterprise Security. The hands-on labs in the course will teach you how to:

  • Examine how Splunk Enterprise Security functions, including data models, correlation searches, notable events, and dashboards
  • Create custom correlation searches
  • Customize the Investigation Workbench
  • Learn how to install or upgrade Splunk Enterprise Security
  • Learn the steps to setting up inputs using technology add-ons
  • Fine tune Splunk Enterprise Security Global Settings
  • Customize risk and configure threat intelligence

Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.