Splunk Enterprise Security (ES) solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of organizations’ security postures with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises or hybrid deployment models. Splunk ES enables you to: - Conquer alert fatigue with high-fidelity Risk-Based Alerting. - Bring visibility across your hybrid environment with multicloud security monitoring. - Conduct flexible investigations for effective threat hunting across security, IT and DevOps data sources. Splunk ES is a premium security solution requiring a paid license.

Splunk DB Connect is a generic SQL database extension for Splunk that enables easy integration of database information with Splunk queries and reports. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, Teradata, InfluxDB and MongoDB Atlas & Standalone. Use Splunk DB Connect's Inputs to import structured data for powerful indexing, analysis, and visualization. Use Outputs to export machine data insights to a legacy database to increase your organization's insight. Use Lookups to add meaningful information to your event data by referencing fields in an external database. Use query commands to build live dashboards mixing structured and unstructured data.

*** Important: Read upgrade instructions and test add-on update before deploying to production *** The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the documented upgrade instructions to avoid data loss. A best practice is to test the upgraded version in a non-production environment before deploying to production. Neither the Splunk Add-on for Windows DNS version 1.0.1 nor the Splunk Add-on for Windows Active Directory version 1.0.0 is supported when installed alongside the Splunk Add-on for Windows version 6.0.0. The Splunk Add-on for Windows version 6.0.0 includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory. The Splunk for Microsoft Windows add-on includes predefined inputs to collect data from Windows systems and maps to normalize the data to the Common Information Model.

*** Important: Read upgrade Instructions and test add-on update before deploying to production *** There are changes to default indexes and .conf changes in version 6.0 of Splunk Add-on for Unix and Linux that can break an existing installation if upgrade instructions are not followed in detail. If an existing Splunk Add-on for Unix and Linux is being upgraded, please test in a non-production environment first. The Splunk Add-on for Unix and Linux works with the Splunk App for Unix and Linux to provide rapid insights and operational visibility into large-scale Unix and Linux environments. With its new pre-packaged alerting capability, flexible service-based hosts grouping, and easy management of many data sources, it arms administrators with a powerful ability to quickly identify performance and capacity bottlenecks and outliers in Unix and Linux environments.

The Splunk Add-on for AWS, from version 7.0.0 and above, includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This allows you to configure the Splunk Add-on for AWS to ingest data across all AWS data sources, facilitating the integration of AWS data into your Splunk platform deployment. If you use both the Splunk Add-on for Amazon Security Lake as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Security Lake before upgrading the Splunk Add-on for AWS to version 7.0.0 or later in order to avoid any data duplication and discrepancy issues. __________________________________________________________________________________________________________ Ingesting data from AWS to Splunk Cloud? Have you tried the new Splunk Data Manager yet? Data Manager makes AWS data ingestion simpler, more automated and centrally managed for you, while co-existing with AWS and/or Kinesis TAs. Read our blog post to learn more about Data Manager and it’s availability on your Splunk Cloud instance: https://splk.it/3e9F863 __________________________________________________________________________________________________________ The Splunk Add-on for Amazon Web Services allows a Splunk software administrator to collect: * Configuration snapshots, configuration changes, and historical configuration data from the AWS Config service. * Metadata for your AWS EC2 instances, reserved instances, and EBS snapshots. * Compliance details, compliance summary, and evaluation status of your AWS Config Rules. * Assessment Runs and Findings data from the Amazon Inspector service. * Management and change events from the AWS CloudTrail service. * VPC flow logs and other logs from the CloudWatch Logs service. * Performance and billing metrics from the AWS CloudWatch service. * Billing reports that you have configured in AWS. * S3, CloudFront, and ELB access logs. * Generic data from your S3 buckets. * Generic data from your Kinesis streams. * Generic data from SQS. * Security events from Amazon Security Lake This add-on provides modular inputs and CIM-compatible knowledge to use with other apps, such as the Splunk App for AWS, Splunk Enterprise Security and Splunk IT Service Intelligence. Versions 5.0.0 and later of the Splunk Add-on for AWS is compatible only with Splunk Enterprise version 8.0.0 and above.

The Splunk Add-on for Microsoft Cloud Services allows a Splunk software administrator to pull activity logs, service status, operational messages, Azure audit, Azure resource data and Azure Storage Table and Blob data from a variety of Microsoft cloud services using Event Hubs, Azure Service Management APIs and Azure Storage API. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance and Splunk IT Service Intelligence.

Ever want to edit a lookup within Splunk with a user interface? Now you can. This app provides an Excel-like interface for editing, importing, and exporting lookup files (KV store and CSV-based). This app also makes your lookups work in Search Head Clustered environments (edits to lookups will be propagated to other search heads). Revision history is maintained for lookups so that you can view or restore older lookups quickly in the interface. Check out the Documentation site: https://docs.splunk.com/Documentation/LookupEditor https://docs.splunk.com/Documentation/LookupEditor/4.0.4/User/Whatsnew

Get started with Splunk for Security with Splunk Security Essentials (SSE). Explore security use cases and discover security content to start address threats and challenges. Security Content Library Find security content for Splunk Cloud and Splunk's SIEM and SOAR offerings and deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Cybersecurity Frameworks Identify gaps in your defenses and take control of your security posture with automatic mapping of data and security detections to MITRE ATT&CK® and Cyber Kill Chain® framework. Data and Content Introspection Gain visibility of the data coming into your environment to add context and telemetry to security events. Enrich your security detections with metadata and tags from the Security Content Library. Security Data Journey Get prescriptive security and data recommendations and establish a data strategy to develop a security maturity roadmap. We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. This means that if you have SSE version 3.7.1 or lower, the last supported ESCU version is ESCU 4.22.0. In order to get the latest ESCU version, you will need to upgrade SSE to version 3.8.0. Learn more: Download the Product Brief : https://www.splunk.com/pdfs/product-briefs/splunk-security-essentials.pdf Try out Splunk Security Essentials: https://www.splunk.com/en_us/form/splunk-security-essentials-online-demo.html Check out the Documentation site: https://docs.splunk.com/Documentation/SSE

This add-on collects data from Microsoft Azure including the following: Microsoft Entra ID (formerly Azure Active Directory) Data - Users - Microsoft Entra ID user data - Interactive Sign-ins - Microsoft Entra ID sign-ins including conditional access policies and MFA - Directory audits - Microsoft Entra ID directory changes including old and new values - Devices - Registered devices - Groups - Risk Detection Microsoft Security Graph API Topology - IaaS relationships Azure Security Center - Alerts - Tasks Azure Resource Graph This add-on contains the following alert actions: - Stop Azure VM - stops an Azure Virtual Machine. - Add member to group - adds a user to a group. This can be useful if you need to enable additional policies like MFA based on search results. - Dismiss Azure Alert - dismisses an Azure Security Center alert. Version 3.0.0 and later of the Microsoft Azure Add-on for Splunk is compatible only with Splunk Enterprise version 8.0.0 and above. While this app is not formally supported, the developer can be reached at https://github.com/splunk/splunk-add-on-microsoft-azure/issues. Responses are made on a best-effort basis. Feedback is always welcome and appreciated!

The Splunk Add-on for Microsoft Office 365 allows a Splunk software administrator to pull service status, service messages, and management activity logs from the Office 365 Management API. You can collect: * Audit logs for Azure Active Directory, Sharepoint Online, and Exchange Online, supported by the Office 365 Management API. * Historical and current service status, and service messages for the corresponding Microsoft Office 365 Management API. * Data Loss Prevention on Microsoft Office 365 Management API. After the Splunk platform indexes the events, you can then directly analyze the data or use it as a contextual data feed to correlate with other data in the Splunk platform

The Splunk ES Content Update (ESCU) app delivers pre-packaged Security Content. ESCU provides regular Security Content updates to help security practitioners address ongoing time-sensitive threats, attack methods, and other security issues. Security Content consists of tactics, techniques, and methodologies that help with detection, investigation, and response. Security Content enables security teams to directly operationalize detection searches, investigative searches, and other supporting details. ESCU can generate Notable/Risk Events in Splunk Enterprise Security. Security Content also contains easy-to-read background information and guidance, for key context on motivations and risks associated with attack techniques, as well as pragmatic advice on how to combat those techniques. The analytic stories and their searches are also available at - https://github.com/splunk/security_content.

The Splunk Add-on for Microsoft Security collects incidents and alerts from Microsoft 365 Defender OR alerts from Microsoft Defender for Endpoint. Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation. https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate Customers migrating from Microsoft 365 Defender Add-on for Splunk who would like to continue using the dashboards it includes should install Microsoft 365 App for Splunk, as the functionality has been moved there. https://splunkbase.splunk.com/app/3786/ Microsoft 365 Defender Incidents * Incident (impossible travel, activity from Tor IP, suspicious inbox forwarding, successful logon using potentially stolen credentials, etc.) * Assignee * Classification * Severity * Status * Alerts associated with the Incident Microsoft Defender for Endpoint Alerts * Categories (Malware, Initial Access, Execution, etc.) * Detection source * Evidence * Computer name * Related user * Severity * Status

The Splunk Machine Learning Toolkit delivers new SPL commands, custom visualizations, assistants, and examples to explore a variety of ML concepts. Each assistant includes end-to-end examples with datasets, plus the ability to apply the visualizations and SPL commands to your own data. You can inspect the assistant panels and underlying code to see how it all works. MLTK Quick Reference Guide: https://docs.splunk.com/images/3/3f/Splunk-MLTK-QuickRefGuide-2019-web.pdf Assistants: * Predict Numeric Fields (Linear Regression): e.g. predict median house values. * Predict Categorical Fields (Logistic Regression): e.g. predict customer churn. * Detect Numeric Outliers (distribution statistics): e.g. detect outliers in IT Ops data. * Detect Categorical Outliers (probabilistic measures): e.g. detect outliers in diabetes patient records. * Forecast Time Series: e.g. forecast data center growth and capacity planning. * Cluster Numeric Events: e.g. cluster business anomalies to reduce noise. Smart Assistants (new assistants with revamped UI and better ml pipeline/experiment management): * Smart Forecasting Assistant:: e.g. forecasting app logons with special days. * Smart Outlier Detection Assistant: e.g. find anomalies in supermarket purchases. * Smart Clustering Assistant: e.g. cluster houses by property descriptions. * Smart Prediction Assistant: e.g. predict vulnerabilities in firewall data. Available on both on-premises and cloud. (c) Splunk 2024. All rights reserved.

The Common Information Model is a set of field names and tags which are expected to define the least common denominator of a domain of interest. It is implemented as documentation on the Splunk docs website and JSON data model files in this add-on. Use the CIM add-on when modeling data or building apps to ensure compatibility between apps, or to just take advantage of these data models to pivot and report.

The Splunk Add-on for Palo Alto Networks lets you collect data from Cortex XDR, IoT Security, Firewalls, Panorama, and Strata Logging Service. The new Add-on provides a health check monitoring dashboard and CIM-compatible knowledge objects. Key Highlights of the release: Modular inputs for IoT Security & Cortex XDR CIM normalisation Health check monitoring dashboard Support for the latest PanOS Important information for users of the Palo Alto Networks-owned Add-on and App: Due to certain differences between the Palo Alto Networks-owned Add-on and the Splunk-supported Add-on, it's important to understand the key changes, such as revised CIM mapping, macro adjustments, and configuration updates for IoT Security and Cortex XDR inputs. Familiarizing yourself with these changes and their impact is crucial to ensuring a smooth migration to the Splunk-supported Add-on and App. More details can be found in the Migration section of the Add-on documentation. Documentation for this add-on is posted at [Splunk Docs](https://splunk.github.io/splunk-add-on-for-palo-alto-networks)

The Splunk Add-on for ServiceNow allows a Splunk software administrator to collect data from ServiceNow and create incidents and events in ServiceNow. The add-on collects incident, event, change, user, user group, location, and CMDB CI information from ServiceNow via ServiceNow REST APIs. The add-on also provides workflow actions that allow users to link directly from events in the Splunk platform search results to relevant ServiceNow incidents, events, and Knowledge Base articles. The Splunk Add-on for ServiceNow allows Splunk software administrators to use custom commands, alert actions, and scripts to create new incidents and events in your ServiceNow instance, as well as update the incidents created from the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

This app integrates with the ThreatConnect platform to provide various hunting actions in addition to threat ingestion

The Splunk App for Chargeback aids customers in understand Splunk Virtual Compute (SVC) usage categorized by business units and departments, utilizing the identical SVC usage data available in the Cloud Monitoring Console (CMC) App within the customer's stack. To access bonus videos from conf23, click on the "Details" tab. IMPORTANT NOTES: 1. The document is now integrated into the app, accessible from the home dashboard. 2. For an optimal experience, consider installing the app independently. Search for "chargeback" among available apps, then click "Install" next to the Splunk App for Chargeback. Refer to the document on the home page for guidance. 3. If you're comfortable reviewing a slightly older document, visit this site: https://docs.splunk.com/Documentation/ChargebackApp/current/Use/Overview Description Splunk App for Chargeback provides an easy-to-use experience to analyze how internal business units are leveraging Splunk. The App provides the framework necessary for Chargeback and/or Showback use cases for: 1. Splunk Virtual Compute (SVC) 2. Dynamic Data: Active Searchable (DDAS) 3. Dynamic Data: Active Archive (DDAA) 4. Dynamic Data: Self-Storage (DDSS) 5. SmartStore The app provide the following functionally to all Splunk customers: - Framework for customers to build their own Chargeback and/or Showback models - Means to determine how many SVCs are allocated to various business units, departments, and users in those departments [Accounting]. - Means to automatically determine how Splunk Cloud stack resources are being used by the various business units [Utilization]. - Ability to drill-down and break down the usage starting at the highest level in the business all the way down to the user level - Ability to forecast SVC usage for the entire organization and by business unit using Splunk Machine Learning - Accurately maintained up-to-date list of identities along with corresponding Business Unit & Department information by way of indexing the data from a source like DB Connect or Active Directory ODS Support You can open an ODS request under task Install/Configure App or TA/Add-On in the support portal (https://www.splunk.com/pdfs/professional-services/splunk-ondemand-services-portal.pdf). Select after choosing Pick your Product = Splunk Core - Enterprise/Splunk Cloud. Enter under the subject/description that you need help configuring the Splunk App for Chargeback specifically. Feedback is always welcome and appreciated.

This app implements custom REST handlers for external implementations to push ingest data such as events and artifacts into Phantom

Splunk Add-on for Stream Forwarders is part of the purpose-built wire data collection and analytics solution from Splunk along with Splunk App for Stream for data visualization and forwarder management and Splunk Add-on for Stream Wire Data for data parsing and formatting. The Splunk App for Stream with the Add-on for Stream Forwarder and Add-on for Stream Wire Data actively or passively capture packets, dynamically detect applications, parse protocols, and send metadata back to your Splunk environment for over 30 protocols and 300 commercial applications. Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation. Ingest PCAP files in real-time or on-demand. Create MD5 hashes of file attachments for Threat Intelligence correlations using Splunk ES, and extract and store those reassembled files for forensic or DLP purposes. Parse SQL statements to help understand user intent. Understand IP client-server connections with patent-pending visualization.

Splunk App for Stream is part of the purpose-built wire data collection and analytics solution from Splunk along with Splunk Add-on for Stream Forwarders for data collection and Splunk Add-on for Stream Wire Data for data parsing and formatting. The Splunk App for Stream with the Add-on for Stream Forwarder and Add-on for Stream Wire Data actively or passively capture packets, dynamically detect applications, parse protocols, and send metadata back to your Splunk environment for over 30 protocols and 300 commercial applications. Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation. Ingest PCAP files in real-time or on-demand. Create MD5 hashes of file attachments for Threat Intelligence correlations using Splunk ES, and extract and store those reassembled files for forensic or DLP purposes. Parse SQL statements to help understand user intent. Understand IP client-server connections with patent-pending visualization.

This is the official Splunk app that integrates Splunk Enterprise or Splunk Cloud with Splunk SOAR. This app, formerly known as the “Phantom App for Splunk,” is responsible for sending data from your Splunk Enterprise/Cloud instances to Splunk SOAR. Once that data is in Splunk SOAR, you can perform automated actions with over 350+ different security tools. Also included with this app is an integration with Splunk Enterprise Security, allowing you to send ES data to SOAR. Splunk SOAR is a Security Automation and Orchestrated Response (SOAR) platform that integrates with your existing security tools in order to provide a layer of “connective tissue” between them. Splunk SOAR streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of products that you use every day. Splunk SOAR doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger. (Formerly known as Phantom App for Splunk) Documentation: https://docs.splunk.com/Documentation/SOARExport/latest/UserGuide/Introduction

This app supports executing various endpoint-based investigative and containment actions on an SSH endpoint

The Splunk Remote Upgrader for Linux Universal Forwarders is used to remotely upgrade your universal forwarder for Linux. You install the upgrader on the same Linux instance as your universal forwarder. The upgrader then monitors for new universal forwarder packages in a predefined folder and if a new universal forwarder package is found, the upgrader upgrades the universal forwarder with that package.

The Common Information Model is a set of field names and tags which are expected to define the least common denominator of a domain of interest. It is implemented as documentation on the Splunk docs website and JSON data model files in this add-on. Use the CIM add-on when modeling data or building apps to ensure compatibility between apps, or to just take advantage of these data models to pivot and report.

Splunk Enterprise Security (ES) solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of organizations’ security postures with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises or hybrid deployment models. Splunk ES enables you to: - Conquer alert fatigue with high-fidelity Risk-Based Alerting. - Bring visibility across your hybrid environment with multicloud security monitoring. - Conduct flexible investigations for effective threat hunting across security, IT and DevOps data sources. Splunk ES is a premium security solution requiring a paid license.

Splunk AI Assistant for SPL offers bi-directional translation between natural language (NL) and Splunk Search Processing Language (SPL). Before you can use Splunk AI Assistant for SPL, you must review and sign the legal terms for the app. This specialized End-User License Agreement (EULA) covers data usage and is only accessible if you have a Splunk.com account. See: https://www.splunk.com/en_us/download/ai-assistant.html Once the EULA is signed,, please wait 3-4 business days for email notification that you can install Splunk AI Assistant for SPL. What's in the app . . . On the Write SPL tab, compose what you want to search in plain English, and the Splunk AI Assistant for SPL translates the request into Splunk Search Processing Language (SPL). You can execute or build on that SPL search, all within a familiar Splunk interface. On the Explain SPL tab, Splunk AI Assistant for SPL explains what any SPL search is doing in plain English, along with a detailed breakdown of the search. On the Tell me about tab, Splunk AI Assistant for SPL answers questions about Splunk documentation and any Splunk platform term or product. (c) Splunk 2025. All rights reserved.

The Splunk ES Content Update (ESCU) app delivers pre-packaged Security Content. ESCU provides regular Security Content updates to help security practitioners address ongoing time-sensitive threats, attack methods, and other security issues. Security Content consists of tactics, techniques, and methodologies that help with detection, investigation, and response. Security Content enables security teams to directly operationalize detection searches, investigative searches, and other supporting details. ESCU can generate Notable/Risk Events in Splunk Enterprise Security. Security Content also contains easy-to-read background information and guidance, for key context on motivations and risks associated with attack techniques, as well as pragmatic advice on how to combat those techniques. The analytic stories and their searches are also available at - https://github.com/splunk/security_content.

The Splunk OT Intelligence is a required web-based companion app for Splunk Edge Hub. The app enables administrators to create and manage their Edge Hubs deployments.

Splunk Add-on for Stream Wire Data is part of the purpose-built wire data collection and analytics solution from Splunk along with Splunk App for Stream for data visualization and data capture management and Splunk Add-on for Stream Forwarders for data collection. The Splunk App for Stream with the Add-on for Stream Forwarder and Add-on for Stream Wire Data actively or passively capture packets, dynamically detect applications, parse protocols, and send metadata back to your Splunk environment for over 30 protocols and 300 commercial applications. Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation. Ingest PCAP files in real-time or on-demand. Create MD5 hashes of file attachments for Threat Intelligence correlations using Splunk ES, and extract and store those reassembled files for forensic or DLP purposes. Parse SQL statements to help understand user intent. Understand IP client-server connections with patent-pending visualization.

Splunk User Behavior Analytics (UBA) is a machine learning-powered solution that helps organizations find unknown threats and anomalous behavior and solves a wide range of insider threat and external attack detection use cases. It uses unsupervised machine learning algorithms to produce actionable results with risk ratings and supporting evidence that augment security operation center (SOC) analysts’ existing techniques for faster action. Additionally, it provides visual pivot points for security analysts and threat hunters to proactively investigate anomalous behavior.

Splunk UBA is a machine learning driven solution that helps organizations find hidden threats and anomalous behavior across users, devices, and applications. Its data science driven approach produces actionable results with risk ratings and supporting evidence, augmenting SOC analysts’ existing techniques. In addition, it provides visual pivot points for hunters to proactively investigate anomalous behavior. • Detects insider threats using out-of-the-box purpose-built but extensible unsupervised machine learning (ML) algorithms • Provides context around the threat via ML driven anomaly correlation and visual mapping of stitched anomalies over various phases of the attack lifecycle • Increases SOC efficiency with rank-ordered threats and supporting evidence • Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation and with Splunk Enterprise Security for incident scoping, workflow management and automated response See Details for Product Downloads

The Splunk Add-on for AWS, from version 7.0.0 and above, includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This allows you to configure the Splunk Add-on for AWS to ingest data across all AWS data sources, facilitating the integration of AWS data into your Splunk platform deployment. If you use both the Splunk Add-on for Amazon Security Lake as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Security Lake before upgrading the Splunk Add-on for AWS to version 7.0.0 or later in order to avoid any data duplication and discrepancy issues. __________________________________________________________________________________________________________ Ingesting data from AWS to Splunk Cloud? Have you tried the new Splunk Data Manager yet? Data Manager makes AWS data ingestion simpler, more automated and centrally managed for you, while co-existing with AWS and/or Kinesis TAs. Read our blog post to learn more about Data Manager and it’s availability on your Splunk Cloud instance: https://splk.it/3e9F863 __________________________________________________________________________________________________________ The Splunk Add-on for Amazon Web Services allows a Splunk software administrator to collect: * Configuration snapshots, configuration changes, and historical configuration data from the AWS Config service. * Metadata for your AWS EC2 instances, reserved instances, and EBS snapshots. * Compliance details, compliance summary, and evaluation status of your AWS Config Rules. * Assessment Runs and Findings data from the Amazon Inspector service. * Management and change events from the AWS CloudTrail service. * VPC flow logs and other logs from the CloudWatch Logs service. * Performance and billing metrics from the AWS CloudWatch service. * Billing reports that you have configured in AWS. * S3, CloudFront, and ELB access logs. * Generic data from your S3 buckets. * Generic data from your Kinesis streams. * Generic data from SQS. * Security events from Amazon Security Lake This add-on provides modular inputs and CIM-compatible knowledge to use with other apps, such as the Splunk App for AWS, Splunk Enterprise Security and Splunk IT Service Intelligence. Versions 5.0.0 and later of the Splunk Add-on for AWS is compatible only with Splunk Enterprise version 8.0.0 and above.

*** Important: Read upgrade instructions and test add-on update before deploying to production *** The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the documented upgrade instructions to avoid data loss. A best practice is to test the upgraded version in a non-production environment before deploying to production. Neither the Splunk Add-on for Windows DNS version 1.0.1 nor the Splunk Add-on for Windows Active Directory version 1.0.0 is supported when installed alongside the Splunk Add-on for Windows version 6.0.0. The Splunk Add-on for Windows version 6.0.0 includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory. The Splunk for Microsoft Windows add-on includes predefined inputs to collect data from Windows systems and maps to normalize the data to the Common Information Model.

The Splunk Add-on for Google Cloud Platform allows a Splunk software administrator to collect google cloud platform events, logs, performance metrics and billing data using Google Cloud Platform API. After the Splunk platform indexes the events, you can analyze the data using the prebuilt panels included with the add-on. You can then directly analyze the data or use it as a contextual data feed to correlate with other Google Cloud-related data in the Splunk platform.

The Splunk Add-on for Microsoft Cloud Services allows a Splunk software administrator to pull activity logs, service status, operational messages, Azure audit, Azure resource data and Azure Storage Table and Blob data from a variety of Microsoft cloud services using Event Hubs, Azure Service Management APIs and Azure Storage API. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance and Splunk IT Service Intelligence.

*** Important: Read upgrade Instructions and test add-on update before deploying to production *** There are changes to default indexes and .conf changes in version 6.0 of Splunk Add-on for Unix and Linux that can break an existing installation if upgrade instructions are not followed in detail. If an existing Splunk Add-on for Unix and Linux is being upgraded, please test in a non-production environment first. The Splunk Add-on for Unix and Linux works with the Splunk App for Unix and Linux to provide rapid insights and operational visibility into large-scale Unix and Linux environments. With its new pre-packaged alerting capability, flexible service-based hosts grouping, and easy management of many data sources, it arms administrators with a powerful ability to quickly identify performance and capacity bottlenecks and outliers in Unix and Linux environments.

The Splunk Machine Learning Toolkit delivers new SPL commands, custom visualizations, assistants, and examples to explore a variety of ML concepts. Each assistant includes end-to-end examples with datasets, plus the ability to apply the visualizations and SPL commands to your own data. You can inspect the assistant panels and underlying code to see how it all works. MLTK Quick Reference Guide: https://docs.splunk.com/images/3/3f/Splunk-MLTK-QuickRefGuide-2019-web.pdf Assistants: * Predict Numeric Fields (Linear Regression): e.g. predict median house values. * Predict Categorical Fields (Logistic Regression): e.g. predict customer churn. * Detect Numeric Outliers (distribution statistics): e.g. detect outliers in IT Ops data. * Detect Categorical Outliers (probabilistic measures): e.g. detect outliers in diabetes patient records. * Forecast Time Series: e.g. forecast data center growth and capacity planning. * Cluster Numeric Events: e.g. cluster business anomalies to reduce noise. Smart Assistants (new assistants with revamped UI and better ml pipeline/experiment management): * Smart Forecasting Assistant:: e.g. forecasting app logons with special days. * Smart Outlier Detection Assistant: e.g. find anomalies in supermarket purchases. * Smart Clustering Assistant: e.g. cluster houses by property descriptions. * Smart Prediction Assistant: e.g. predict vulnerabilities in firewall data. Available on both on-premises and cloud. (c) Splunk 2024. All rights reserved.

The Common Information Model is a set of field names and tags which are expected to define the least common denominator of a domain of interest. It is implemented as documentation on the Splunk docs website and JSON data model files in this add-on. Use the CIM add-on when modeling data or building apps to ensure compatibility between apps, or to just take advantage of these data models to pivot and report.

The Splunk Event Generator (Eventgen) is a utility which allows its users to easily build real-time event generators. Eventgen allows an app developer to get events into Splunk to test their applications. It provides a somewhat ridiculous amount of configurability to allow users to simulate real data. To join the development community, please go to https://github.com/splunk/eventgen. For documentation, please go to the Eventgen Documentation(http://splunk.github.io/eventgen/).

Splunk DB Connect is a generic SQL database extension for Splunk that enables easy integration of database information with Splunk queries and reports. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, Teradata, InfluxDB and MongoDB Atlas & Standalone. Use Splunk DB Connect's Inputs to import structured data for powerful indexing, analysis, and visualization. Use Outputs to export machine data insights to a legacy database to increase your organization's insight. Use Lookups to add meaningful information to your event data by referencing fields in an external database. Use query commands to build live dashboards mixing structured and unstructured data.

Get started with Splunk for Security with Splunk Security Essentials (SSE). Explore security use cases and discover security content to start address threats and challenges. Security Content Library Find security content for Splunk Cloud and Splunk's SIEM and SOAR offerings and deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Cybersecurity Frameworks Identify gaps in your defenses and take control of your security posture with automatic mapping of data and security detections to MITRE ATT&CK® and Cyber Kill Chain® framework. Data and Content Introspection Gain visibility of the data coming into your environment to add context and telemetry to security events. Enrich your security detections with metadata and tags from the Security Content Library. Security Data Journey Get prescriptive security and data recommendations and establish a data strategy to develop a security maturity roadmap. We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. This means that if you have SSE version 3.7.1 or lower, the last supported ESCU version is ESCU 4.22.0. In order to get the latest ESCU version, you will need to upgrade SSE to version 3.8.0. Learn more: Download the Product Brief : https://www.splunk.com/pdfs/product-briefs/splunk-security-essentials.pdf Try out Splunk Security Essentials: https://www.splunk.com/en_us/form/splunk-security-essentials-online-demo.html Check out the Documentation site: https://docs.splunk.com/Documentation/SSE

Ever want to edit a lookup within Splunk with a user interface? Now you can. This app provides an Excel-like interface for editing, importing, and exporting lookup files (KV store and CSV-based). This app also makes your lookups work in Search Head Clustered environments (edits to lookups will be propagated to other search heads). Revision history is maintained for lookups so that you can view or restore older lookups quickly in the interface. Check out the Documentation site: https://docs.splunk.com/Documentation/LookupEditor https://docs.splunk.com/Documentation/LookupEditor/4.0.4/User/Whatsnew

The Splunk Add-on for Okta Identity Cloud: - Handles System Log event ingestion using Okta's REST API endpoints and simplifies data correlation. - Can periodically ingest Okta Universal Directory (UD) data, including users, groups, and apps. This data is not treated as time-series events. - Provides the inputs and CIM-compatible knowledge to use with other Splunk apps. The Splunk Add-on for Okta Identity Cloud provides complete data collection parity with the Okta Identity Cloud Add-on for Splunk, and corresponding features except the following two adaptive response actions: 1) Updating user's lifecycle/status, 2) Add or Remove a user from a group. In addition to this, Splunk built TA provides comprehensive CIM coverage, high reliability and multiple features and enhancements. Please see the Reference section of the documentation for more details. The Splunk Add-on for Okta Identity Cloud provides support of the below-mentioned sourcetypes: OktaIM2:log OktaIM2:user OktaIM2:group OktaIM2:app OktaIM2:groupUser OktaIM2:appUser

This app (also known as SA-ldapsearch) provides support functions to the Content Pack for Windows Dashboards and Reports (https://docs.splunk.com/Documentation/CPWindowsDash/latest/CP/About), Content Pack for Microsoft Exchange (https://docs.splunk.com/Documentation/CPExchange/latest/CP/About) that enable you to extract information from an Active Directory database. For instance, you can search Active Directory for records, presenting the records as events, or augment existing events with information from Active Directory based on information within the events.

The Splunk Add-on for Microsoft Security collects incidents and alerts from Microsoft 365 Defender OR alerts from Microsoft Defender for Endpoint. Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation. https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate Customers migrating from Microsoft 365 Defender Add-on for Splunk who would like to continue using the dashboards it includes should install Microsoft 365 App for Splunk, as the functionality has been moved there. https://splunkbase.splunk.com/app/3786/ Microsoft 365 Defender Incidents * Incident (impossible travel, activity from Tor IP, suspicious inbox forwarding, successful logon using potentially stolen credentials, etc.) * Assignee * Classification * Severity * Status * Alerts associated with the Incident Microsoft Defender for Endpoint Alerts * Categories (Malware, Initial Access, Execution, etc.) * Detection source * Evidence * Computer name * Related user * Severity * Status

This add-on contains a Python interpreter bundled with the following scientific and machine learning libraries: numpy, scipy, pandas, scikit-learn, and statsmodels. With this add-on, you can import these powerful libraries in your own custom search commands, custom rest endpoints, modular inputs, and so forth. This add-on is available for Linux (64-bit), Windows (64-bit) and Mac. Make sure you install the appropriate one for your Splunk deployment.

The Splunk ES Content Update (ESCU) app delivers pre-packaged Security Content. ESCU provides regular Security Content updates to help security practitioners address ongoing time-sensitive threats, attack methods, and other security issues. Security Content consists of tactics, techniques, and methodologies that help with detection, investigation, and response. Security Content enables security teams to directly operationalize detection searches, investigative searches, and other supporting details. ESCU can generate Notable/Risk Events in Splunk Enterprise Security. Security Content also contains easy-to-read background information and guidance, for key context on motivations and risks associated with attack techniques, as well as pragmatic advice on how to combat those techniques. The analytic stories and their searches are also available at - https://github.com/splunk/security_content.

This app supports investigative actions against a Microsoft Azure SQL Server

This App exposes various Phantom APIs as actions

This app integrates with JIRA to perform several ticket management actions

This app integrates with the VirusTotal cloud to implement investigative and reputation actions using v3 APIs

This app provides the ability to send email using SMTP

This app integrates with Splunk to update data on the device, in addition to investigate and ingestion actions

This app implements URL investigative capabilities utilizing PhishTank

This app integrates with ServiceNow to perform investigative and generic actions

This app performs email ingestion, investigative and containment actions on an on-premise Exchange installation

Integrate with Slack to post messages and attachments to channels

This app integrates with the Windows Remote Management service to execute various actions

This app integrates with the Screenshot Machine service

App specifically designed for interacting with Microsoft Active Directory's LDAP Implementation

This app supports email ingestion and various investigative actions over IMAP

This app implements investigative actions that query the whois database

This app integrates with Microsoft System Center Configuration Manager (SCCM) to execute investigative and generic actions