icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Splunkbase will be undergoing a scheduled migration and will be unavailable on Saturday, Oct 1, 2022, from 11AM to 3PM PDT

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Cisco Endpoint Security Analytics (CESA)
SHA256 checksum (cisco-endpoint-security-analytics-cesa_406.tgz) f29c6f4d047c550481414c5974c74f575409c1d1f37f64cac6a03b51f081f376 SHA256 checksum (cisco-endpoint-security-analytics-cesa_405.tgz) 4b96353ae9442b0dea6bf35edf6fb12bf7cfdf6758a1d24fb7b833c1c4b5cc1b SHA256 checksum (cisco-endpoint-security-analytics-cesa_402.tgz) 90028603e31883550ebbaa7fb97ba6429c874ac7ca6af2a2b7f8e574428cf4f8 SHA256 checksum (cisco-endpoint-security-analytics-cesa_401.tgz) ee0a8bbe552948e35b8f15238a8102284e3be24291ad5a301e8129645eb5539b SHA256 checksum (cisco-endpoint-security-analytics-cesa_400.tgz) b1469e3eeeab2b80eb2d283903d135a76f6c26535e15e3195618e6b7bbe308fd SHA256 checksum (cisco-endpoint-security-analytics-cesa_3110.tgz) 0f01ec948d0090a3fe0c62addd0c57f8375b75d473cb12eb3ffba49978a5e4b6 SHA256 checksum (cisco-endpoint-security-analytics-cesa_316.tgz) 945d66cbd152f0dab1dca4604d29ebc7b27d65048ac8f7f2ee1c3a635d6956a9 SHA256 checksum (cisco-endpoint-security-analytics-cesa_218.tgz) 24fef10b515a2ce30ab712a6fd6ca123ab601cb2f505d521a7db9970de4ea324
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Cisco Endpoint Security Analytics (CESA)

Splunk Cloud
Use and Cisco TAC support of this App and related Add-On require a purchase of Cisco Endpoint Security Analytics (CESA) endpoint license beginning v2.1.4. Please see the Cisco Supplemental End User License (SEULA) below for details. Under the SEULA, free use is permitted for: a) one 90-day trial/proof of value installation; b) on-going use for installations with 50 or fewer Cisco AnyConnect clients.

The Cisco Endpoint Security Analytics (CESA) App for Splunk allows IT administrators to analyze and correlate user and endpoint behavior in Splunk Enterprise. This app allows for visualization of data and pre-built reports for AnyConnect NVM as part of the Cisco Endpoint Security Analytics for Splunk solution (CESA). The solution provides greater visibility into endpoint behaviors from additional context such as user, device, application, location and destination for flows both on and off premise. It is used in conjunction with the Cisco Endpoint Security Analytics (CESA) Add-On for Splunk - https://splunkbase.splunk.com/app/4221/.

For more information visit the Cisco Endpoint Security Analytics (CESA) home page - https://www.cisco.com/go/cesa
Instant Demo ➜ https://cs.co/cesa-instant-demo
Proof of Value ➜ https://cs.co/cesa-pov


For more information about this solution refer to the Cisco Endpoint Security Analytics for Splunk (CESA) home page.


Cisco Endpoint Security Analytics for Splunk (CESA) consists of 3 components:

  • The Splunk App - 2992 with pre-designed Dashboards to visualize and view the data.
  • The Splunk Add-on - 4221 which provides data indexing and formatting inside Splunk Enterprise.
  • The CESA Collector Component which is responsible for collecting and translating all IPFIX (nvzFlow) data from the endpoints and forwarding it to the Splunk Add-on. This is a manually installed component that requires 64-bit Linux (see NVM COLLECTOR COMPONENT INSTALLATION section for more information).


Below is a high level overview of a deployment in its simplest form.
This would be an all-in-one configuration running on 64-bit Linux.
This configuration is how most demonstrations will be setup and is also useful in a small production deployment.

Below is a more comprehensive set of options that are available for deployment.
Typically a production setup will be distributed and have several Splunk Enterprise nodes.


The Application should be installed on the Search Head or Indexer, either through the UI via “Manage Apps” or by extracting the archive into /opt/splunk/etc/apps folder.

The Splunk Add-on should be installed following the Splunk Best Practices Instructions for Add-ons

Please restart the Spunk Server after installation of both components is completed.
You can confirm that both components are properly installed by viewing them in "Manage Apps"

After completing this step, refer to the NVM collector installation section below. The collector must be running before data will be available to the Splunk components.

The default configuration receives three data feeds for Splunk, Per Flow Data, Endpoint System Data and Endpoint Interface Data, on UDP ports 20519, 20520 and 20521 respectively. This can be changed in the Application Input settings in Splunk if for some reason you needed to change the collector configuration as described below.
The Add-On maps these to Splunk sourcetypes cisco:nvm:flowdata, cisco:nvm:sysdata and cisco:nvm:ifdata.

NOTE: Because sourcetypes have changed older data generated from version 1.x will not map to the UI dashboards.


The NVM collector runs on 64-bit Linux. CentOS, Ubuntu and Docker configuration scripts are included. The CentOS install scripts and configuration files can also be used in Fedora and Redhat distributions.

In a typical distrubuted Splunk Enterprise deployment, the collector should be run on either a standalone 64-bit Linux system or a Splunk Forwarder node running on 64-bit Linux.

NOTE: The solution can also be run on a single 64-bit Linux system that includes the NVM collector and Splunk Enterprise components for use in a small deployment or for demonstration purposes.

In order to install the collector you will need to copy the application in the acnvmcollector.zip file, located in the [YOUR_SPLUNK_SERVER]/$APP_DIR$/appserver/addon/ directory to the system you plan to install it on.

Extract the files on the system where you plan to install the collector on and execute the install.sh script with super user privileges. It is recommended to read the $PLATFORM$_README file in the .zip bundle before executing the install.sh script. The $PLATFORM$_README file provides information on the relevant configuration settings that need to be verified and modified (if necessary) before the install.sh script is executed. At a minimum, you will need to configure the address of the Splunk instance you will be forwarding data to. Failing to properly configure the system can cause the collector to operate incorrectly.

NOTE: Ensure that network and host firewalls are properly configured to allow the UDP traffic for the source and destination addresses and ports

A single NVM collector instance can handle a minimum of 5000 flows per second on a properly sized system.

The collector needs to be configured and running before the Splunk App can be used.
By default, the collector receives flows from AnyConnect NVM endpoints on UDP port 2055.
Additionally, the collector produces three data feeds for Splunk, Per Flow Data, Endpoint System Data and Endpoint Interface Data, on UDP ports 20519, 20520 and 20521 respectively.

The receive and data feed ports can be changed by altering the acnvm.conf file and restarting the collector instance. Make sure that any host/network firewalls between endpoints and the collector or between the collector and Splunk system(s) are open for the configured UDP ports and addresses. Also ensure that your AnyConnect NVM configuration matches your collector configuration. Refer to the AnyConnect Administration Guide for more information.

Once all components are installed and running, refer to the Help files section from within the Splunk application for detailed information about the pre-configured reports, data model and information elements that are created by the solution.

You may want to restart one of your AnyConnect endpoints and validate that data is being sent to the solution.

Some additional information is available at this Cisco Community Site that you might find useful.


Recommended hardware requirements for a standalone NVM Collector instance running on 64-bit Linux:
NVM Collector multiprocess mode enabled (on by default)

  • Upto 1000 endpoints / server instance:

    • CPU cores: 6 cores / 2.2 GHz (x86 64-bit)
    • RAM size: 8 GB
    • Combined IOPS: 800 IOPS
    • Disk sub-system: Any (minimum 10k RPM)
    • Total Disk Capacity: 50 GB
  • 1000-5000 endpoints / server instance:

    • CPU cores: 8 cores / 2.4 GHz (x86 64-bit)
    • RAM size: 16 GB
    • Combined IOPS: 1000 IOPS
    • Disk sub-system: Any (minimum 10k RPM)
    • Total Disk Capacity: 50 GB
  • 7500-10,000 endpoints / server instance:

    • CPU cores: 12 cores / 2.6 GHz (x86 64-bit)
    • RAM size: 24 GB
    • Combined IOPS: 1200 IOPS
    • Disk sub-system: Any (minimum 10k RPM)
    • Total Disk Capacity: 50 GB


Splunk Developers who are interested in learning more about the AnyConnect NVM protocol and overall solution can go to the Cisco DevNet site for more information.


This app is written and maintained by Cisco (nvzFlow at cisco dot com). Be sure to read the above sections for initial assistance with setup and configuration. See Supplemental End User License as well as the Cisco Endpoint Security Analytics for Splunk home page for more information.

Release Notes

Version 4.0.6
April 1, 2022

Updated App for Splunk Cloud Compliance
Updated default query caching times in savedsearches.conf
*Updated event time to use fss time with default max look ahead configured

Version 4.0.5
Dec. 10, 2021

*Fixed inputlookup error on asset inventory analytics page

Version 4.0.2
Oct. 11, 2021

Updated cloud compliance tags in SimpleXML
Fixed bug in Destination Addresses
Third party links now open in new tabs
Added new screens to navigation

Version 4.0.1
Aug. 24, 2021

*Fixed a query bug with unresolved DNS entries that were supposed to show the domain address in place of "Unknown"

Version 4.0.0
July 20, 2021

Updated dashboards to include process path and parameter visualizations
Changed the default DNS values from "Unknown" to the Ip Address of the destination host
*Removed redundant documentation that can be found on the Cisco AnyConnect reference site

Version 3.1.10
March 19, 2021

Fixed bug in Users Disabling Endpoints Analytic
Fixed Process Listing drill down

Version 3.1.6
Oct. 23, 2020

Synced versioning with the TA app
Removed embedded binary for the NVM collector which only resides in the TA

Version 2.1.8
May 27, 2020

Version 2.1.8
Modified the app setup page to include config options for the crons in savedsearches.conf
Defaulted crons to 5 min refresh rates
Changed Process Listing metric to show log vs linear scale, making it easier to identify less common anomalies
Added monitoring frequency filter to the Security Evasion metric

If you are having Docker related issues - email nvzFlow@cisco.com for instructions on how to address it. An update will be posted soon.

2.x supports a new look and feel in addition to several new reports with a focus on Split Tunneling (remote workers) and Split Networking (office workers using insecure wifi and secure wifi at the same time) monitoring. The new dashboards are organized into several use cases identified below. It's important to note that many of the dashboards help identify potential threats and aid in the investigative process, however that does not necessarily indicate an attack or compromise occurred.

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.