Author: IronNet Cybersecurity Inc.
IronDefense is a Network Detection & Response (NDR) platform that improves visibility across the threat landscape and amplifies detection efficacy within your network environment, allowing your SOC team to be more efficient and effective with existing cyber defense tools, resources, and analyst capacity. IronDefense works closely with IronNet’s IronDome platform, which delivers the unique ability to automate real-time knowledge sharing and collaboration between and beyond sectors for faster threat detection.
The IronDefense Splunk App gives your SOC team:
- Enhanced visibility: Real-time insights across industry threatscapes, human insights into detected threats, and higher-order analysis of anomalies correlated across groups of peers via IronDome Collective Defense integration.
- Faster detection: Advanced network behavioral analysis that leverages proven AI/ML and analytics used to defend highly secure networks, allowing the ability to scale up analysis to the largest enterprises.
- Increased efficiency: Experienced insights — a “second pair of eyes” — from some of the nation’s top defenders, applied via IronDefense’s Expert System to supplement limited cyber staff and to enable faster, more effective prioritization and mitigation/response.
For more information about IronNet's IronDefense NDR platform, visit: https://www.ironnet.com/irondefense
For more information about IronNet's IronDome Collective Defense capability, visit: https://www.ironnet.com/irondome
The IronNet App for Splunk supports the following Splunk Enterprise platforms:
Under the ironnet_splunk/config directory you will find a config.xml file. Settings in this file control advanced features of the IronNet App for Splunk and are unlikely to require changing for most users.
Should changes be necessary, restart Splunk after making them so the new settings take effect.
Logs for the application can be found in $SPLUNK_HOME/var/log/ironnet_splunk/ironnet_splunk.log.
IMPORTANT: Please refer to the migration guide available in the IronNet Partner Portal when updating from an older version.
- Added capability to view event context for a selected alert.
- Added capability to view IronDome information for a selected alert.
- Passwords are now saved in the ironnet_splunk app directory. Please remove and recreate any existing inputs to prevent authentication issues.
- Bug fixes
*** CHANGELOG ***
- Added support to connect to IronDefense through a proxy.
- Reduced the alert summary table width to fit all columns in the browser window.
- Various bug fixes.
*** CHANGELOG ***
- The Alert Summary Table now loads 5x faster and uses less memory.
- Alerts in the Alert Summary Table can now be filtered by Environment, Category, Behavior, Risk Score, Severity, and Status.
- IronDome notification participant tags are now displayed in the "IronDome Participants" column on the IronDome Dashboard. (Requires IronDefense 3.3.7)
- Minor improvements and bug fixes.
*** CHANGELOG ***
- New feature to update/rate alerts directly in the App dashboard
- Minor bug fixes and UI improvements
*** NOTES ***
- This version of IronDefense App for Splunk will not be able to display historical events ingested with previous versions.
- After upgrading, you MUST recreate all IronDefense input configurations or modify the configurations to populate "IronAPI Host" and "IronAPI Port". The default value of "IronAPI Host" should be equal to "OpenAPI Host" and the default value of "IronAPI Port" is "6942".
- Updated to support Splunk Cloud
- Updated for Splunk Cloud
- Minor UI improvements
- Supports ingest of event entity attributes, which are also displayed on the events table. (Requires IronDefense 3.3.0)
- App will now notify users when the connection to OpenAPI has been lost.
- Adds a malicious notification count to the IronDome dashboard.
- You can now pivot to the TIR in IronVue from the Top Malicious Domains and IPs tables on the IronDome dashboard.
- Adds the ability to filter out notification types on the IronDome dashboard.
- Other improvements and bug fixes.
NOTE: If you are upgrading from a previous version, bump the server or restart Splunk to complete the installation process.
- Introduces a new feature to ingest IronDome notifications. (Requires IronDefense 3.2.5 and must be enabled on the input configuration page)
- Adds a new dashboard to view IronDome notifications.
- Fixed issue where new input configurations cannot be created.
- Event data sources are now displayed in the IronDefense dashboard under the "Raw Data Formats" columns. (Must have IronDefense v3.2.3 or greater)
- Minor bug fixes