Many organizations is IDS/IPS devices and software as their first line of defense against attackers. This app provides Splunk dashboards, forms, and reports which can be used to explore your IDS events across your different sourcetypes.
To do this, the app relies on the Splunk Common Information Model (CIM) for IDS attack events. This means that the app can report on any authentication data, as long as it has been on-boarded properly, and is available through the Intrusion Detection data model, including network, host, wireless, and application products.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it.
As mentioned above, the app uses the CIM for authentication events. The CIM allows you to take events from a number of sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
Provides a starting point for exploring your IDS events. Most panels will drill-down to other pages in the application.
A view based on the source of IDS events.
IDS events where attacks are launched against the same destination.
Panels which focus on events which all are from the same identified with the same signature.
A view focusing on attacks which fall into the same category (as defined in the events).
A form for finding events based on various field values.
Information about the sourcetypes which are present in the accelerated data.
This app has been tested with Splunk versions 6.6. This app should be installed on the same search head on which the Authentication data model has been accelerated.
This app depends on data models included in the Splunk Common Information Model Add-on, specifically the "Authentication" data model. Please review the information on installing and using the Splunk Common Information Model Add-on and information on configuring the acceleration on the data model.
The Splunk Common Information Model Add-on can be downloaded from Splunkbase.
This app has been tested with versions 4.9 of the CIM add-on.
In order to make the app respond and load quickly, accelerated data models are used to provide summary data. For this data to be available, the
Intrusion Detection data model must be accelerated. Information on how to enable acceleration for the
Intrusion Detection data model can be found here. The data model must be accelerated for the length of time for which you would like to see reporting.
This app should be installed on a search head where the
Intrusion Detection data model has been accelerated. More information on installing or upgrading Splunk apps can be found here.
Intrusion Detectiondata model (skip if you are installing on an ES search head).
Support for this app is provided on a best-effort basis. We have released this app for free, and want to help solve issues, and add features, but we also have day-jobs. The Github repo to report issues can be found here.
Need help? Use the Splunk community resources! I can be found on many of them:
This app was created by David Shpritz of Aplura, LLC.
Removed stray stanza in app.conf
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.