Author | BlueCat |
---|---|
App Version | 1.3.0 |
Vendor Products | BlueCat DNS Edge |
Has index-time operations | false |
Create an index | false |
Implements summarization | false |
The BlueCat DNS Edge for Splunk app provides basic visualizations and alerts for BlueCat DNS Edge API data. This app is intended to work with data provided by the BlueCat DNS Edge Technical Add-on for Splunk modular input (link). This app provides a simple search interface and alert framework for DNS administrators and security professionals to review, monitor, and alert on policy events from their BlueCat DNS Edge service points.
No scripts or binaries included.
Version 1.3.0 of BlueCat DNS Edge for Splunk is compatible with:
Splunk Enterprise versions | 7.0 |
---|---|
CIM | 4.9.1 |
Platforms | Platform independent |
Vendor Products | BlueCat DNS Edge |
Lookup file changes | Initial lookup creation |
BlueCat DNS Edge for Splunk includes the following new features:
Version 1.3.0 of BlueCat DNS Edge for Splunk fixes the following issues:
Version 1.3.0 of BlueCat DNS Edge for Splunk has the following known issues:
Version 1.3.0 of BlueCat DNS Edge for Splunk incorporates the following third-party software or libraries.
BlueCat DNS Edge for Splunk has been tested on standalone Splunk instances that meet the minimum reference hardware specifications. The impact of search queries varies depending on the number of policy events being collected and the time range searched over.
Questions and answers
General Splunk troubleshooting advice can be found on answers.splunk.com
Support
Please contact edge-splunk@bluecatnetworks.com for support.
BlueCat DNS Edge for Splunk can be installed on any server that meets the Splunk reference hardware specifications.
BlueCat DNS Edge for Splunk does not require any additional software.
Because this app runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download BlueCat DNS Edge for Splunk from Splunkbase
BlueCat DNS Edge for Splunk is only required on Splunk Search Heads and should be installed alongside the BlueCat DNS Edge Technical Add-on for Splunk. BlueCat DNS Edge for Splunk relies on data collected by the BlueCat DNS Edge Technical Add-on for Splunk. Install the TA as per the included instructions, configure inputs, and verify data is flowing into Splunk successfully before using this app.
To install and configure this app on your Splunk Search Head, follow these steps:
Return to the Splunk Home page and select "BlueCat DNS Edge for Splunk". On this page you can review Policy Event details. The "Policies" dropdown will not work until there is Policy Detail data and a lookup has been generated. To generate a Policy Details lookup table quickly, simply visit the "Policy Details" page. On this page you can review details about individual policies.
On the Policy Alerts page, users can select policy events they wish to be alerted about. Select a policy, select whether to enable or disable the policy, and click Submit. To modify the settings for this alert, navigate to Settings > Searches, Reports, and Alerts > BlueCat DNS Edge - Policy Alerts. There users can configure alert actions (email, ticket, scripts, etc.) and modify the alert schedule.
This app is used to analyze data collected with the BlueCat DNS Edge Technical Add-on for Splunk. Knowledge objects for BlueCat DNS Edge data are defined in the technical add-on, which should also be installed on the search head.
BlueCat DNS Edge for Splunk contains 2 lookup files:
Lookup name | Description |
---|---|
bluecat_dns_edge_policies | A table of policies defined on BlueCat DNS Edge service points. |
bluecat_dns_edge_policy_alerts | A table of policies indicating which ones Splunk will actively alert on. |
After selecting which policies to alert on, make sure to enable the saved search BlueCat DNS Edge - Policy Alerts in the Searches, Reports, and Alerts menu.
Verify the lookup table bluecat_dns_edge_policy_alerts.csv has active alerts (the "Alerts" column will say "Active" for a given policy): `| inputlookup bluecat_dns_edge_policy_alerts`
Verify the Saved Search "BlueCat DNS Edge - Policy Alerts" is enabled
Verify email settings are configured on this Splunk server and the "BlueCat DNS Edge - Policy Alerts" search is configured with email as an alert action
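The three checks above can be run offline against the app's artifacts. The following Python script is an added example, not part of the app or of this page: it reads a constructed copy of the bluecat_dns_edge_policy_alerts.csv lookup and a constructed savedsearches.conf fragment for the "BlueCat DNS Edge - Policy Alerts" saved search, and reports whether each check passes. The "Alerts" column and the "Active" value are taken from the page; the "policy" column name, the sample policy names and the recipient address are assumptions. The `disabled`, `enableSched`, `action.email` and `action.email.to` keys are standard Splunk savedsearches.conf settings; that the app's alert is stored under a stanza matching its saved search name follows from how Splunk names saved searches.

```python
import configparser
import csv
import io

# Constructed sample of bluecat_dns_edge_policy_alerts.csv. The "Alerts" column and
# the "Active" value come from the page; the "policy" column name is an assumption.
SAMPLE_LOOKUP_CSV = """policy,Alerts
Block-Malware-Domains,Active
Monitor-DGA,Inactive
Block-Phishing,Active
"""

# Constructed fragment of savedsearches.conf for the app's alert. The stanza name is
# the saved search name from the page; the keys are standard Splunk settings.
SAMPLE_SAVEDSEARCHES_CONF = """[BlueCat DNS Edge - Policy Alerts]
disabled = 0
enableSched = 1
cron_schedule = */5 * * * *
action.email = 1
action.email.to = soc@example.com
"""

ALERT_STANZA = "BlueCat DNS Edge - Policy Alerts"


def active_policies(lookup_csv: str) -> list:
    """Check 1: return the policies whose Alerts column reads 'Active'."""
    reader = csv.DictReader(io.StringIO(lookup_csv))
    return [row["policy"] for row in reader
            if (row.get("Alerts") or "").strip() == "Active"]


def _load_stanza(conf_text: str, stanza: str) -> dict:
    """Parse one stanza of a Splunk .conf file into a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. 'enableSched'
    cp.read_string(conf_text)
    return dict(cp[stanza]) if cp.has_section(stanza) else {}


def saved_search_enabled(conf_text: str, stanza: str = ALERT_STANZA) -> bool:
    """Check 2: the saved search exists, is not disabled, and is scheduled."""
    s = _load_stanza(conf_text, stanza)
    return bool(s) and s.get("disabled", "0") == "0" and s.get("enableSched", "0") == "1"


def email_action_configured(conf_text: str, stanza: str = ALERT_STANZA) -> bool:
    """Check 3: the email alert action is on and has at least one recipient."""
    s = _load_stanza(conf_text, stanza)
    return s.get("action.email", "0") == "1" and bool(s.get("action.email.to", "").strip())


def troubleshoot(lookup_csv: str, conf_text: str) -> dict:
    """Run all three checks; each value is True when that check passes."""
    return {
        "lookup_has_active_alerts": len(active_policies(lookup_csv)) > 0,
        "saved_search_enabled": saved_search_enabled(conf_text),
        "email_action_configured": email_action_configured(conf_text),
    }


if __name__ == "__main__":
    for check, ok in troubleshoot(SAMPLE_LOOKUP_CSV, SAMPLE_SAVEDSEARCHES_CONF).items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

The script only inspects the search's own stanza; the server-wide mail server settings that the third step also refers to live elsewhere in the Splunk configuration and are not parsed here. A failing first check means the Policy Alerts page has not yet been used to activate any policy, which is the most common reason the saved search runs but never fires.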
Simply follow the same steps listed in "Installation Steps" but make sure the checkbox for "upgrade" is selected.
Search for DNS policy events on the "Policy Events" dashboard (e.g. DNS events from specific sources)
Receive email alerts for specific policy event triggers (e.g. blacklisted domains).