IMPORTANT: PREREQUISITES
At a minimum, you should have data from the following security sources collected by your Splunk environment:
The following free Splunk Add-ons must be installed before you can start using InfoSec App:
The following Data Models must be accelerated:
All data used by the InfoSec app must be Common Information Model (CIM)-compliant. The easiest way to accomplish that is to use CIM-compliant Splunk Add-ons for your security data sources.
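A quick way to confirm the two prerequisites above before opening the app is to run a few SPL searches from the search bar. The searches below are an added example, not part of the page or of the InfoSec app itself; they assume the CIM data model names the release notes refer to (Network_Sessions with its VPN dataset, Web, and Change) and that you have read access to those data models.

```spl
| tstats summariesonly=true count from datamodel=Web
| eval status=if(count>0, "accelerated and populated", "not accelerated or no CIM Web data")
```

Running the same `tstats summariesonly=true` search against `datamodel=Network_Sessions.VPN` and `datamodel=Change` tells you whether each model the app depends on is accelerated: `summariesonly=true` reads only the acceleration summaries, so a zero count (or no result) means either the model is not accelerated or no CIM-mapped events have reached it yet. To tell those two cases apart, drop the acceleration summaries and look at the raw mapping, for example `| datamodel Web Web search | head 100 | stats count by sourcetype, Web.action`; if a sourcetype you expect is missing here, the add-on for that source is either not installed or not producing CIM-compliant fields.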
WHERE TO INSTALL THE APP
The app can be installed on a standalone Splunk server, a Search Head or a Search Head Cluster. In a distributed environment do not install the app on Indexers; the app should only be installed on Search Head(s).
INFOSEC APP DOCUMENTATION
- Basic data quality checks and warnings added to Security Posture and Health dashboards
- Added detailed CIM data summary report to Health dashboard
- Switched to 'Change' CIM data model from deprecated 'Change Analysis' model
- Added links to InfoSec App documentation
- Added city and source information in Scanning Activity report on IDS/IPS dashboard
- Cosmetic changes to dashboards
- Bug fixes
- VPN Access dashboard is added under Search > Experimental Dashboards (requires CIM-compliant VPN data mapped to the VPN dataset of the Network Sessions data model, and the Sankey diagram visualization)
- Calculations of event counts on maps are fixed
- Display limit of 10,000 events introduced in investigation dashboards for all events with host/user
- Updated Health dashboard to list optional Sankey diagram visualization, optional VPN data
- Shortened main menu item names to accommodate lower resolution displays
- Reports are adjusted to better reflect fields extracted and not extracted by current Windows add-on
- Time axis is fixed for 360 reports on Security Posture dashboard
- Miscellaneous cosmetic fixes
- Added infosec_hosts and infosec_user lookups; the lookups provide additional user and host information on investigation dashboards
- Search > Lookups menu item is added and links to users and hosts lookups (requires Lookup Editor app: https://splunkbase.splunk.com/app/1724/)
- Network Traffic dashboard is split into Firewall and Network Traffic dashboards
- Panel showing installed required add-ons is added to Health and Stats dashboard
- Over 15 panels are added to dashboards under Continuous Monitoring and Advanced Threats
- Web CIM data model must be accelerated to display next gen firewall and/or web proxy data in Top Blocked Traffic Categories panel
- InfoSec Stats dashboard renamed to Health and Stats; the dashboard now shows count of events for each data model used by the app
- New app menu item Search > Experimental Dashboards
- New experimental Endpoints dashboard under Search > Experimental Dashboards (requires endpoint data to be sent to Splunk)
- Existing experimental Cloud Security dashboard is linked under Search > Experimental Dashboards (requires AWS data to be sent to Splunk)
- Intrusion Detection (IDS/IPS) dashboard: can now filter by allowed/blocked intrusion attempts
- Network Traffic dashboard > Network Communication Map: can now filter properly if network traffic app name has backslashes
- Several dashboards have references to advanced functionality available in Splunk Enterprise Security
- Additional Resources dashboard: added security journey stages, reference to Splunk Enterprise Security
- Bug fixes
Version 1.3.2 - February 1, 2019
Bug fixes:
- search for malware indicator on Security Posture dashboard;
- drilldowns on Compliance dashboard;
- app package manifest schema changed to v1.0.0 for compatibility with older Splunk Cloud versions