COLLECTION

Detection and Response

Collect data across multiple security layers and manage threats quickly. Provide comprehensive protection for your organization.

Endpoint

Pull in endpoint detections to jump start your detection and response workflows.

ServiceNow Security Operations Addon
By ServiceNow SecOps Applications
The ServiceNow Security Operations add-on allows Splunk to create security-related incidents and events in ServiceNow. It features:
• On-demand single ServiceNow event or incident creation from a Splunk event
• Scheduled alerts to create single and multiple ServiceNow events and incidents
platform
Splunk Enterprise
rating
(9)
developer supported addon
Cybereason For Splunk
By Cybereason
The Cybereason App for Splunk enables you to gain deep insight & visibility into your endpoints, detect advanced attacks based on AI hunting, and take response actions within Splunk. The Cybereason AI Hunting Engine automatically asks a complex set of questions of data collected from all of your endpoints at a rate of 8 million calculations per second, 24 hours a day, 7 days a week. This means the solution is continuously hunting on your behalf by asking the same sorts of questions advanced security analysts would ask as they hunt for threats inside an environment. The difference, however, is that the Cybereason malicious activity models run constantly, and continually adapt and evolve according to the data the solution receives and analyzes.
platform
Splunk Enterprise, Splunk Cloud
rating
(5)
developer supported app
CrowdStrike App
By CrowdStrike
The CrowdStrike App leverages Splunk's ability to provide rich visualizations and drill-downs to enable customers to visualize the data that the CrowdStrike OAuth2 based Technical Add-Ons provide. Details about detections, detection events, incidents, policy and group creations/modifications/deletions and Intelligence Indicator information (for intel customers)
platform
Splunk Enterprise, Splunk Cloud
rating
(3)
developer supported app
CarbonBlack
By Anas Faruqui
The Splunk App for CarbonBlack and Bit9 Security Platform enables users to take advantage of the powerful visualization and analysis capabilities within Splunk to enhance actionable intelligence faster during investigations and audits
platform
Splunk Enterprise
rating
(0)
archived app
Network

Track lateral movement or monitor agentless endpoints, like internet of things or operational technology devices.

Palo Alto Networks App for Splunk
By Palo Alto Networks
The Palo Alto Networks Add-on for Splunk has been deprecated and will soon be archived. View Details page for more information.
platform
Splunk Enterprise
rating
(55)
archived app
Darktrace App for Splunk
By Darktrace PLC
Darktrace, a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Its technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. Breakthrough innovations from its R&D Centers have resulted in over 145 patent applications filed. Darktrace employs over 2,200 people around the world and protects c.8,800 organizations globally from advanced cyber-threats.
platform
Splunk Enterprise, Splunk Cloud
rating
(8)
developer supported app
Cisco StealthWatch Add-On
By Nadhem AlFardan
If you have Cisco StealthWatch and Splunk, then a CIM-compatible add-on would be required to properly parse the data. The Intrusion_Detection data model is used.
platform
Splunk Enterprise
rating
(3)
archived addon
ExtraHop Add-On for Splunk
By ExtraHop Networks
The ExtraHop Add-On for Splunk enables you to export ExtraHop Reveal(x) network detection and response metrics and detections as Splunk events. You can export metrics about any devices, device groups, applications, and networks from Reveal(x).
platform
Splunk Enterprise, Splunk Cloud
rating
(5)
developer supported addon
Server/Cloud Workload Monitoring

Keep an eye on containers and serverless functions in your cloud infrastructure.

Splunk App for AWS
By Splunk LLC
To provide the best experience for Splunk users who want to monitor their infrastructure, Splunk is refocusing engineering efforts on our IT Essentials Work and IT Service Intelligence (ITSI) offerings. As a result, on April 30, 2021, we announced plans to stop selling the Splunk App for AWS. We also announced an End of Life plan for Splunk App for AWS at that time. To provide complete functional equivalence and to make sure that our IT Essentials Work and ITSI users have enough time to plan a migration to the new Splunk App for Content Packs, including the Content Pack for Amazon Web Services Dashboards and Reports, we have decided to extend the End of Life date for Splunk App for AWS to 15th July 2022. You should use the Content Pack for Amazon Web Services Dashboards and Reports for IT monitoring use cases. If you use the Splunk App for AWS for security dashboards, please plan for migrating to the Splunk App for AWS Security Dashboards (https://splunkbase.splunk.com/app/6311/). Read this article for more information: https://community.splunk.com/t5/Product-News-Announcements/Splunk-App-for-AWS-Extending-the-End-of-Life-EOL-and-End-of/ba-p/574671
platform
Splunk Enterprise
rating
(42)
archived app
Splunk Add-on for Google Cloud Platform
By Splunk LLC
The Splunk Add-on for Google Cloud Platform allows a Splunk software administrator to collect Google Cloud Platform events, logs, performance metrics and billing data using the Google Cloud Platform API. After the Splunk platform indexes the events, you can analyze the data using the prebuilt panels included with the add-on. You can then directly analyze the data or use it as a contextual data feed to correlate with other Google Cloud-related data in the Splunk platform.
platform
Splunk Enterprise, Splunk Cloud
rating
(10)
splunk supported addon
Microsoft Azure App for Splunk
By Splunk Works
The Microsoft Azure App for Splunk contains dashboards for data collected from:
platform
Splunk Enterprise, Splunk Cloud
rating
(5)
not supported
AWS EC2
By Splunk LLC
This app integrates with AWS Elastic Compute Cloud (EC2) to perform virtualization actions
platform
SOAR On-Prem, SOAR Cloud
rating
(0)
splunk supported connector
Identity

Link attacks to users and proactively block attacks from potentially compromised accounts.

PingFederate App for Splunk
By Ping Identity
Developed by Ping Identity, the PingFederate App for Splunk gathers and presents transaction metrics from PingFederate via a series of customized reports and graphical illustrations. The application enables identity and access management (IAM) administrators, architects, and security managers to easily obtain custom reporting for all PingFederate log data, view each authentication event per app and authentication source, and analyze that event data over time. The customized reports display key events across account management, Identity Provider, Service Provider and OAuth Authorization Server transactions.
platform
Splunk Enterprise
rating
(7)
developer supported app
Splunk Supporting Add-on for Active Directory
By Splunk LLC
This app (also known as SA-ldapsearch) provides support functions to the Content Pack for Windows Dashboards and Reports (https://docs.splunk.com/Documentation/CPWindowsDash/latest/CP/About) and the Content Pack for Microsoft Exchange (https://docs.splunk.com/Documentation/CPExchange/latest/CP/About) that enable you to extract information from an Active Directory database. For instance, you can search Active Directory for records, presenting the records as events, or augment existing events with information from Active Directory based on information within the events.
platform
Splunk Enterprise
rating
(45)
splunk supported addon
Okta Identity Cloud Add-on for Splunk
By Okta Inc
Using Okta Identity Cloud REST APIs, the Okta Identity Cloud Add-on for Splunk allows a Splunk® administrator to collect data from the Okta Identity Cloud. The Add-on collects data related to:
• Event log information
• User information
• Group and Group Membership information
• Application and Application Assignment information
platform
Splunk Enterprise
rating
(14)
archived addon
AWS IAM
By Splunk LLC
This app integrates with Amazon Web Services Identity Access Management (AWS IAM) to support various containment, corrective and investigate actions
platform
SOAR On-Prem, SOAR Cloud
rating
(0)
splunk supported connector