Cisco/OpenDNS Umbrella/Investigate: so many apps, ...

woodcock · ‎06-02-2022

Here is what is on Splunkbase (maybe others, too):
Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub)
Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/
Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/
(https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-cred...
Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/

There is clearly a great deal of duplication and I am VERY confused about what is what and which to use.
There are at least 2 things to be done:
1: Data Input: Pull in security events.
2: Ad-Hoc Lookup: Enrich Splunk events with threat detail.

I am hoping for 2 kinds of help:
1: A suggestion on which apps to use.
2: Step-by-step details on how to set each up.

Golgie · ‎11-03-2022

Hey, did you ever set investigate up?

I have umbrella logs going to our s3 buckit and pulling that data in with the cisco cloud security umbrella addon.

Not really sure if I need to fully setup cisco cloud security app. This is the app found in the github presentation. Thanks.

Cisco/OpenDNS Umbrella/Investigate: so many apps, so many options ... What is best?

modular input

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?