Cisco/OpenDNS Umbrella/Investigate: so many apps, ...

woodcock · ‎06-02-2022

Here is what is on Splunkbase (maybe others, too):
Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub)
Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/
Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/
(https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-cred...
Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/

There is clearly a great deal of duplication and I am VERY confused about what is what and which to use.
There are at least 2 things to be done:
1: Data Input: Pull in security events.
2: Ad-Hoc Lookup: Enrich Splunk events with threat detail.

I am hoping for 2 kinds of help:
1: A suggestion on which apps to use.
2: Step-by-step details on how to set each up.

Golgie · ‎11-03-2022

Hey, did you ever set investigate up?

I have umbrella logs going to our s3 buckit and pulling that data in with the cisco cloud security umbrella addon.

Not really sure if I need to fully setup cisco cloud security app. This is the app found in the github presentation. Thanks.

Cisco/OpenDNS Umbrella/Investigate: so many apps, so many options ... What is best?

modular input

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation