Getting Data In

Cisco/OpenDNS Umbrella/Investigate: so many apps, so many options ... What is best?

woodcock
Esteemed Legend

Here is what is on Splunkbase (maybe others, too):
Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub)
Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/
Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/
(https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-cred...
Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/

There is clearly a great deal of duplication and I am VERY confused about what is what and which to use.
There are at least 2 things to be done:
1: Data Input: Pull in security events.
2: Ad-Hoc Lookup: Enrich Splunk events with threat detail.

I am hoping for 2 kinds of help:
1: A suggestion on which apps to use.
2: Step-by-step details on how to set each up.


Golgie
Loves-to-Learn Lots

Hey, did you ever set Investigate up?

I have Umbrella logs going to our S3 bucket and am pulling that data in with the Cisco Cloud Security Umbrella add-on.

Not really sure if I need to fully set up the Cisco Cloud Security app. This is the app found in the GitHub presentation. Thanks.

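The two jobs the original question separates (pull the Umbrella log export in, then enrich the domain with threat detail) can be sanity-checked outside Splunk before you trust an add-on's field extractions. The following Python is an added example, not code from any of the Splunk apps listed above or from Cisco. It assumes the documented comma-separated field order of the Umbrella DNS log export as it lands in S3 (timestamp, policy identity, identities, internal IP, external IP, action, query type, response code, domain, categories); verify that order against the current Umbrella log-format documentation, since newer log versions append fields. The log lines and the threat-detail table are constructed stand-ins: in practice the table would be replaced by a per-domain Investigate query.

```python
import csv
import io
from typing import Dict, List

# Assumed field order of the Umbrella DNS log CSV export (check against current Umbrella docs).
DNS_LOG_FIELDS = [
    "timestamp", "policy_identity", "identities", "internal_ip", "external_ip",
    "action", "query_type", "response_code", "domain", "categories",
]

# Constructed sample lines in that layout; not real telemetry. Note the trailing dot on
# the domain and the comma-separated list inside the quoted categories field.
SAMPLE_DNS_LOG = (
    '"2024-01-16 17:48:41","jdoe","jdoe,HQ-Network","10.10.1.100","203.0.113.7",'
    '"Allowed","1 (A)","NOERROR","example.com.","Business Services,Software/Technology"\n'
    '"2024-01-16 17:48:42","jdoe","jdoe,HQ-Network","10.10.1.100","203.0.113.7",'
    '"Blocked","1 (A)","NOERROR","bad.example.net.","Malware"\n'
)

# Constructed stand-in for threat detail returned per domain by an enrichment lookup
# (hypothetical values, keyed by normalized domain).
THREAT_LOOKUP: Dict[str, Dict] = {
    "bad.example.net": {"status": "malicious", "risk_score": 92, "threat_types": ["malware"]},
}


def normalize_domain(raw: str) -> str:
    """Strip the trailing dot Umbrella writes on FQDNs and lowercase, so lookups join."""
    return raw.strip().rstrip(".").lower()


def parse_dns_log(text: str) -> List[Dict]:
    """Parse Umbrella DNS log CSV text into a list of event dicts.

    Uses the csv module rather than str.split so that quoted, comma-containing
    fields (identities, categories) stay intact. Fields beyond the assumed base
    layout are kept under 'extra' instead of being silently dropped.
    """
    events: List[Dict] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < len(DNS_LOG_FIELDS):
            raise ValueError(f"short row ({len(row)} fields): {row!r}")
        ev = dict(zip(DNS_LOG_FIELDS, row[: len(DNS_LOG_FIELDS)]))
        ev["identities"] = [i.strip() for i in ev["identities"].split(",") if i.strip()]
        ev["categories"] = [c.strip() for c in ev["categories"].split(",") if c.strip()]
        ev["domain"] = normalize_domain(ev["domain"])
        ev["extra"] = row[len(DNS_LOG_FIELDS):]
        events.append(ev)
    return events


def enrich(events: List[Dict], lookup: Dict[str, Dict]) -> List[Dict]:
    """Attach threat detail to each event; domains absent from the lookup get status 'unknown'."""
    for ev in events:
        ev["threat"] = dict(lookup.get(ev["domain"], {"status": "unknown"}))
    return events


def needs_attention(events: List[Dict]) -> List[Dict]:
    """Events Umbrella blocked, or that enrichment flagged as malicious even though they were allowed."""
    return [e for e in events if e["action"] == "Blocked" or e["threat"]["status"] == "malicious"]


if __name__ == "__main__":
    enriched = enrich(parse_dns_log(SAMPLE_DNS_LOG), THREAT_LOOKUP)
    for ev in needs_attention(enriched):
        print(ev["timestamp"], ev["policy_identity"], ev["domain"], ev["action"], ev["threat"])
```

The trailing-dot normalization matters in Splunk too: a lookup keyed on the raw domain field will miss every row unless the add-on or your `lookup` definition strips it.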