Installation

Splunk addons, listing

HathMH
Path Finder

First, new to splunk, learning as I go. Oh, BTW, I'm the splunk 'person' now in my org.

Trying to figure out how to get MS Azure Gov into splunk securely. Yay! In preparation for this, I have decided to see about the MS Security Graph app and where it should be installed.

Ok, so today I learned that "Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required" and " you can install any add-on to all tiers of your Splunk platform architecture – search tier, indexer tier, forwarder tier – without any negative impact." Which I got those from the splunk doc site: Where to install Splunk add-ons - Splunk Documentation

Our architecture looks ad-hoc more than anything. We have apps on a search head but not on others, we have apps on 1 or 2 indexers but not the rest. That's just the apps from splunkbase. So now I have this task to create a spreadsheet of which instances have what apps so that I may streamline and make it so across the board.

Question 1: Is it truly best to install an app on all instances, across all tiers? Example, a forensic investigator tool that really only interacts with the splunk portal for (a search head), does it really need to be on forwarders and the indexers?

Question 2: Is there a way to export the list of apps installed on a splunk instance. This is so i can make an easy spreadsheet of what server has what app and then start the task of ensuring that app is spread across the board.

Question 3a: Do I really need all of the MS add-ons? Microsoft Graph Security API add-on for Splunk, Microsoft Sysmon Add-on, Splunk Add-on for Microsoft Windows, Splunk Add-on for PowerShell, TA-microsoft-sysmon_inputs?

Question 3b: I don't really see others that I would have thought would be good like Splunk Add-on for Microsoft Security (by Splunk), Splunk Add-on for Microsoft Office 365 (by splunk), and others. Would it be beneficial to have those?

Question 4: Anyone have experience, do's and don'ts for the Microsoft Graph Security API add-on for Splunk? I have been told this is the app to install and configure to ensure Azure Gov data is brought into splunk securely.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, let's clarify some terminology that may be causing some confusion.  Splunk has "apps" and "add-ons", although "add-ons" are often referred to as "apps" (confused, yet?).   What distinguishes the two is the UI.  Apps have a user interface (dashboard(s)) whereas add-ons do not.  An add-on is used to onboard data, transform it, or enhance it.

In that context, it makes sense to install an add-on on all instance levels since all levels may use the add-on.  It does NOT, however, make sense to install an app on all instance types since no one should be signing in to the indexers and (universal) forwarders don't have a user interface.   Heavy Forwarders are an exception since they have a user interface and often are used to gather data from APIs or SQL databases.

To get a list of apps, run this query from your Monitoring Console:

| rest /servicesNS/-/-/apps/local 
| search * 
| fields title splunk_server
| stats values(title) as title by splunk_server

You probably don't need all of the MS add-ons.  Install the one(s) needed for the data you need to onboard.

I've never used the MS Security Graph app so I can't offer any advice about it.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...