First, I'm new to Splunk, learning as I go. Oh, BTW, I'm the Splunk 'person' now in my org.
Trying to figure out how to get MS Azure Gov into Splunk securely. Yay! In preparation for this, I have decided to see about the MS Security Graph app and where it should be installed.
OK, so today I learned that "Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required" and "you can install any add-on to all tiers of your Splunk platform architecture – search tier, indexer tier, forwarder tier – without any negative impact." I got those from the Splunk doc site: Where to install Splunk add-ons - Splunk Documentation
Our architecture looks ad hoc more than anything. We have apps on one search head but not on the others, and we have apps on 1 or 2 indexers but not the rest. That's just the apps from Splunkbase. So now I have this task to create a spreadsheet of which instances have what apps so that I may streamline and make it consistent across the board.
Question 1: Is it truly best to install an app on all instances, across all tiers? For example, a forensic investigator tool that really only interacts with the Splunk portal (a search head): does it really need to be on the forwarders and the indexers?
Question 2: Is there a way to export the list of apps installed on a Splunk instance? This is so I can make an easy spreadsheet of what server has what app and then start the task of ensuring that app is spread across the board.
Question 3a: Do I really need all of the MS add-ons: Microsoft Graph Security API add-on for Splunk, Microsoft Sysmon Add-on, Splunk Add-on for Microsoft Windows, Splunk Add-on for PowerShell, TA-microsoft-sysmon_inputs?
Question 3b: I don't really see others that I would have thought would be good, like Splunk Add-on for Microsoft Security (by Splunk), Splunk Add-on for Microsoft Office 365 (by Splunk), and others. Would it be beneficial to have those?
Question 4: Does anyone have experience, do's and don'ts, for the Microsoft Graph Security API add-on for Splunk? I have been told this is the app to install and configure to ensure Azure Gov data is brought into Splunk securely.
First, let's clarify some terminology that may be causing some confusion. Splunk has "apps" and "add-ons", although "add-ons" are often referred to as "apps" (confused yet?). What distinguishes the two is the UI. Apps have a user interface (dashboard(s)) whereas add-ons do not. An add-on is used to onboard data, transform it, or enhance it.
In that context, it makes sense to install an add-on on all instance levels since all levels may use the add-on. It does NOT, however, make sense to install an app on all instance types since no one should be signing in to the indexers and (universal) forwarders don't have a user interface. Heavy Forwarders are an exception since they have a user interface and often are used to gather data from APIs or SQL databases.
To get a list of apps, run this query from your Monitoring Console:
| rest /servicesNS/-/-/apps/local
| search *
| fields title splunk_server
| stats values(title) as title by splunk_server
You probably don't need all of the MS add-ons. Install the one(s) needed for the data you need to onboard.
I've never used the MS Security Graph app so I can't offer any advice about it.
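The same apps/local information the REST search above returns is also exposed on each instance's management port, which is handy for building the spreadsheet in Question 2 for instances that are not search peers of the Monitoring Console (heavy forwarders, for example). The script below is an added example, not code from this thread or from Splunk: it pulls /services/apps/local over HTTPS from a list of instances, uses the endpoint's visible flag to label each entry as an app (has a UI) or an add-on (no UI), per the distinction drawn in the answer, and writes one row per app with one column per server. It assumes the management port (8089 by default) is reachable over HTTPS with a verifiable certificate and that an authentication token with read access to apps/local is available; the hostnames, the TA-example_inputs app name and the version strings in the embedded sample payloads are constructed for illustration.

```python
"""Inventory apps and add-ons across Splunk instances and emit a CSV matrix.

Added example, not from the original thread or from Splunk. Assumes each
instance's management port is reachable over HTTPS and that a token with
permission to read /services/apps/local is available. The SAMPLE payloads
below are constructed to mirror the shape of the endpoint's JSON output.
"""
import csv
import io
import json
import ssl
import urllib.request


def fetch_apps(base_url, token, ca_file=None):
    """Return the parsed JSON of /services/apps/local from one instance.

    Uses output_mode=json and Bearer-token auth. Certificate verification is
    deliberately left on: pass the CA that signed the management-port cert
    via ca_file instead of turning verification off.
    """
    url = f"{base_url.rstrip('/')}/services/apps/local?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def parse_apps(payload):
    """Reduce an apps/local payload to {app_folder: {label, version, visible, disabled}}.

    'visible' is what separates an app (navigable UI) from an add-on (no UI).
    """
    apps = {}
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        apps[entry["name"]] = {
            "label": content.get("label", entry["name"]),
            "version": content.get("version", ""),
            "visible": bool(content.get("visible", False)),
            "disabled": bool(content.get("disabled", False)),
        }
    return apps


def build_matrix(per_server):
    """Return (header, rows): one row per app, one column per server.

    Cells read 'enabled', 'disabled', or '' when the app is absent on that
    server, which makes gaps across tiers visible at a glance.
    """
    servers = sorted(per_server)
    all_apps = sorted({name for apps in per_server.values() for name in apps})
    header = ["app", "kind"] + servers
    rows = []
    for name in all_apps:
        is_app = any(per_server[s].get(name, {}).get("visible") for s in servers)
        row = [name, "app" if is_app else "add-on"]
        for s in servers:
            info = per_server[s].get(name)
            row.append("" if info is None else ("disabled" if info["disabled"] else "enabled"))
        rows.append(row)
    return header, rows


def inventory(payloads_by_server):
    """Parse one apps/local payload per server and build the matrix."""
    return build_matrix({s: parse_apps(p) for s, p in payloads_by_server.items()})


def to_csv(header, rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample payloads (hostnames, versions and TA-example_inputs are
# made up; Splunk_TA_windows and splunk_monitoring_console are real app folders).
SAMPLE = {
    "sh1": {"entry": [
        {"name": "Splunk_TA_windows", "content": {"label": "Splunk Add-on for Microsoft Windows", "version": "8.0.0", "visible": False, "disabled": False}},
        {"name": "splunk_monitoring_console", "content": {"label": "Monitoring Console", "version": "9.0.0", "visible": True, "disabled": False}},
        {"name": "TA-example_inputs", "content": {"label": "Example Inputs", "version": "1.0.0", "visible": False, "disabled": True}},
    ]},
    "idx1": {"entry": [
        {"name": "Splunk_TA_windows", "content": {"label": "Splunk Add-on for Microsoft Windows", "version": "8.0.0", "visible": False, "disabled": False}},
    ]},
    "hf1": {"entry": [
        {"name": "TA-example_inputs", "content": {"label": "Example Inputs", "version": "1.0.0", "visible": False, "disabled": False}},
    ]},
}

if __name__ == "__main__":
    # Against live instances: {host: fetch_apps(f"https://{host}:8089", token, ca_file)}
    print(to_csv(*inventory(SAMPLE)), end="")
```

To run it against real hosts, replace SAMPLE with a dict built from fetch_apps() per instance, and keep the token in an environment variable or secret store rather than in the script. The 'kind' column comes straight from the visible flag, so an entry marked add-on on every server is one that can follow the "install everywhere, enable inputs only where needed" guidance, while an app marked visible is a search-head-only candidate.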