- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk addons, listing
First, new to splunk, learning as I go. Oh, BTW, I'm the splunk 'person' now in my org.
Trying to figure out how to get MS Azure Gov into splunk securely. Yay! In preparation for this, I have decided to see about the MS Security Graph app and where it should be installed.
Ok, so today I learned that "Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required" and " you can install any add-on to all tiers of your Splunk platform architecture – search tier, indexer tier, forwarder tier – without any negative impact." Which I got those from the splunk doc site: Where to install Splunk add-ons - Splunk Documentation
Our architecture looks ad-hoc more than anything. We have apps on a search head but not on others, we have apps on 1 or 2 indexers but not the rest. That's just the apps from splunkbase. So now I have this task to create a spreadsheet of which instances have what apps so that I may streamline and make it so across the board.
Question 1: Is it truly best to install an app on all instances, across all tiers? Example, a forensic investigator tool that really only interacts with the splunk portal for (a search head), does it really need to be on forwarders and the indexers?
Question 2: Is there a way to export the list of apps installed on a splunk instance. This is so i can make an easy spreadsheet of what server has what app and then start the task of ensuring that app is spread across the board.
Question 3a: Do I really need all of the MS add-ons? Microsoft Graph Security API add-on for Splunk, Microsoft Sysmon Add-on, Splunk Add-on for Microsoft Windows, Splunk Add-on for PowerShell, TA-microsoft-sysmon_inputs?
Question 3b: I don't really see others that I would have thought would be good like Splunk Add-on for Microsoft Security (by Splunk), Splunk Add-on for Microsoft Office 365 (by splunk), and others. Would it be beneficial to have those?
Question 4: Anyone have experience, do's and don'ts for the Microsoft Graph Security API add-on for Splunk? I have been told this is the app to install and configure to ensure Azure Gov data is brought into splunk securely.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, let's clarify some terminology that may be causing some confusion. Splunk has "apps" and "add-ons", although "add-ons" are often referred to as "apps" (confused, yet?). What distinguishes the two is the UI. Apps have a user interface (dashboard(s)) whereas add-ons do not. An add-on is used to onboard data, transform it, or enhance it.
In that context, it makes sense to install an add-on on all instance levels since all levels may use the add-on. It does NOT, however, make sense to install an app on all instance types since no one should be signing in to the indexers and (universal) forwarders don't have a user interface. Heavy Forwarders are an exception since they have a user interface and often are used to gather data from APIs or SQL databases.
To get a list of apps, run this query from your Monitoring Console:
| rest /servicesNS/-/-/apps/local
| search *
| fields title splunk_server
| stats values(title) as title by splunk_serverYou probably don't need all of the MS add-ons. Install the one(s) needed for the data you need to onboard.
I've never used the MS Security Graph app so I can't offer any advice about it.
If this reply helps you, Karma would be appreciated.
