Splunk integration- Do I need to create an add on?

GuyCo
Observer

Hi to all. I'm working at a startup company providing security solutions.

I started research on how to integrate with Splunk, Splunk ES.

For now, we chose to use the HEC method for delivering the data into Splunk Cloud.

I wanted to ask some questions. 

  1. Do I need to create an add-on?
  2. To integrate with Splunk ES, what are the actions I need to do?

I understand this is the flow of actions:

  • load data using the HEC,
  • parse data normalizing them,
  • eventually, load data in Data Models,
  • if you don't load data In data Models, create your Correlation Searches using indexes.

I'll be happy if someone is able to elaborate more about each topic and tell me if something is missing.


gcusello
SplunkTrust

Hi @GuyCo,

I assumed, in my previous answer, that the use of HEC is mandatory, but I suggest checking whether you can use Universal Forwarders, which are more efficient and reliable.

Anyway, you have to use Add-Ons to parse data.

Usually Add-Ons are installed from Splunkbase, so you won't have any compliance problem; if instead you use custom Add-Ons, they will be checked by Splunk.

About integration with ES, the steps are the ones I described in my previous answer:

  • parse data normalizing them (using the Add-On),
  • eventually, load data in Data Models,
  • if you don't load data In data Models, create your Correlation Searches using indexes.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @GuyCo,

No, parsing is done by the Add-Ons; in fact, ES installation best practices suggest completing data ingestion, using Add-Ons, before ES installation.

ES is the SIEM, but the Data ingestion and normalization is done by the Add-Ons.

The only normalization that is done by ES is data loading in Data Models, that's done using the normalization done in Add-Ons.

In other words, if you don't make a correct parsing and normalization, ES cannot read your data and cannot load them in Data Models and cannot use them in Correlation searches.

Ciao.

Giuseppe

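To make the answers above concrete, here is an added example (not from the thread or from any Splunk add-on) of the minimal add-on configuration that turns a HEC-delivered JSON event into CIM-compliant fields so the ES Authentication data model and its correlation searches can pick it up. The add-on name `TA-vendor-product`, the sourcetype `vendor:product:event`, the vendor field names and the sample payload are all assumed for illustration.

```ini
# Constructed sample HEC payload (POST /services/collector/event) that the
# stanzas below are written for; "time" in the envelope sets _time, and the
# "event" object is what gets indexed and extracted at search time:
# {"time": 1700000000, "sourcetype": "vendor:product:event", "index": "vendor",
#  "event": {"category": "auth", "result": "denied", "src_ip": "10.0.0.5",
#            "target_host": "vpn-gw01", "username": "alice"}}

# --- TA-vendor-product/default/props.conf ---
[vendor:product:event]
# Extract the JSON body as fields at search time
KV_MODE = json
SHOULD_LINEMERGE = false
# Map vendor field names onto CIM Authentication data model field names
FIELDALIAS-vendor_src  = src_ip AS src
FIELDALIAS-vendor_dest = target_host AS dest
FIELDALIAS-vendor_user = username AS user
# CIM expects action to be "success" or "failure"; the vendor sends result=ok|denied
EVAL-action = case(result=="ok", "success", result=="denied", "failure", true(), "unknown")
EVAL-app = "vendor_product"

# --- TA-vendor-product/default/eventtypes.conf ---
# Select only the authentication events from this sourcetype
[vendor_product_authentication]
search = sourcetype="vendor:product:event" category="auth"

# --- TA-vendor-product/default/tags.conf ---
# The Authentication data model accelerates events carrying tag=authentication;
# without this tag (and the fields above) ES correlation searches never see them
[eventtype=vendor_product_authentication]
authentication = enabled
```

After installing the add-on on the search head, `| datamodel Authentication search` returning the sample event with `action=failure`, `src=10.0.0.5`, `dest=vpn-gw01` and `user=alice` confirms the normalization is complete before ES is configured on top of it.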