Security

Splunk integration - Do I need to create an add-on?

GuyCo
Observer

Hi to all. I'm working at a startup company providing security solutions.

I started research on how to integrate with Splunk, Splunk ES.

For now, we chose to use the HEC method for delivering the data into Splunk Cloud.

I wanted to ask some questions. 

  1. Do I need to create an add-on?
  2. To integrate with Splunk ES, what are the actions I need to do?

I understand this is the flow of actions:

  • load data using the HEC,
  • parse data, normalizing them,
  • eventually, load data in Data Models,
  • if you don't load data in Data Models, create your Correlation Searches using indexes.

I'll be happy if someone is able to elaborate more about each topic and tell me if something is missing.

gcusello
SplunkTrust

Hi @GuyCo,

I assumed, in my previous answer, that the use of HEC is mandatory, but I suggest checking whether you can use Universal Forwarders, which are more efficient and sure.

Anyway, you have to use Add-Ons to parse data.

Usually Add-Ons are installed from Splunkbase, so you won't have any compliance problem; if instead you use custom Add-Ons, they will be checked by Splunk.

About integration with ES, the steps are the ones I described in my previous answer:

  • parse data, normalizing them (using the Add-On),
  • eventually, load data in Data Models,
  • if you don't load data in Data Models, create your Correlation Searches using indexes.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @GuyCo,

No, parsing is done by the Add-Ons; in fact, ES installation best practices suggest completing data ingestion, using Add-Ons, before ES installation.

ES is the SIEM, but the data ingestion and normalization is done by the Add-Ons.

The only normalization that is done by ES is data loading in Data Models, and that's done using the normalization done in the Add-Ons.

In other words, if you don't make a correct parsing and normalization, ES cannot read your data, cannot load them in Data Models and cannot use them in Correlation Searches.

Ciao.

Giuseppe

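As an added example (not code from this thread, the asker's product or Splunk), here is a small Python HEC client that builds a batch for the `/services/collector/event` endpoint and refuses events that lack the CIM Authentication fields (`action`, `app`, `src`, `dest`, `user`) an ES data model expects; the `sourcetype` `acme:auth`, the index `security`, the hostname and the sample events are all constructed for the example, and the pre-flight check is a stand-in for the field mapping that the Add-On's props.conf and transforms.conf would normally provide.

```python
import json
import urllib.request

# Minimal CIM Authentication field set assumed for this example; the Add-On
# normally produces these via field aliases / EVAL so ES can fill the data model.
REQUIRED_CIM_FIELDS = ("action", "app", "src", "dest", "user")


def validate_cim(event: dict) -> list:
    """Return the names of required CIM fields that are missing or empty."""
    return [f for f in REQUIRED_CIM_FIELDS if not event.get(f)]


def build_hec_batch(events, sourcetype, index, host):
    """Build one HEC batch: JSON envelopes concatenated back to back (HEC
    accepts this with no separator). Returns (payload_bytes, rejected)."""
    chunks, rejected = [], []
    for ev in events:
        missing = validate_cim(ev)
        if missing:                      # do not ship events ES cannot normalize
            rejected.append((ev.get("_id", "?"), missing))
            continue
        envelope = {
            "time": ev["time"],          # epoch seconds, becomes _time
            "host": host,
            "sourcetype": sourcetype,    # must match the Add-On's props.conf stanza
            "index": index,
            "event": {k: v for k, v in ev.items() if k not in ("time", "_id")},
        }
        chunks.append(json.dumps(envelope, separators=(",", ":")))
    return "".join(chunks).encode("utf-8"), rejected


def send_hec(payload: bytes, hec_url: str, token: str, timeout: int = 10) -> dict:
    """POST the batch; the HEC token travels in the Authorization header."""
    req = urllib.request.Request(
        hec_url, data=payload, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


# Constructed sample input: one normalized SSH failure, one event missing 'user'.
SAMPLE_EVENTS = [
    {"_id": "e1", "time": 1717000000, "action": "failure", "app": "sshd",
     "src": "203.0.113.7", "dest": "bastion01", "user": "alice"},
    {"_id": "e2", "time": 1717000001, "action": "success", "app": "sshd",
     "src": "203.0.113.7", "dest": "bastion01"},
]

if __name__ == "__main__":
    payload, rejected = build_hec_batch(SAMPLE_EVENTS, "acme:auth", "security", "acme-sensor-01")
    print(payload.decode(), "\nrejected:", rejected)
```

Point `send_hec` at your collector URL (for example `https://<hec-host>:8088/services/collector/event`) with a token that has the `security` index allowed; the acknowledgement it returns is the HEC JSON response.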