Welcome to the InfoSec app for Splunk!

The InfoSec App for Splunk is a free app for the Splunk platform which can be downloaded and installed into your Splunk environment. It is available from Splunkbase.

The InfoSec App for Splunk should not be confused with Enterprise Security, Splunk’s premium security solution. Although both are security solutions, the features and capabilities of Enterprise Security are significantly deeper than what is available within the InfoSec app.

The InfoSec app for Splunk is an entry-level (starter) security solution powered by the Splunk platform. It is designed to address the most common security use cases, including continuous monitoring and security investigations. The InfoSec app also includes a number of advanced threat detection use cases that can be further expanded using security resources available for Splunk, such as the Security Essentials app for Splunk from Splunkbase. The Security Essentials app includes hundreds of additional security controls that can be easily integrated into the InfoSec app. Splunk’s Machine Learning Toolkit can be used to enable advanced ML-based correlation searches within the InfoSec app to detect and alert on threats.

The Splunkbase library has 1000+ apps and add-ons from Splunk, our partners, and our community. They can be directly downloaded, installed and configured within your Splunk environment. Splunk Apps provide solutions for many common use cases. They provide specialised insight into your data and systems with pre-configured dashboards, reports, data inputs, and saved searches which can supplement or be integrated with the InfoSec app.

Please visit Splunkbase to see what is available.

Cyber Security is a journey, not a destination. The InfoSec app configuration steps and integrations with Security Essentials, the Common Information Model, and other Splunk apps and add-ons, are foundational steps towards the adoption of Splunk’s Premium security platform, including Enterprise Security and Phantom.

App Goals

The InfoSec app for Splunk aims to achieve the following:

  • Provide an entry-level security solution to new and existing Splunk customers who are not yet ready or able to invest in Splunk’s Enterprise Security platform.
  • Make it easy to direct Splunk’s powerful features towards security.
  • Provide a single pane view of your security events and posture.
  • Allow the user to easily investigate security alerts and incidents.
  • Provide a base security platform that can be customised and expanded to meet your security needs using the additional apps and add-ons from Splunkbase.

Before we start

This documentation is not designed to replace formal training or Splunk’s own documentation. It focusses on the introductory steps and knowledge required to get the InfoSec app up and running in a short amount of time. It assumes the user is fairly new to Splunk and may not have yet grasped many of Splunk’s fundamental concepts. Consider this documentation as a fast-start guide to getting the InfoSec app up and running within your environment. This documentation will introduce you to key Splunk concepts, lightly touching on each. Links will be provided to Splunk’s documentation so you can delve further into Splunk’s capabilities, as required. Although this document focuses on the InfoSec App for Splunk, the topics covered may be applied to other apps and configurations within Splunk.

Topics Covered

  1. Introduction
  2. Concepts
  3. Installation
  4. Configuration
  5. Using the InfoSec App
  6. Support and Troubleshooting