Cisco Security Suite in Splunk

In this blog post, I'll be going over aggregating all of the various security add-ons for Splunk into the Cisco Security Suite. This will be a very short post since most of the work has already been done in our previous Splunk posts.

Some of the prerequisites before we start configuring are to install the following free apps on your Splunk instance:

  • Cisco Security Suite - https://splunkbase.splunk.com/app/525/
  • Cisco ESA Add-On - https://splunkbase.splunk.com/app/1761/

Note: I currently do not have an ESA in my lab, but I found that the WSA dashboards don't render correctly if the event types and sources from the ESA add-on aren't created. So even though we're not configuring anything with the ESA Add-On, it still needs to be installed for some of the dashboards to work correctly.

After you have installed both, click on the Cisco Security Suite in the left-hand panel of your Splunk dashboard. It will take you to a page stating that the app needs to be configured. Continue on to the app setup page.

On the next page, choose the ISE, WSA, Sourcefire, and whatever other add-ons you want to see in this app. In my case, I'll probably add ASA later, so I chose that as well.

After you save it, you'll be taken to the Cisco Security Suite Overview dashboard:

As you can see, this dashboard has dropdowns all along the top to view Web Security, Firepower, ISE, etc. It includes the dashboards from the individual apps along with a few more, and gives you the ability to search across the apps, as you can see below.