VPN | Splunk-Cyences-App-for-Splunk

Cisco Anyconnect Data

The Cisco Endpoint Security Analytics (CESA) Add-on and App are both required for Splunk administrators to analyze and correlate user and endpoint behavior in the Cyences app.

Splunkbase Download Add-on: https://splunkbase.splunk.com/app/4221

Splunkbase Download App: https://splunkbase.splunk.com/app/2992

Installation and Configuration Guide: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html

Note: Configure the index value for VPN Data under the Data Source Macros section in Cyences’ Configuration page.

Fortinet FortiGate Data

If your organization uses FortiGate VPN, then the required data can be collected via Fortigate’s logs. Refer to the Data Onboarding > Network Devices > Fortinet FortiGate section for more information regarding the data collection process.

GlobalProtect (Palo Alto) VPN Data

If your organization is using GlobalProtect VPN, then the required data can be collected via Palo Alto’s logs. Refer to the Data Onboarding > Network Devices > Palo Alto Firewall Logs section for more information regarding the data collection process.

OpenVPN Data from pfsense Firewall

The Technology Add-on for pfSense is required for field extractions.

Splunkbase Download Add-on: https://splunkbase.splunk.com/app/1527

Note: :

Create an index named pfsense or update the cs_pfsense macro definition from Splunk UI (Settings > Advanced Search > Search macros) or update the cs_vpn_indexes macro definition from Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup > VPN).
Create props.conf in local folder of TA-pfsense add-on and add following configuration in it to properly work field extractions.
```
[pfsense]
SEDCMD-event_cleaner3 = 
```

Sophos Firewall VPN Data

If your organization is using Sophos Firewall as VPN, then the required data can be collected via sophos firewall’s logs. Refer to the Data Onboarding > Network Devices > Sophos Firewall Logs section for more information regarding the data collection process.