Cisco Anyconnect Data
The Cisco Endpoint Security Analytics (CESA) Add-on and App are both required for Splunk administrators to analyze and correlate user and endpoint behavior in the Cyences app.
Splunkbase Download Add-on: https://splunkbase.splunk.com/app/4221
Splunkbase Download App: https://splunkbase.splunk.com/app/2992
Installation and Configuration Guide: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html
Note: Configure the index value for VPN Data under the Data Source Macros section in Cyences’ Configuration page.
Fortinet FortiGate Data
If your organization uses FortiGate VPN, then the required data can be collected via Fortigate’s logs. Refer to the Data Onboarding > Network Devices > Fortinet FortiGate section for more information regarding the data collection process.
GlobalProtect (Palo Alto) VPN Data
If your organization is using GlobalProtect VPN, then the required data can be collected via Palo Alto’s logs. Refer to the Data Onboarding > Network Devices > Palo Alto Firewall Logs section for more information regarding the data collection process.
OpenVPN Data from pfsense Firewall
The Technology Add-on for pfSense is required for field extractions.
Splunkbase Download Add-on: https://splunkbase.splunk.com/app/1527
Note: :
- Create an index named pfsense or update the cs_pfsense macro definition from Splunk UI (Settings > Advanced Search > Search macros) or update the cs_vpn_indexes macro definition from Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup > VPN).
- Create props.conf in
local folder
ofTA-pfsense
add-on and add following configuration in it to properly work field extractions.[pfsense] SEDCMD-event_cleaner3 =
Sophos Firewall VPN Data
If your organization is using Sophos Firewall as VPN, then the required data can be collected via sophos firewall’s logs. Refer to the Data Onboarding > Network Devices > Sophos Firewall Logs section for more information regarding the data collection process.