Cisco AnyConnect Data
Both the Cisco Endpoint Security Analytics (CESA) Add-on and the CESA App are required before Splunk administrators can analyze and correlate AnyConnect user and endpoint behavior in the Cyences app.
App Installation
| App | Search Head | Indexer | Heavy Forwarder | UF / Deployment Server | Additional Details |
|---|---|---|---|---|---|
| Cisco Endpoint Security Analytics (CESA) Add-On for Splunk | Required | - | Required | - | Installation and Configuration Guide |
| Cisco Endpoint Security Analytics (CESA) | Required | - | - | - | - |
Note: Create an index for the CESA VPN data, or update the cs_vpn_indexes macro definition in the Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup > VPN) so that it includes the index you are using.
Fortinet FortiGate Data
If your organization uses FortiGate VPN, the required data can be collected from FortiGate's logs. Refer to the Data Onboarding > Network Devices > Fortinet FortiGate section for details of the data collection process.
GlobalProtect (Palo Alto) VPN Data
If your organization uses GlobalProtect VPN, the required data can be collected from Palo Alto's logs. Refer to the Data Onboarding > Network Devices > Palo Alto Firewall Logs section for details of the data collection process.
OpenVPN Data from pfSense Firewall
The Technology Add-on for pfSense (TA-pfsense) is required for field extractions.
Download the add-on from Splunkbase: https://splunkbase.splunk.com/app/1527
Note:
- Create an index named pfsense, or update the cs_pfsense macro definition from the Splunk UI (Settings > Advanced Search > Search macros), or update the cs_vpn_indexes macro definition from the Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup > VPN).
- Create a props.conf in the local folder of the TA-pfsense add-on and add the following stanza to it so that the field extractions work correctly:

[pfsense]
SEDCMD-event_cleaner3 =
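As an added illustration (not configuration shipped by the Cyences app or by TA-pfsense), the following Splunk configuration fragments show how the pieces in the note above fit together: the pfsense index on the indexer, a syslog input on the heavy forwarder that tags the firewall's events with the pfsense sourcetype so the TA-pfsense [pfsense] props stanza (including the SEDCMD from the note) is applied, and the cs_pfsense macro for the case where a different index name is used. The UDP port, the file locations and the macro definition syntax are assumptions made for this example.

```ini
# indexes.conf (indexers), e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/indexes.conf
# Creates the index the pfSense events land in. Name "pfsense" matches the
# default cs_pfsense macro, so no macro change is needed in this case.
[pfsense]
homePath   = $SPLUNK_DB/pfsense/db
coldPath   = $SPLUNK_DB/pfsense/colddb
thawedPath = $SPLUNK_DB/pfsense/thaweddb

# inputs.conf (heavy forwarder that receives the firewall's syslog).
# Port 5140/udp is an assumption for this example. The sourcetype MUST be
# "pfsense": the TA-pfsense props stanza [pfsense] (and the SEDCMD added in
# its local/props.conf) only applies to events carrying that sourcetype.
[udp://5140]
sourcetype      = pfsense
index           = pfsense
connection_host = ip

# macros.conf (search head, local folder of the Cyences app).
# Only needed if the index was NOT named "pfsense"; point the macro at the
# index actually used. The parenthesised definition syntax is an assumption.
[cs_pfsense]
definition = (index=fw_pfsense)
```

After deploying the files (a restart or a debug/refresh of the affected components), confirm that events arrive with the expected sourcetype before looking at any Cyences dashboard, for example with `` `cs_pfsense` sourcetype=pfsense | stats count by host ``. An empty result usually means the input or the sourcetype is wrong, not the macro; check those first.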
Sophos Firewall VPN Data
If your organization uses Sophos Firewall as its VPN, the required data can be collected from Sophos Firewall's logs. Refer to the Data Onboarding > Network Devices > Sophos Firewall Logs section for details of the data collection process.
Estimated Data Size
TODO