Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
--- | ||
layout: default | ||
title: F5 BIGIP | ||
permalink: /data_onboarding/network_devices/f5_bigip/ | ||
nav_order: 6 | ||
parent: Network Devices | ||
grand_parent: Data Onboarding | ||
--- | ||
|
||
## **F5 BIGIP Data** | ||
|
||
The **Splunk Add-on for F5 BIG-IP** addon is required to collect the F5 BIGIP ASM logs. | ||
|
||
Splunkbase Download: | ||
[https://splunkbase.splunk.com/app/2680/](https://splunkbase.splunk.com/app/2680/) | ||
|
||
Installation Guide: | ||
[https://splunkbase.splunk.com/app/2680/#/details](https://splunkbase.splunk.com/app/2680/#/details) | ||
|
||
|
||
## How to Install and Configure the Palo Alto Add-on: | ||
||
|
||
1. Install the Add-on on the Heavy Forwarder. | ||
|
||
2. Configure the Add-on on the Heavy Forwarder. | ||
* Getting data into Splunk [https://splunk.paloaltonetworks.com/getting-data-in.html](https://splunk.paloaltonetworks.com/getting-data-in.html). | ||
* Create an index named **f5** or update the macro definition in Cyences' configuration page. | ||
|
||
3. Install the Add-on on the Search Head. | ||
|
||
## Estimated Data Size | ||
|
||
[comment]: <> (TODO_LATER: add estimated data size) |
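Review bot: the heading `## How to Install and Configure the Palo Alto Add-on:` and the bullet `Getting data into Splunk [https://splunk.paloaltonetworks.com/getting-data-in.html]` in this new F5 BIG-IP page are left over from the Palo Alto page; the heading should read `## How to Install and Configure the F5 BIG-IP Add-on` and the bullet should point at the Splunk Add-on for F5 BIG-IP documentation (the Splunkbase details link given above) rather than the Palo Alto site, otherwise an admin following this page will configure the wrong add-on. Two smaller points: `The **Splunk Add-on for F5 BIG-IP** addon is required` repeats "add-on", so drop the trailing "addon"; and `## Estimated Data Size` contains only the `[comment]: <> (TODO_LATER ...)` placeholder, which Jekyll renders as nothing, so the published page shows an empty section until a figure is added.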
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -34,7 +34,6 @@ There are dependent apps which also need to be installed on the Search Head alon | |
|--------|--------|-------------| | ||
| ES Content Update App | [https://splunkbase.splunk.com/app/3449](https://splunkbase.splunk.com/app/3449) | For some lookups | ||
| Splunk Common Information Model (CIM) | [https://splunkbase.splunk.com/app/1621/](https://splunkbase.splunk.com/app/1621/) | For data models | ||
| Splunk Add-on for RWI - Executive Dashboard | [https://splunkbase.splunk.com/app/5063/](https://splunkbase.splunk.com/app/5063/) | For field extraction (VPN data) | ||
| Flow Map Viz | [https://splunkbase.splunk.com/app/4657](https://splunkbase.splunk.com/app/4657) | For internal network traffic visualization | | ||
|
||
* Note - Additional add-ons are necessary depending on the data present in your Splunk environment. For example, if there is Windows data present, then you need to install and configure the Splunk Add-on for Windows. Please visit the Data Onboarding section for more information. | ||
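Review bot: the header `@@ -34,7 +34,6 @@` shows one row of the dependent-apps table removed, but the rendered view drops the +/- markers so the deleted row is not visible here; the release notes in this same commit state that the `Splunk Add-on for RWI - Executive Dashboard` dependency was removed, so confirm that the row `| Splunk Add-on for RWI - Executive Dashboard | https://splunkbase.splunk.com/app/5063/ | For field extraction (VPN data) |` is the one dropped and that the VPN field extractions it provided are now covered in-app, or the VPN alerts listed in the release notes will lose their fields. Style points: `For some lookups` does not tell an admin which lookups the ES Content Update App supplies, so name them or link to the alerts that use them; and `Please visit the Data Onboarding section for more information.` should be a link to that section rather than prose.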
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,19 +25,19 @@ has_children: true | |
* Added new dashboard named **F5 BIGIP ASM**. | ||
* Added new alert named **F5 BIGIP - Not Blocked Attacks**. | ||
|
||
* Added new alerts for the Sophos Firewall: | ||
* Added new alerts for the **Sophos Firewall**: | ||
* Sophos Firewall - Lost Connection to Sophos Central | ||
* Sophos Firewall - VPN Tunnel Down | ||
* Sophos Firewall - Gateway Down | ||
* Sophos Firewall - Advanced Threat Detected | ||
|
||
* Added new alerts for the MSSQL and Oracle databases: | ||
* Added new alerts for **MSSQL** Database and **Oracle** Database: | ||
* MSSQL - Database Changes | ||
* MSSQL - Role Changes | ||
* Oracle - Database Changes | ||
* Oracle - Role Changes | ||
|
||
* Added new alerts for the Defender ATP: | ||
* Added new alerts for the **Defender ATP**: | ||
* Defender ATP - System is Offboarded | ||
* Defender ATP - System is not Connected since a Week | ||
|
||
|
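Review bot: the three edited bullets only add bold to product names, matching the `**F5 BIGIP ASM**` style at the top of the hunk; one consistency point is that `Added new alerts for **MSSQL** Database and **Oracle** Database:` bolds the vendor but not the word Database, while the Sophos and Defender bullets bold the whole product name, so `**MSSQL Database** and **Oracle Database**` would be uniform. The unchanged alert name `Defender ATP - System is not Connected since a Week` reads oddly; if it mirrors the saved-search title in the app keep it as is, otherwise `for a Week` is the natural phrasing.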
@@ -49,10 +49,6 @@ has_children: true | |
* Authentication - Successful VPN Login Outside Home Country | ||
* Linux - Change in Sudo Access of Local Linux Account | ||
|
||
* Removed the following other app dependent macros and defined related macro in app itself: | ||
* Added **cs_drop_dm_object_name** macro to replace the **drop_dm_object_name** macro. | ||
* Added **cs_cim_authentication_indexes** macro to replace the **cim_Authentication_indexes** macro. | ||
|
||
* Removed **Google Workspace - Suspicious File Shared by External User on Google Drive** alert and related panel from **Google Workspace** dashboard as it contains static lookup causing many false positives. | ||
|
||
* Removed the [Splunk Add-on for RWI - Executive Dashboard](https://splunkbase.splunk.com/app/5063/) app dependency. | ||
|
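Review bot: the header `@@ -49,10 +49,6 @@` drops four lines, which matches removing the `Removed the following other app dependent macros and defined related macro in app itself:` bullet with its two `cs_drop_dm_object_name` and `cs_cim_authentication_indexes` sub-bullets plus a blank line; the same text reappears under `For Splunk Admins` later in this file, so this is a move, not a deletion, and readers of the top-level list no longer see that macros changed. Since the bullet is being relocated anyway, fix its wording at the new location: `defined related macro in app itself` should read `defined the corresponding macros in the app itself`. The bullet `Removed the [Splunk Add-on for RWI - Executive Dashboard](https://splunkbase.splunk.com/app/5063/) app dependency.` must agree with the dependent-apps table edited elsewhere in this commit.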
@@ -89,11 +85,17 @@ has_children: true | |
* Fixed the typo in the macro name from **cs_authentication_vpn_login_attemps_outside_working_hour_filter** to **cs_authentication_vpn_login_attempts_outside_working_hour_filter** | ||
|
||
|
||
* ### For Splunk Admins | ||
|
||
|
||
* Removed the following other app dependent macros and defined related macro in app itself: | ||
* Added **cs_drop_dm_object_name** macro to replace the **drop_dm_object_name** macro. | ||
* Added **cs_cim_authentication_indexes** macro to replace the **cim_Authentication_indexes** macro. | ||
|
||
|
||
## Upgrade Guide from 4.9.0 to 5.0.0 | ||
|
||
* After upgrade, only SOC related alerts will be received to existing configured critical emails. To make more changes, configure the SOC and Compliance teams related configs under **Cyences Settings > Cyences App Configuration > Cyences Alerts Configuration** section. | ||
|
||
* In order to use the sophos firewall alerts, onboard the **sophos_events** data from [Sophos Central Addon for Splunk](https://splunkbase.splunk.com/app/6186/). | ||
* In order to use the sophos firewall alerts, onboard the **sophos_events** data from [Sophos Central Addon for Splunk](https://splunkbase.splunk.com/app/6186/). For more details, refer [Sophos Firewall Data Onboarding]({{ site.baseurl }}/data_onboarding/network_devices/sophos_firewall) | ||
|
||
|
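Review bot: `* ### For Splunk Admins` nests a level-3 heading inside a list item, which renders as a bullet containing a heading; the rest of this file uses plain headings such as `## Upgrade Guide from 4.9.0 to 5.0.0`, so drop the leading `* `. The moved bullet `Removed the following other app dependent macros and defined related macro in app itself:` reads awkwardly; suggest `Replaced macros that depended on other apps with macros defined in this app:`. In the edited Sophos line, `sophos firewall alerts` should be `Sophos Firewall alerts` to match the alert names earlier in the file, and `refer [Sophos Firewall Data Onboarding](...)` should be `refer to [...]`; the `{{ site.baseurl }}` prefix is the right way to build the internal link on this Jekyll site, but it needs a trailing slash to match the `permalink: /data_onboarding/network_devices/f5_bigip/` style used by the new F5 page in this commit, otherwise the link may redirect.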
This seems incorrect