


Collect data across multiple security layers and manage threats quickly. Provide comprehensive protection for your organization.

Endpoint Detection

Pull in endpoint detections to jump start your detection and response workflows.

IT Operations
Cybereason For Splunk

By Cybereason

The Cybereason App for Splunk enables you to gain deep insight and visibility into your endpoints, detect advanced attacks based on AI hunting, and take response actions within Splunk. The Cybereason AI Hunting Engine automatically asks a complex set of questions of data collected from all of your endpoints at a rate of 8 million calculations per second, 24 hours a day, 7 days a week. This means the solution is continuously hunting on your behalf by asking the same sorts of questions advanced security analysts would ask as they hunt for threats inside an environment. The difference, however, is that the Cybereason malicious activity models run constantly, and continually adapt and evolve according to the data the solution receives and analyzes.


Network Detection

Track lateral movement or monitor agentless endpoints, like internet of things or operational technology devices.

IT Operations
Palo Alto Networks App for Splunk

By Palo Alto Networks

Palo Alto Networks and Splunk have partnered to deliver an advanced security reporting and analysis tool. The collaboration delivers operational reporting, configurable dashboard views, and adaptive response across the Palo Alto Networks family of next-generation firewalls, advanced endpoint security, and threat intelligence cloud. The Palo Alto Networks App for Splunk combines the data visibility provided by the Palo Alto Networks security platform with Splunk's extensive investigation and visualization capabilities to deliver advanced security reporting and analysis. This app enables security analysts, administrators, and architects to correlate application and user activities across all network and security infrastructure from a real-time and historical perspective. Complicated incident analysis that previously consumed days of manual and error-prone data mining can now be automated, saving not only manpower but also enabling key enterprise security resources to focus on critical, time-sensitive investigations.


Security, Fraud & Compliance
Darktrace App for Splunk

By Andrew Woodford

Darktrace is the world’s leading machine learning company for cyber security, having developed AI algorithms that mimic the human immune system to defend enterprise networks of all types and sizes. Created by mathematicians from the University of Cambridge, Darktrace’s Enterprise Immune System™ is the first non-consumer application of machine learning to work at scale, across all network types. Installed as a self-configuring cyber defense platform, Darktrace® continuously learns what is ‘normal’ for all devices and users, updating its understanding as the environment changes. The Darktrace Connector for Splunk® Enterprise is designed to interface with a Darktrace appliance to display information about anomalous activity within the enterprise. The app takes JSON syslog input from a Darktrace appliance to display varying severities of security incidents in Splunk and link them to more detailed reports on the Darktrace Threat Visualizer™, allowing for seamless integration between Darktrace and Splunk.


Security, Fraud & Compliance
Cisco StealthWatch Add-On

By Nadhem AlFardan

If you have Cisco StealthWatch and Splunk, a CIM-compatible add-on is required to parse the data properly. This add-on maps events to the Intrusion_Detection data model. It expects the following key-value log format to be configured on the Stealthwatch SMC:

=======================
Lancope|Stealthwatch|Notification: alarm_desc="{alarm_type_description}" details="{details}" dest={target_ip} src={source_ip} start={start_active_time} end={end_active_time} category={alarm_category_name} Alarm_ID={alarm_id} Source_HG={source_host_group_names} Target_HG={target_host_group_names} Source_HostSnapshot={source_url} Target_HostSnapshot={target_url} dest_port={port} transport={protocol} FC_Name={device_name} FC_IP={device_ip} Domain={domain_id} signature={alarm_type_name} vendor_severity={alarm_severity_name} severity_id={alarm_severity_id} alarm_type={alarm_type_id}
=======================

Set the sourcetype to cisco:stealthwatch:alert. Note that only alarm_desc and details are quoted in this template; unquoted values such as category, start and end can contain spaces, so any parser that splits on whitespace alone will break on them.
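Worked example, added here and not part of the add-on: a Python parser for a syslog line in the format above. It locates the Lancope|Stealthwatch|Notification: marker (so other sources sharing the syslog listener are skipped), splits the key-value payload while keeping unquoted values that contain spaces intact, and places the result under CIM-style field names that the template already uses (src, dest, dest_port, transport, signature, category, vendor_severity, severity_id). The sample line, the syslog header, the IANA protocol-number table and the vendor_severity-to-CIM severity mapping are constructed or assumed by me; the add-on's own props.conf and transforms.conf may differ.

```python
"""Parse Cisco Stealthwatch SMC key-value alarm notifications into
CIM Intrusion_Detection-style fields.

Added example, not the add-on's own code: the input follows the template
on the page, but the sample line, the protocol-number table and the
vendor_severity -> CIM severity mapping are assumptions.
"""
import re

MARKER = "Lancope|Stealthwatch|Notification:"

# key=value pairs: a value is either "double-quoted" or runs until the next
# " key=" token, so unquoted values containing spaces (category=Policy Violation,
# start=2023-11-02 10:00:00) still parse as one value, and a quoted value that
# itself contains "x=y" is not split.
_KV_RE = re.compile(
    r'([A-Za-z_]\w*)=(?:"([^"]*)"|(.*?))(?=\s+[A-Za-z_]\w*=|\s*$)')

# IANA protocol numbers -> CIM transport names; {protocol} may already be a name.
_PROTO = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre", "58": "icmpv6"}

# Assumed mapping of Stealthwatch alarm severity names onto CIM severity values.
_SEVERITY = {"critical": "critical", "major": "high", "minor": "medium",
             "trivial": "low", "info": "informational"}


def parse_kv(body):
    """Split the key-value payload; quoted values are unwrapped."""
    out = {}
    for m in _KV_RE.finditer(body):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out[m.group(1)] = value.strip()
    return out


def _groups(value):
    """Split a comma-separated host-group list, dropping empty entries."""
    return [g.strip() for g in value.split(",") if g.strip()]


def parse_alarm(line):
    """Return CIM-style fields for one syslog line, or None when the line is
    not a Stealthwatch notification."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    raw = parse_kv(line[idx + len(MARKER):].strip())
    transport = raw.get("transport", "").lower()
    port = raw.get("dest_port", "")
    return {
        "sourcetype": "cisco:stealthwatch:alert",
        "vendor_product": "Cisco Stealthwatch",
        "src": raw.get("src"),
        "dest": raw.get("dest"),
        "dest_port": int(port) if port.isdigit() else None,
        "transport": _PROTO.get(transport, transport),
        "signature": raw.get("signature"),
        "signature_id": raw.get("alarm_type"),
        "category": raw.get("category"),
        "vendor_severity": raw.get("vendor_severity"),
        "severity_id": raw.get("severity_id"),
        "severity": _SEVERITY.get(raw.get("vendor_severity", "").lower(), "unknown"),
        "dvc": raw.get("FC_IP"),
        "dvc_name": raw.get("FC_Name"),
        "description": raw.get("alarm_desc"),
        "details": raw.get("details"),
        "alarm_id": raw.get("Alarm_ID"),
        "start_time": raw.get("start"),
        "end_time": raw.get("end"),
        "src_host_groups": _groups(raw.get("Source_HG", "")),
        "dest_host_groups": _groups(raw.get("Target_HG", "")),
        "src_snapshot_url": raw.get("Source_HostSnapshot"),
        "dest_snapshot_url": raw.get("Target_HostSnapshot"),
    }


# Constructed sample (not a real capture): syslog header plus the template fields.
SAMPLE = (
    "<134>Nov  2 10:05:01 smc01 Lancope|Stealthwatch|Notification: "
    'alarm_desc="Source host scanned 300 targets on tcp/445" '
    'details="rate=60/min; check for SMB worm" '
    "dest=10.0.1.20 src=10.0.0.5 start=2023-11-02 10:00:00 end=2023-11-02 10:05:00 "
    "category=Policy Violation Alarm_ID=12345 Source_HG=Workstations,Finance "
    "Target_HG=Servers Source_HostSnapshot=https://smc.example.com/host/10.0.0.5 "
    "Target_HostSnapshot=https://smc.example.com/host/10.0.1.20 dest_port=445 "
    "transport=6 FC_Name=fc-01 FC_IP=10.0.0.2 Domain=101 signature=Addr_Scan/tcp "
    "vendor_severity=Major severity_id=3 alarm_type=29"
)

if __name__ == "__main__":
    for key, value in parse_alarm(SAMPLE).items():
        print(f"{key}={value}")
```

The lookahead-based split is the important part: it mirrors what a Splunk EXTRACT regex for this sourcetype has to do, because the SMC template leaves most values unquoted and a whitespace split would truncate category and the timestamps.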


Email Security

See and contain email threats at patient zero before the next user is compromised.

IT Operations
Mimecast for Splunk

By Mimecast Services Ltd

Email continues to be the most widely used attack vector, and data sourced from email activity and attacks is extremely high value for security operations teams. The Mimecast and Splunk integration provides security teams the data they need to identify incidents and attacks and to inform how they need to respond, enhancing the benefits of the Splunk Enterprise investment and ultimately reducing the risk the organization faces. About Mimecast: for organizations concerned about cyber risk and struggling to attract and retain sufficient cybersecurity expertise and budget, Mimecast delivers a comprehensive, integrated solution that addresses the #1 cybersecurity attack vector, email. Mimecast’s Email Security 3.0 solution framework reduces the time, cost and complexity of achieving more complete cybersecurity, compliance and resilience through additional modules, all while connecting seamlessly with other security and technology investments to provide a coherent security architecture.


Server/Cloud Workload Monitoring

Keep an eye on containers and serverless functions in your cloud infrastructure.

IT Operations
Microsoft Azure App for Splunk

By Splunk Works

The Microsoft Azure App for Splunk contains dashboards for data collected from:
- Microsoft Azure Add-on for Splunk
- Splunk Add-on for Microsoft Cloud Services
Check out the Help dashboards for ingestion options for Azure data, and the onboarding guides for app registrations and permission requirements. Dashboards include:
- Subscriptions
- Resources
- Virtual Machines
- Azure Metrics
- Storage Accounts
- Security Monitoring
- Billing Activity (beta)
- Onboarding Guides
It is anticipated that future versions may include additional dashboards and data from other Microsoft Azure services. Want to contribute? Help fix bugs and suggest enhancements to make this app better!



Link attacks to users and proactively block attacks from potentially compromised accounts.

IT Operations
Okta Identity Cloud Add-on for Splunk

By Okta Inc

Using Okta Identity Cloud REST APIs, the Okta Identity Cloud Add-on for Splunk allows a Splunk® administrator to collect data from the Okta Identity Cloud. The Add-on collects data related to:
• Event log information
• User information
• Group and Group Membership information
• Application and Application Assignment information
Using the same REST APIs, this Add-on supports adaptive response actions and custom alerts that enable taking the following actions from Splunk:
• Adding and removing Okta users from groups in Okta
• Performing account lifecycle actions (e.g. suspend, deactivate, expire) on users in Okta
This Add-on provides inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.