How to Install and Configure Infosec Multicloud

The Infosec App for Splunk is your starter security pack. It's designed to address the most common security use cases, including continuous monitoring and security investigations. The new Infosec Multicloud App for Splunk is designed by our field team to help customers that have a cloud environment. In addition to views of security posture across cloud providers, the app includes a billing dashboard for a high level overview of costs spread across your various cloud providers. This article details the steps needed to install and configure the Infosec Multicloud app for Splunk.

^{Security Posture dashboard offers an overview of alerts across multicloud environments.}

^{Continuous monitoring provides visibility into changes made to objects in cloud environments.}

^{Billing dashboard offers comprehensive cost breakout by CSP, including drilldowns to view by service, region, and ability to split by department by using lookups to enrich native CSP data.}

How to Install and Configure Infosec Multicloud App for Splunk 

Installing and configuring the Infosec Multicloud App for Splunk is similar to the steps for the Infosec App. Installing is as simple as downloading off of Splunkbase. The app can be installed on a standalone Splunk server, a Search Head, or a Search Head Cluster. In a distributed environment, this app should be installed only on the Search Head(s) and not Indexers. For Splunk Cloud environments, the app is self-serviceable meaning the app can be deployed to your environment using the Splunk Web UI. To ensure the app can populate correctly there are a certain number of prerequisites, including data sources, Splunk Add-ons, and Data Model acceleration. 

At a minimum, you should have data from one or more cloud service providers (e.g. Amazon Web Services, Azure, GCP, etc) flowing into Splunk. Data must be ingested using the various Splunk Add-ons to ensure that your cloud data is Common Information Model (CIM) compliant. The Splunk Data Manager may be utilized to bring in data, however as it does not provide CIM mapping, the various Add-ons mentioned beforehand must still be installed. If your data is not CIM compliant, the panels will not populate. Since the panels use various data models in their search, it is recommended to ingest data that populates these data models (listed below). Review Splunk add-on documentation to learn more about what inputs populate which data models. For example, view the “Source types for the Splunk Add-on for AWS” page to find which AWS-specific source types map to which data model.

The following free Splunk Add-ons must be installed before you can start using Infosec Multicloud:

• Splunk Common Information Model (CIM)
  
• Punchcard visualization
• Force Directed visualization
• Sankey Diagram visualization
• Treemap - Custom Visualization

Lastly, the following Data Models must be accelerated:

• Alerts
• Authentication
• Change
• Intrusion Detection
• Network Sessions
• Network Traffic
• Endpoint
• Web

Some of the panels within Infosec Multicloud utilize the infosec-cloud-indexes macro in the search. The default value of this macro is: index="*". You are recommended to modify this macro to better match your Splunk configuration.

How to Install/Configure the Billing Dashboard

The Splunk Multicloud Billing Dashboard is populated with billing data from your various cloud providers that you have ingested into Splunk. To populate the Billing Dashboard, you need to bring in your cloud data using Splunk best practices: using the Splunk Add-ons!

Onboarding Billing Data: AWS 

For AWS billing data, it is recommended to utilize the Splunk Add-on for Amazon Web Services. The Splunk Add-on for AWS collects Billing Metrics through CloudWatch and Billing Reports by collecting them from an S3 bucket. You will need to enable AWS to produce Billing Metrics in CloudWatch by turning on Receive Billing Alerts in the Preferences section of the Billing and Cost Management console. In the Add-on, configure your account in the Configurations tab, then navigate to the Inputs tab and configure the Billing inputs.

Onboarding Billing Data: Azure 

To bring in Azure Billing data, the Splunk Add-on for Microsoft Azure is recommended. You will need to configure an Active Directory Application in Azure AD to export billing data using the following instructions in the Microsoft documentation. Afterward, you can configure your account credentials and then start adding in inputs. The billing dashboard uses data from the Azure Billing and Consumption inputs.

Onboarding Billing Data: GCP 

To bring in GCP Billing data, the Splunk Add-on for Google Cloud Platform is recommended. You will need to create a Google Cloud Service account for each project to gather data from Google Cloud Billing. Afterward, within the Add-on, you will need to configure the Google Cloud BigQuery Billing Input with the respective information. 

The Billing dashboard uses a lookup to add department contextual information. To use this lookup, Department_Lookup.csv must be filled in. You must populate this lookup with your various departments and their correlating account_id information. This information is utilized in the "Costs By Department" panel.

Get started with the Infosec Multicloud App for Splunk today. If you are new to Splunk, explore a Security product tour and consider a free trial to learn more.

Additional Resources 

• Source types for the Splunk Add-on for AWS
• Source types for the Splunk Add-on for Amazon Kinesis Firehose
• Source types for the Splunk Add-on for Microsoft Cloud Services
• Source types for the Splunk Add-on for Microsoft Office 365 
• Source types for the Splunk Add-on for Google Cloud Platform
• Source types for the Splunk Add-on for Google Workspace