Splunk for OT Security App (DA-ESS-OTSecurity) Installation
The Splunk for OT Security Solution is packaged as a Splunk App and is available on Splunkbase to Splunk Enterprise Security customers. If you are not an Enterprise Security customer and would like to trial the OT Security Solution, please contact your Splunk sales representative or send an email to otsecurity@splunk.com
Download and install the most recent release of the Splunk OT Security Add-on from Splunkbase.
Single Instance Splunk Deployments
Install the app on the instance of Splunk Enterprise that already has Splunk Enterprise Security installed and configured. Correlation rules are disabled by default and need to be enabled based on your particular use cases.
Distributed Splunk Deployments
Install the app on the search head only. The app is safe to install in large clusters and will not impact indexers, because searches and correlation rules are disabled by default. As correlation rules are enabled, indexer performance may be affected, especially if multiple correlation rules are enabled all at once. It is recommended that rules be enabled as needed and incrementally, to minimize any negative effect on indexer performance.
The app also contains templates for lookup tables. The lookup files related to assets and identities are essential for dashboards and reports to populate correctly.
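To follow the advice above (enable rules incrementally, and avoid switching many on at once), it helps to be able to see which of the app's saved searches are currently enabled and which share a schedule. The script below is an added example, not code from the app or from Splunk: it reads the saved-search list for the DA-ESS-OTSecurity app from the Splunk REST API (`servicesNS/nobody/<app>/saved/searches`, a standard endpoint) and groups the enabled ones by cron schedule. The management port 8089, the environment variables for credentials, and the sample response embedded for offline use are all assumptions constructed for this example; the sample rule names are not real app content.

```python
"""Audit enabled saved/correlation searches of the DA-ESS-OTSecurity app.

Added example (not part of the app or of Splunk's documentation). Assumes a
search head with the REST management port on 8089 and credentials in the
SPLUNK_USER / SPLUNK_PASS environment variables. The sample response below is
constructed to match the JSON shape of Splunk's saved/searches endpoint.
"""
import base64
import json
import os
import ssl
import urllib.request

APP = "DA-ESS-OTSecurity"

# Constructed sample (output_mode=json shape); rule names are made up.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "OT - Constructed Rule A",
         "content": {"disabled": False, "cron_schedule": "*/5 * * * *",
                     "eai:acl": {"app": APP}}},
        {"name": "OT - Constructed Rule B",
         "content": {"disabled": False, "cron_schedule": "*/5 * * * *",
                     "eai:acl": {"app": APP}}},
        {"name": "OT - Constructed Rule C",
         "content": {"disabled": True, "cron_schedule": "0 * * * *",
                     "eai:acl": {"app": APP}}},
        # Visible in the app context but owned by ES itself: filtered out.
        {"name": "ES - Constructed Other Rule",
         "content": {"disabled": False, "cron_schedule": "*/5 * * * *",
                     "eai:acl": {"app": "SplunkEnterpriseSecuritySuite"}}},
    ]
})


def parse_saved_searches(json_text, app=APP):
    """Return the saved searches owned by `app` as dicts with name/enabled/cron.

    The app-scoped endpoint also lists globally shared searches from other
    apps, so entries are filtered on the eai:acl.app field.
    """
    data = json.loads(json_text)
    entries = []
    for entry in data.get("entry", []):
        content = entry.get("content", {})
        if content.get("eai:acl", {}).get("app") != app:
            continue
        entries.append({
            "name": entry["name"],
            "enabled": not content.get("disabled", True),
            "cron": content.get("cron_schedule", ""),
        })
    return entries


def enabled_searches(entries):
    """Names of the searches that are currently enabled."""
    return [e["name"] for e in entries if e["enabled"]]


def by_schedule(entries):
    """Group enabled searches by cron schedule.

    Rules sharing one schedule fire at the same moment, which is the
    'enabled all at once' load the installation note warns about.
    """
    groups = {}
    for e in entries:
        if e["enabled"]:
            groups.setdefault(e["cron"], []).append(e["name"])
    return groups


def fetch_saved_searches(base_url, username, password, verify_tls=True):
    """Fetch the app's saved-search list from a live search head (network)."""
    url = f"{base_url}/servicesNS/nobody/{APP}/saved/searches?output_mode=json&count=0"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def report(entries):
    """Human-readable summary; returns the number of enabled searches."""
    enabled = enabled_searches(entries)
    print(f"{len(enabled)} of {len(entries)} {APP} searches enabled")
    for cron, names in by_schedule(entries).items():
        print(f"  schedule {cron!r}: {len(names)} enabled -> {', '.join(names)}")
    return len(enabled)


if __name__ == "__main__":
    if os.environ.get("SPLUNK_USER") and os.environ.get("SPLUNK_PASS"):
        text = fetch_saved_searches("https://localhost:8089",
                                    os.environ["SPLUNK_USER"],
                                    os.environ["SPLUNK_PASS"])
    else:
        text = SAMPLE_RESPONSE  # offline run on the constructed sample
    report(parse_saved_searches(text))
```

Run it without credentials to see the report on the constructed sample; with SPLUNK_USER and SPLUNK_PASS set it queries the local search head instead. A schedule group with many names is the signal to stagger the cron schedules or enable fewer rules at a time.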
Search Head Clusters
Splunk for OT Security can be installed in an SHC by following the standard installation instructions for the app.
ES Specific Considerations
The Splunk OT Security Solution is a companion app to Splunk Enterprise Security and must be installed alongside Enterprise Security, on both standalone ES search heads and ES search head clusters.
Note on Potential Performance and Other Impacts:
If you save and enable searches included with the app in your environment, you could see changes in the performance of your Splunk deployment.
As is true for all searches in Splunk, the amount of data that you search affects the search performance you see in your deployment. For example, if you search Windows logs for two HMIs or Process Historian Servers, even the most intensive searches in this app add no discernible load to your indexers. If you instead search domain controller logs with hundreds of thousands of users included, you will see an additional load.
The searches included with the app are scheduled to run regularly and leverage acceleration and efficient search techniques wherever possible. In addition, the searches have been vetted by performance experts at Splunk to ensure they are as performant as possible. If you are concerned about resource constraints, schedule any searches you save to run during off-peak times.
You can also configure these searches to run against cached or summary index data. If you have a large-scale deployment, use the lookup cache for "first time seen" searches and select the "High Scale / High Cardinality" option for time series analysis searches.