About the ES solution architecture

Splunk Enterprise Security is a Splunk app that contains a collection of add-ons. In combination, these add-ons provide the dashboards, searches, and tools that summarize the security posture of the enterprise, allowing users to monitor and act on security incidents and intelligence. During the setup process, ES inherits knowledge objects provided by the add-ons included in the Splunk Enterprise Security package.

There are three types of add-ons for Enterprise Security: domain add-ons (DAs), supporting add-ons (SAs), and technology add-ons (TAs). This type division is a naming convention, not a strict technical differentiation. The naming convention indicates the primary contributions of that add-on to the overall solution.

  • DAs typically contain dashboards and other views, along with search objects that populate them.
  • SAs can contain a variety of files but typically do not contain data inputs.
  • TAs often contain data inputs, as well as files that help normalize and prepare that data for display in Enterprise Security.

This image represents Splunk Enterprise Security as a stacked list of file types. In order from top to bottom, the file types are data models, dashboards and views, correlation searches, saved searches and macros, lookups, adaptive response actions, tags and event types, props and transforms, indexes, and inputs. Along the side, brackets indicate the range of file types typically included in each type of add-on. SAs typically include all file types except inputs. DAs typically include dashboards and views, correlation searches, saved searches and macros, and lookups. TAs typically include lookups, adaptive response actions, tags and event types, props and transforms, indexes, and inputs.

Enterprise Security depends on all three types of add-ons; if any of them is missing, part of its functionality is unavailable.

Domain add-ons

A domain add-on (DA) provides views into the security domains. The DAs included with Splunk Enterprise Security contain search knowledge for investigation and summarization of security-relevant data. Each domain includes summary dashboards that give an overview of security metrics, along with search views to drill down to more detailed information. These views act as interactive starting points to investigate and explore the data to discover abnormal behavior.

Supporting add-ons

A supporting add-on (SA) provides the intermediary knowledge and normalization layer of the Enterprise Security solution architecture. SAs contain a variety of file types to support other parts of the architecture and frameworks. In Enterprise Security, the SA layer contains the schemas used to map data sources into the Common Information Model for analysis through data models. SAs also host the information about assets and identities along with the searches to correlate that data and provide alerts and other events to the domains.

Technology add-ons

A technology add-on (TA) collects and formats incoming data for use in Enterprise Security and other apps. TAs can also provide adaptive response actions for the Adaptive Response framework. TAs are the most common type of add-on and are often simply called add-ons, with no reference to a type.

A TA provides a layer of abstraction that forms the link between data from specific technologies, such as McAfee data or Juniper firewall logs, and the higher-level configurations in Enterprise Security. TAs also contain search-time knowledge mappings that assign fields and tags to the data to be used by the search layer.
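The following is an added example, not part of this page or of any add-on shipped by Splunk, that shows what the TA layer described here and the SA layer described above (the CIM data models) look like on disk. It assumes a hypothetical add-on named TA-acme_firewall, a constructed sourcetype acme:fw, a constructed log format, and an index and file path chosen for illustration. The example maps the vendor's own field names onto Common Information Model field names and tags the events so that the Network_Traffic data model (whose root constraint is tag=network tag=communicate) picks them up without any change to ES itself.

```ini
# Constructed sample line that this add-on parses (not from a real device):
# 2024-05-01T10:15:02Z fw01 ALLOW src=10.1.2.3 spt=51234 dst=93.184.216.34 dpt=443 proto=TCP bytes=1240

# --- TA-acme_firewall/default/inputs.conf (hypothetical path; shipped disabled) ---
[monitor:///var/log/acme-fw/*.log]
sourcetype = acme:fw
index = firewall
disabled = 1

# --- TA-acme_firewall/default/props.conf ---
[acme:fw]
# Index-time settings: one event per line, timestamp at the start of the line
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
# Search-time extraction: pull the vendor fields out with the transforms.conf stanza below
REPORT-acme_fw_fields = acme_fw_fields
# Search-time CIM normalization: alias vendor names to the Network_Traffic field names
FIELDALIAS-acme_fw_src = src_ip AS src
FIELDALIAS-acme_fw_dest = dst_ip AS dest
FIELDALIAS-acme_fw_src_port = spt AS src_port
FIELDALIAS-acme_fw_dest_port = dpt AS dest_port
# CIM expects lowercase transport values and the fixed action vocabulary allowed/blocked
EVAL-transport = lower(proto)
EVAL-action = case(verdict=="ALLOW", "allowed", verdict=="DENY" OR verdict=="DROP", "blocked", true(), "unknown")

# --- TA-acme_firewall/default/transforms.conf ---
[acme_fw_fields]
# Named capture groups become field names; no FORMAT line is needed for this style of extraction
REGEX = ^\S+\s+(?<dvc>\S+)\s+(?<verdict>ALLOW|DENY|DROP)\s+src=(?<src_ip>\S+)\s+spt=(?<spt>\d+)\s+dst=(?<dst_ip>\S+)\s+dpt=(?<dpt>\d+)\s+proto=(?<proto>\S+)\s+bytes=(?<bytes>\d+)

# --- TA-acme_firewall/default/eventtypes.conf ---
[acme_fw_traffic]
search = sourcetype=acme:fw (verdict=ALLOW OR verdict=DENY OR verdict=DROP)

# --- TA-acme_firewall/default/tags.conf ---
# These two tags are what the Network_Traffic data model's root search looks for
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled

# --- TA-acme_firewall/metadata/default.meta ---
# Without export = system the extractions and tags stay private to the TA and
# are invisible to Enterprise Security and to the CIM data models
[]
access = read : [ * ], write : [ admin ]
export = system
```

Two checks a practitioner would run after installing such an add-on: first, `sourcetype=acme:fw | table _time action src dest dest_port transport bytes tag` should show the CIM field names populated and both tags present on every event; second, `| tstats count from datamodel=Network_Traffic where sourcetype=acme:fw by All_Traffic.action` should return non-zero counts once the data model has accelerated the new events. If the first search works and the second returns nothing, the usual causes are a missing `export = system`, a tag applied to the wrong eventtype, or an action value outside the vocabulary the data model's constraints expect.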

For a list of the add-ons included with ES, see Technology-specific add-ons provided with Enterprise Security.