Integrate Splunk with Microsoft Defender for IoT
This article describes how to integrate Splunk with Microsoft Defender for IoT, in order to view both Splunk and Defender for IoT information in a single place.
Viewing both Defender for IoT and Splunk information together provides SOC analysts with multidimensional visibility into the specialized OT protocols and IIoT devices deployed in industrial environments, along with ICS-aware behavioral analytics to rapidly detect suspicious or anomalous behavior.
If you're integrating with Splunk, we recommend that you use Splunk's own OT Security Add-on for Splunk. For more information, see:
- The Splunk documentation on installing add-ins
- The Splunk documentation on the OT Security Add-on for Splunk
The OT Security Add-on for Splunk is supported for both cloud and on-premises integrations.
Cloud-based integrations
Tip
Cloud-based security integrations provide several benefits over on-premises solutions, such as centralized, simpler sensor management and centralized security monitoring.
Other benefits include real-time monitoring, efficient resource use, increased scalability and robustness, improved protection against security threats, simplified maintenance and updates, and seamless integration with third-party solutions.
To integrate a cloud-connected sensor with Splunk, we recommend that you use the OT Security Add-on for Splunk.
On-premises integrations
If you're working with an air-gapped, locally managed sensor, you might also want to configure your sensor to send syslog files directly to Splunk, or use Defender for IoT's built-in API.
For more information, see:
On-premises integration (legacy)
This section describes how to integrate Defender for IoT and Splunk using the legacy, CyberX ICS Threat Monitoring for Splunk application.
Important
The legacy CyberX ICS Threat Monitoring for Splunk application is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions.
For customers using the legacy CyberX ICS Threat Monitoring for Splunk application, we recommend using one of the following methods instead:
- Use the OT Security Add-on for Splunk
- Configure your OT sensor to forward syslog events
- Use Defender for IoT APIs
Microsoft Defender for IoT was formally known as CyberX. References to CyberX refer to Defender for IoT.
Prerequisites
Before you begin, make sure that you have the following prerequisites:
| Prerequisites | Description |
|---|---|
| Version requirements | The following versions are required for the application to run: - Defender for IoT version 2.4 and above. - Splunkbase version 11 and above. - Splunk Enterprise version 7.2 and above. |
| Permission requirements | Make sure you have: - Access to a Defender for IoT OT sensor as an Admin user. - Splunk user with an Admin level user role. |
Note
The Splunk application can be installed locally ('Splunk Enterprise') or run on a cloud ('Splunk Cloud'). The Splunk integration along with Defender for IoT supports 'Splunk Enterprise' only.
Download the Defender for IoT application in Splunk
To access the Defender for IoT application within Splunk, you need to download the application from the Splunkbase application store.
To access the Defender for IoT application in Splunk:
Navigate to the Splunkbase application store.
Search for
CyberX ICS Threat Monitoring for Splunk.Select the CyberX ICS Threat Monitoring for Splunk application.
Select the LOGIN TO DOWNLOAD BUTTON.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for