articles/defender-for-iot/organizations/tutorial-splunk.md
17 additions & 15 deletions
@@ -2,7 +2,7 @@
2
2
title: Integrate Splunk with Microsoft Defender for IoT
3
3
description: This article describes how to integrate Splunk with Microsoft Defender for IoT for multidimensional visibility across OT protocols and IIoT devices.
4
4
ms.topic: how-to
5
-
ms.date: 09/06/2023
5
+
ms.date: 12/21/2023
6
6
ms.custom: how-to
7
7
---
8
8
@@ -12,6 +12,13 @@ This article describes how to integrate Splunk with Microsoft Defender for IoT,
12
12
13
13
Viewing both Defender for IoT and Splunk information together provides SOC analysts with multidimensional visibility into the specialized OT protocols and IIoT devices deployed in industrial environments, along with ICS-aware behavioral analytics to rapidly detect suspicious or anomalous behavior.
14
14
15
+
If you're integrating with Splunk, we recommend that you use Splunk's own [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151). For more information, see:
16
+
17
+
-[The Splunk documentation on installing add-ins](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall)
18
+
-[The Splunk documentation on the OT Security Add-on for Splunk](https://splunk.github.io/ot-security-solution/integrationguide/)
19
+
20
+
The OT Security Add-on for Splunk is supported for both cloud and on-premises integrations.
21
+
15
22
## Cloud-based integrations
16
23
17
24
> [!TIP]
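Review bot: the link text on new line 17, "[The Splunk documentation on installing add-ins]", says "add-ins" while the target path (Documentation/AddOns) and the product name used on the same lines ("OT Security Add-on for Splunk") both use "add-on"; suggest "installing add-ons" so the terminology matches. The recommendation sentence and the two-link list added here at new lines 15-18 are the same text that the next hunk removes from old lines 23-26, so the "Cloud-based integrations" sentence at new line 30 could point back to this paragraph rather than restate the recommendation.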
@@ -20,34 +27,29 @@ Viewing both Defender for IoT and Splunk information together provides SOC analy
20
27
> Other benefits include real-time monitoring, efficient resource use, increased scalability and robustness, improved protection against security threats, simplified maintenance and updates, and seamless integration with third-party solutions.
21
28
>
22
29
23
-
If you're integrating a cloud-connected OT sensor with Splunk, we recommend that you use Splunk's own [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151). For more information, see:
24
-
25
-
-[The Splunk documentation on installing add-ins](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall)
26
-
-[The Splunk documentation on the OT Security Add-on for Splunk](https://splunk.github.io/ot-security-solution/integrationguide/)
27
-
30
+
To integrate a cloud-connected sensor with Splunk, we recommend that you use the [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151).
28
31
29
32
## On-premises integrations
30
33
31
-
If you're working with an air-gapped, locally managed OT sensor, you need an on-premises solution to view Defender for IoT and Splunk information in the same place.
32
-
33
-
In such cases, we recommend that you configure your OT sensor to send syslog files directly to Splunk, or use Defender for IoT's built-in API.
34
+
If you're working with an air-gapped, locally managed sensor, you might also want to configure your sensor to send syslog files directly to Splunk, or use Defender for IoT's built-in API.
34
35
35
36
For more information, see:
36
37
37
38
-[Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md)
38
39
-[Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)
39
40
40
-
41
-
42
41
## On-premises integration (legacy)
43
42
44
-
This section describes how to integrate Defender for IoT and Splunk using the legacy, on-premises integration.
43
+
This section describes how to integrate Defender for IoT and Splunk using the legacy, [CyberX ICS Threat Monitoring for Splunk](https://splunkbase.splunk.com/app/4313) application.
45
44
46
45
> [!IMPORTANT]
47
-
> The legacy Splunk integration is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions. For customers using the legacy integration, we recommend moving to one of the following methods:
46
+
> The legacy **CyberX ICS Threat Monitoring for Splunk** application is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions.
47
+
>
48
+
> For customers using the legacy CyberX ICS Threat Monitoring for Splunk application, we recommend using one of the following methods instead:
48
49
>
49
-
> - If you're integrating your security solution with cloud-based systems, we recommend that you use the [OT Security Add-on for Splunk](#cloud-based-integrations).
50
-
> - For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events, or use Defender for IoT APIs](#on-premises-integrations).
50
+
> - Use the [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151)
51
+
> - Configure your OT sensor to [forward syslog events](how-to-forward-alert-information-to-partners.md)
52
+
> - Use [Defender for IoT APIs](references-work-with-defender-for-iot-apis.md)
51
53
52
54
Microsoft Defender for IoT was formally known as [CyberX](https://blogs.microsoft.com/blog/2020/06/22/microsoft-acquires-cyberx-to-accelerate-and-secure-customers-iot-deployments/). References to CyberX refer to Defender for IoT.
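Review bot: new line 34 says "send syslog files directly to Splunk", but the linked item at new line 51 says "forward syslog events", and syslog forwarding sends messages rather than files; use "syslog events" in both places. In the unchanged context at line 54, "was formally known as CyberX" should read "formerly known as". Since the IMPORTANT block at new lines 46-52 ties continued support for the legacy application to sensor version 23.1.3, it would also help to state explicitly that customers who stay on the legacy application cannot move to later sensor versions, so that the migration to one of the listed methods is planned before the next upgrade.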