Installing and configuring the Infosec Multicloud App is similar to installing and configuring the Infosec App. The app can be installed on a standalone Splunk server, a Search Head or a Search Head Cluster. In a distributed environment, this app should be installed only on the Search Head(s) and not on Indexers. For the app to populate correctly, several prerequisites must be met: data sources, Splunk Add-ons and Data Model acceleration.
At a minimum, you should have data coming from one or more cloud service providers (e.g. Amazon Web Services, Azure, GCP). This data must be ingested using the various Splunk Add-ons in order to ensure that your cloud data is Common Information Model (CIM) compliant. If your data is not CIM compliant, the panels will not populate.
The following free Splunk Add-ons must be installed before you can start using Infosec Multicloud:
Lastly, the following Data Models must be accelerated:
Updated to be cloud compatible
Infosec Multicloud v1.1.0 includes a cloud billing dashboard. In order to populate this dashboard:
1) Billing data must be ingested (using Splunk supported add-ons)
2) Treemap visualization must be installed
3) The Department_Lookup.csv lookup must be filled in. You will need to populate this lookup with your departments and their corresponding account_id information. This information is used in the "Costs By Department" panel.
Initial release of Infosec Multicloud