High-level procedure to integrate Data Protection Advisor with Splunk
From the Data Protection Advisor UI, navigate to “Policies” and select “CREATE POLICY” to create an analysis policy with analysis rules and policy-based actions as shown in Figure 45.
In the policy-based actions, select “EDIT POLICY-BASED ACTIONS” and enable the event log action “Write an event to the Windows Event Log” as shown in Figure 46.
In the Analysis Rules, select “ADD/REMOVE RULES” to add the analysis rules as shown in Figure 47.
As an example, a sample analysis policy “Cyber Threat Anomaly Detection” is created with analysis rules and policy-based action as shown in Figure 48 and Figure 49.
Note: When creating an analysis policy, it is recommended to start with one rule and build the policy up incrementally. If all rules are enabled at once, you may be flooded with alerts.
Apply the analysis policy to groups, objects, and child objects as required. In this example, as shown in Figure 50, the analysis policy is applied to the object “PowerProtect Data Manager Software”.
A receiver is the Splunk instance that receives data from the forwarder. To enable the receiver, from the Splunk web UI, navigate to “Settings” and select “Forwarding and Receiving” as shown in Figure 51.
As shown in Figure 52, in the “Receive data” section, click “Add new” next to the “Configure receiving” option.
Enter the port as “9997” in the “Listen on this port” section as shown in Figure 53. The conventional receiver port configured on indexers is port 9997.
Figure 54 shows successful receiving port configuration from the Splunk UI.
Download the Splunk universal forwarder from splunk.com and copy it to the Data Protection Advisor application server. On the Data Protection Advisor application server, execute the MSI file to start the installation.
Check the box to accept the “License Agreement” and choose the option “An on-premises Splunk Enterprise instance”. Click “Customize Options” as shown in Figure 55.
As shown in Figure 56, click “Next” after verifying the installation directory.
On the Certificate Information page, click “Next” as a best practice as shown in Figure 57.
As shown in Figure 58, run the Universal Forwarder as the “Local System” user and click Next.
From the “Windows Event Logs”, select “Application Logs” as shown in Figure 59.
As shown in Figure 60, enter the credentials for the administrator account.
In the Deployment Server page, select Next as shown in Figure 61.
In the Receiving Indexer pane, enter a hostname or IP address and the receiving port as shown in Figure 62 for the receiving indexer that you want the universal forwarder to send data to and click Next.
Click Install to proceed with the installation as shown in Figure 63.
The installer runs and displays the Installation Completed dialog box as shown in Figure 64. The universal forwarder automatically starts.
From the Splunk web UI, select the option “Search & Reporting” as shown in Figure 65.
In the “New Search” section, enter the keywords to search for and select the time range over which you want to perform this search.
For example, all Cyber Threat events are categorized with event code 4096 in the Windows Application log.
Searching for “EventCode=4096” returns all the corresponding events, as shown in Figure 66.
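The following script is an added example, not part of the original procedure or of Dell or Splunk code: it parses a constructed sample of Windows Application log records in the multi-line key=value layout that Splunk's Windows event log input produces, applies the same filter as the “EventCode=4096” search, and counts alerts per message so that a single rule flooding the index (the risk noted above) is easy to spot. Field names other than EventCode, the source name “DPA Analysis Engine”, the host name, and the message text are assumptions.

```python
"""Filter and summarise forwarded Windows Application log events by EventCode."""
from collections import Counter

# Constructed sample: three Application-log records as the forwarder would
# send them. Field names other than EventCode are assumed, not from the page.
SAMPLE_EVENTS = """\
LogName=Application
SourceName=DPA Analysis Engine
EventCode=4096
ComputerName=dpa-app01.example.local
Message=Cyber Threat Anomaly Detection: backup size change exceeded threshold

LogName=Application
SourceName=Windows Error Reporting
EventCode=1001
ComputerName=dpa-app01.example.local
Message=Fault bucket, type 0

LogName=Application
SourceName=DPA Analysis Engine
EventCode=4096
ComputerName=dpa-app01.example.local
Message=Cyber Threat Anomaly Detection: backup size change exceeded threshold
"""


def parse_events(raw: str) -> list:
    """Split blank-line-delimited records into dicts of key=value fields."""
    events = []
    for block in raw.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def threat_events(events: list, code: str = "4096") -> list:
    """Equivalent of the Splunk search EventCode=4096."""
    return [e for e in events if e.get("EventCode") == code]


def alert_counts(events: list) -> Counter:
    """Count alerts per message text; a noisy rule dominates this table."""
    return Counter(e.get("Message", "") for e in events)


def flooding_rules(events: list, threshold: int) -> list:
    """Return message texts whose alert count reaches the threshold."""
    return [msg for msg, n in alert_counts(events).items() if n >= threshold]
```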