Installing Splunk Enterprise Security Premier

  • Review the compatibility and regional availability matrices for each of the following products included in Splunk Premier, where applicable:
  • Follow these planning steps prior to installing Splunk Enterprise Security:
    • Download the Splunk Enterprise Security Essentials app version 8.3 or higher from Splunkbase. For more information, see Download Splunk Enterprise Security.
    • Ensure that you have installed Splunk Platform version 10 or higher. For more information on platform considerations to install Splunk Enterprise Security, see Splunk Enterprise platform considerations.
    • Plan the mapping of data sources to comply with the Splunk Common Information Model (CIM), collect asset and identity information, optimize the volume, type, and number of data sources based on your overall Splunk platform architecture, and plan the number and placement of forwarders, the estimated load, and the impact on network resources. For more information on data source planning, see Data source planning for Splunk Enterprise Security.
    • Review the minimum software and hardware requirements for a single instance deployment of Splunk Enterprise Security. For more information, see Minimum specifications for a production deployment. If you want to scale your deployment, also review the hardware, indexer, log size, and search head considerations. For more information, see Considerations for scaling deployments.
    • Review additional deployment requirements to install Splunk Enterprise Security in a single instance and distributed search environment. For more information, see Deploy Splunk Enterprise Security in a single instance and distributed search environment.
    • If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the deploymentclient.conf file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation will not complete.
    • Your user account must have the admin role and the edit_local_apps capability. The admin role is assigned that capability by default.
    • Approximately 3 GB of free space is required in the /tmp/ directory for the installation or upgrade to complete. When installing or upgrading an app through either the CLI or Splunk Web UI, the /tmp/ directory is used during the process.
    • Optimize the performance of Splunk Enterprise Security prior to deploying the app by reviewing some guidelines and constraints. For more information, see Performance reference for Splunk Enterprise Security.
  • Review the requirements to install Splunk UEBA. For more information, see Installing UEBA for Splunk Enterprise Security.
  • Follow these planning steps prior to installing Splunk SOAR:
    • Ensure that your user account has the admin role and the edit_local_apps capability. The admin role is assigned that capability by default.
    • Review the available on-prem installation options for Splunk SOAR. For more information, see How can Splunk SOAR (On-premises) be installed?
    • Download and register Splunk SOAR. For more information, see Get Splunk SOAR (On-premises).
    • Review the minimum software and hardware requirements for your intended deployment of Splunk SOAR (On-premises), such as a single instance deployment, a single instance deployment with external supporting services, or a clustered deployment. If you are planning to deploy using Splunk SOAR (Cloud), hardware and software requirements are managed for you by Splunk. For more information, see General system requirements.
    • Review the list of ports that must be open to inbound traffic and the internet endpoints that must be accessible to use Splunk SOAR (On-premises). Use these tables to design the firewall rules for your deployment. For more information, see Splunk SOAR (On-premises) ports and endpoints.
    • Review the licensing for pairing Splunk SOAR with Splunk Enterprise Security. For more information, see Licensing.
    • Review the pre-pairing requirements for pairing Splunk SOAR with Splunk Enterprise Security. For more information, see Prepare to pair.
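The following pre-flight script is an added example, not Splunk's own tooling. It checks three of the Splunk Enterprise Security planning requirements above on the search head before you start the install: at least 3 GB free in /tmp, Splunk platform version 10 or higher, and no leftover deploymentclient.conf that still points at a deployment server. It assumes SPLUNK_HOME is set to the Splunk install directory and that the `splunk version` CLI output starts with the word "Splunk" followed by the version string.

```shell
#!/bin/sh
# Added pre-flight check for the ES install prerequisites listed above.
# Assumes SPLUNK_HOME points at the Splunk Enterprise install directory.

# Free kilobytes on the filesystem that holds the given path (default /tmp).
free_kb() {
  df -Pk "${1:-/tmp}" | awk 'NR==2 {print $4}'
}

# Return 0 when at least 3 GB (3145728 KiB) is free at the given path,
# which is what the app install/upgrade needs in /tmp.
tmp_ok() {
  [ "$(free_kb "$1")" -ge 3145728 ]
}

# Return 0 when the version string in $1 (e.g. "10.0.1") has major version >= 10.
version_ok() {
  major=${1%%.*}
  [ "$major" -ge 10 ] 2>/dev/null
}

# Read the installed platform version from the splunk CLI ("Splunk 10.0.1 (build ...)").
installed_version() {
  "$SPLUNK_HOME/bin/splunk" version | awk '{print $2}'
}

# Print every deploymentclient.conf under the given Splunk etc/ directory
# that still references a deployment server; return 1 if any is found.
# The planning list above says such files must be removed before installing.
deployment_clients() {
  found=0
  for f in "$1"/system/local/deploymentclient.conf \
           "$1"/apps/*/local/deploymentclient.conf \
           "$1"/apps/*/default/deploymentclient.conf; do
    [ -f "$f" ] || continue
    if grep -qi 'targetUri' "$f"; then
      echo "deploymentclient.conf still references a deployment server: $f"
      found=1
    fi
  done
  return $found
}

# Run all checks when executed directly with SPLUNK_HOME set; exit non-zero on any failure.
preflight() {
  rc=0
  tmp_ok /tmp || { echo "need 3 GB free in /tmp"; rc=1; }
  version_ok "$(installed_version)" || { echo "Splunk platform 10 or higher required"; rc=1; }
  deployment_clients "$SPLUNK_HOME/etc" || rc=1
  return $rc
}
```

Run it as `SPLUNK_HOME=/opt/splunk sh preflight.sh && preflight` on the search head; each failing check prints its reason so you can fix it before downloading the app.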
Note: Contact Splunk Support if you want to upgrade to Splunk Enterprise Security Premier from Splunk Enterprise Security Essentials.
If you have Splunk Enterprise Security installed, you can upgrade to a higher version. To upgrade to Splunk Enterprise Security version 8.3 or higher, see the product documentation:
Note: This topic focuses on the on-premises installation process of Splunk Enterprise Security Premier. If you are in a Splunk cloud environment, Splunk Support manages the installation process. If you are in an on-premises environment, you must be an experienced user capable of installing, configuring, and administering Splunk software to follow the installation process. If you need training on the Splunk platform and Splunk Enterprise Security, see Education Courses for Enterprise Security Customers.
Install Splunk Enterprise Security
  1. Create a backup copy of the pre-upgrade version of Splunk Enterprise Security on your system as a precaution. For more information, see Back up and restore Splunk Enterprise Security in a search head cluster environment.
  2. Install Splunk Enterprise Security on a single search head or in a search head cluster environment. For more information, see Install Splunk Enterprise Security and Installing Enterprise Security in a search head cluster environment.
  3. Download and deploy technology add-ons on the forwarders based on your configuration. For more information, see Deploy technology add-ons to Splunk Enterprise Security.
  4. Install and configure the Splunk App for Stream on the Splunk Enterprise Security search head to capture and analyze network traffic data. For more information, see Integrate Splunk Stream with Splunk Enterprise Security.
  5. Configure and deploy custom indexes for event storage. For more information, see Configure and deploy indexes for Splunk Enterprise Security.
  6. Assign users, roles, and capabilities for Splunk Enterprise Security. For more information, see Users and roles for Splunk Enterprise Security and Capability reference for Splunk Enterprise Security. You can also manage custom roles and capabilities in Splunk Enterprise Security. For more information, see Add custom roles and manage capabilities in Splunk Enterprise Security.
  7. Configure data models to populate dashboards and views and provide detection results. For more information, see Configure data models for Splunk Enterprise Security.
Configure Threat Intelligence Management
  1. Determine if Threat Intelligence Management (Cloud) complies with your organizational standards. For more information, see Determining if Threat Intelligence Management (Cloud) complies with your organization’s standards.
  2. Get started with Threat Intelligence Management by configuring data source integrations and threat lists. For more information, see Overview of threat intelligence in Splunk Enterprise Security.
Configure Splunk AI Assistant for Security
  1. Choose whether you want to opt out of data sharing for the AI Assistant. For more information, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.
  2. Select between Frontier or Splunk-hosted models for the AI Assistant to use based on your organization's compliance requirements. For more information, see Choose which models the AI Assistant uses in Splunk Enterprise Security.
Install Splunk SOAR
  1. Install Splunk SOAR (On-premises). For more information, see Install Splunk SOAR (On-premises) as an unprivileged user. Based on your installation, perform the appropriate step in the following list:
  2. Pair Splunk Enterprise Security with Splunk SOAR. For more information, see Pair Splunk Enterprise Security with Splunk SOAR.
Install Splunk UEBA
  1. Install Splunk UEBA on Splunk Enterprise Security. For more information, see Installing UEBA for Splunk Enterprise Security.
  2. Review the configuration checklist to set up UEBA. For more information, see Configuration checklist for UEBA in Splunk Enterprise Security.
  3. Configure the asset and identity data for UEBA in Splunk Enterprise Security to link detections to the correct users and devices. For more information, see Configure asset and identity data for UEBA in Splunk Enterprise Security.