Overview

Details

The ObserveIT (Proofpoint) On-Prem Technology Add-On for Splunk provides security analysts and investigation teams with powerful user activity meta-data and smart user behavior alerts. By correlating this powerful user context with other data sources in Splunk, a complete picture of users’ activity will emerge, allowing for creation of smarter alerts and quicker threat elimination.

Data collected by ObserveIT On-Prem TA can be searched using the Search App or ObserveIT (Proofpoint) On-Prem App for Splunk.

INSTALLATION AND CONFIGURATION

Refer to the http://files.observeit.com/docs/Splunk-ObserveIT-User-Guide.pdf">User Guide or follow instructions below.

REQUIREMENTS

Hardware Requirements:
Refer to http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements">System Requirements document
Software Requirements:
- ObserveIT version 7.5.1 and up
- Splunk Enterprise v8.0+ or Splunk Cloud
- Splunk KV store should be enabled

LIMITATIONS

Add-on installation on SHC is not supported
Starting with version 2.3.x the addon requires SSL validation.
"Disable SSL validation=true" defined in previous versions will be ignored and CA certificate chain will be required if OIT server certificate is signed by the organization's CA

INSTALLATION INSTRUCTIONS

Installing on stand-alone Splunk instance
Refer to http://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall">Splunk Documentation for instructions
Installing TA-ObserveIT in a distributed Splunk Enterprise deployment
Install the TA on a non-clustered search head or a heavy forwarder.

CONFIGURATION

Open TA-ObserveIT app
Optional: If proxy is required for connecting to ObserveIT API - navigate to
Configuration -> Proxy tab and configure proxy before defining inputs.
Navigate to "Inputs" tab and click "Create New Input"

Fill in the fields

Name                  Descriptive name
Interval              API polling interval in seconds
Index                 Destination index. Either select index name from a 
                      drop-down list or type index name. Make sure the index 
                      exists at your deployment's indexing tier before saving
                      input configuration.
Reports API URL       ObserveIT API URL.Non-secure connections are not 
                      supported. 
                      e.g.: https://_MACHINE_NAME_/v2/apis/report;realm=observeit/reports
Client ID             ObserveIT API token. To obtain the token: 
                      1. Navigate to https://_MACHINE_NAME_/v2/apps/portal/home.html
                      2. Press on 'Credentials' tab
                      3. Press on 'Create App' button
                      4. Press on the create application name
                      5. Press on Generate Token button
                      6. Look for "access_token" in JWN Token area
Client Secret         Client secret for Client ID above
Historical Data ...   To include existing events on your system, select the time period 
                      you want to go back to. 
                      Select None, if you want only new events to be loaded
Collected reports     Reports data to collect. Can "User Activity", "Alerts", etc... 
CA Certificate Chain  CA certificate (mandatory). You must provide the path to CA certificate 
                      chain file, relative to $SPLUNK_HOME. Default CA certificates will be 
                      used if no file name provided. 
                      Example: cer\itmdemo-sales-demo-ca.cer

TROUBLESHOOTING

Search ta_observeit_observeit_api.log for non-INFO messages:
index=_internal sourcetype="ta:observeit:log" NOT "INFO"

SUPPORT

For support configuring or using the ObserveIT Add-On for Splunk, please
contact us at oit-support@proofpoint.com. Support is provided during weekday
business hours (US, West Coast)

For help using the ObserveIT platform, please contact the ObserveIT support
organization. https://www.observeit.com/support/

LICENSE

TA-ObserveIT is provided under Apache License version 2.0

CREDITS

The TA was created using Splunk Add-on Builder App. http://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Thirdpartysoftwarecredits">Third-party software credits

Release Notes

Version 3.2.0

Feb. 6, 2025

Added support for report types:
– Audit Configuration
– Audit Logins
– Audit Saved sessions
– Audit Session Playback
– System Events
– User DBA Activity
– User Messaging Actions Activity
– User Session

Rebuilt with recent AOB version

Version 3.0.0

July 11, 2024

Checkpoints migrated to KV store
Splunk Cloud installations are now supported

Version 2.3.4

May 6, 2024

Version 2.3.3

Jan. 17, 2024

Added option to specify CA certificate.
CA certificate chain must be supplied if OIT server certificate is signed by customer's own CA
SSL validation is now mandatory. After upgrade to v2.3.x "SSL validation=false" setting defined in previous versions will be ignored and data will not be collected unless a CA certificate is supplied

Version 2.2.1

Nov. 17, 2021

python3-only version

2,669

Downloads

Share Subscribe

Version

Built by

ObserveIT Ltd

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate

App Contents: Inputs