SentinelOne App For Splunk

The SentinelOne App For Splunk allows a SentinelOne administrator or analyst to interact with the SentinelOne product.

SentinelOne Documentation

Allows a SentinelOne administrator or analyst to interact with the SentinelOne product.

Version 5.2.6
Build 20250303
Splunk Enterprise Versions 9.4, 9.3, 9.2
Platforms Splunk Enterprise, Splunk Cloud
Splunkbase Url https://splunkbase.splunk.com/app/5433
Author Aplura, LLC

License

Apache License, Version 2.0 https://www.apache.org/licenses/LICENSE-2.0.txt

Copyright 2020-2024, Sentinel Labs, Inc.

Initial Application Configuration

SentinelOne is configured from the Application Configuration menu option under the Administration menu.

Macros

SentinelOne includes the following macros that control dashboard searches.

  • None

Sourcetype Definitions

Sourcetype | SentinelOne API | Description
sentinelone:channel:agents | web/api/v2.1/agents | S1 Agent information
sentinelone:channel:activities | web/api/v2.1/activities | S1 Console Activities
sentinelone:channel:threats:event | web/api/v2.1/threats/<threat_id>/explore/events | Get all threat events
sentinelone:channel:applications | web/api/v2.1/installed-applications | Get Application Inventory
sentinelone:channel:threats | web/api/v2.1/threats | Get the S1 Threats
sentinelone_app_for_splunk:error:event | Internal Error Logging | Errors that occur during threat event processing.
sentinelone_app_for_splunk:error | Internal Error Logging | Errors that occur during processing.
sentinelone:error | Internal Error Logging | Deprecated
sentinelone:channel:groups | web/api/v2.1/groups | Get S1 Groups
sentinelone:channel:applications:cve | web/api/v2.1/installed-applications/cves | Get known CVEs for applications that are installed on endpoints with Application Risk-enabled Agents
sentinelone:channel:application_management:risks | web/api/v2.1/application-management/risks | Get Application risks
sentinelone:channel:application_management:inventory | web/api/v2.1/application-management/inventory | Get Application Inventory

Dashboards

SentinelOne includes the following dashboards.
- Application Configuration
  - Allows the Splunk admin to configure the inputs for ingestion.
- Application Health Overview (under the Administration menu option)
  - Use this page to get health and status information about any alerts, events, or API errors. View total_failures, messages, and severity level for each instance.
- Network
  - This dashboard shows Agent information over time, as well as group information.
- Threats
  - This dashboard gives an overview of threat information in the console.
- Manage Agents Overview
  - This dashboard provides the ability to manage Sentinel agents.
- Manage Threats Overview
  - This dashboard provides the ability to manage incidents/threats.

Saved Searches

SentinelOne includes the following saved searches. These searches need to be run in order to populate the management host and site name dropdowns on the dashboards. Fields from these lookups are also used in the dashboard panels.

  • sentinelone_groups_lookup_generation
    • Search for populating the groups lookup with site id and site name
    • This should be enabled prior to enabling the inputs
    • It may need to be run once over "all time" to do the initial import of groups.
  • sentinelone_lookup_generation
    • Search for populating the agents lookup
    • This should be enabled prior to enabling the inputs
    • It may need to be run once over "all time" to do the initial import of agents.
  • sentinelone_activity_types_lookup_generation
    • Queries the API for the current list of Activity Types.
    • A best guess is made for unknown values.
    • Re-populates the sentinelone_activity_types lookup with the latest information.
    • Must be enabled after install.

SentinelOne Inputs

SentinelOne includes the following channels for the SentinelOne inputs. Make sure the interval schedules are reviewed prior to enablement.

These inputs use cron schedules; the inputs.conf documentation can be found here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

To specify a cron schedule, use the following format:
  • "<minute> <hour> <day of month> <month> <day of week>"
  • Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
  • The cron implementation for data inputs does not currently support names of months or days.

  • Applications
    • Interval: Recommended at no more than once per hour. ``0 * * * *``
  • Groups
    • Interval: Recommended at no more than once per day. ``0 0 * * *``
  • Threats
    • Interval: Environment dependent. Smaller environments may be able to support every minute ``* * * * *``.
  • Agents
    • Interval: Recommended at no more than once per day. ``0 0 * * *``
  • Activities
    • Interval: Environment dependent. Smaller environments may be able to support every minute ``* * * * *``.
  • Risks
    • Interval: Environment dependent. Smaller environments may be able to support every minute ``* * * * *``.

About Lockfile Usage

The lock files were introduced to address a specific issue in Splunk Cloud environments where modular inputs were not completing before the next execution interval, causing data to never fully process. In multi-process environments like Splunk Cloud, modular inputs could start a new run on a different search head before the previous one finished, leading to duplication of efforts, incomplete data ingestion, and missed checkpoints. The lock file mechanism was added to prevent multiple instances of the same modular input from running simultaneously, ensuring that one input completes and writes out the checkpoint before another starts. This avoids the overload caused by pulling large amounts of data, especially in environments with high volumes of threats or agents.

'Splunk Victoria' is the type of environment in which the lock files are needed.

In all other environments, where the App is NOT installed on a Search Head cluster, each run of an input pulls from the API and completes before the next interval reaches out to the API again, so lock files are not needed. Decide accordingly when configuring the inputs on the Application Configuration page.

Note: If the lockfile checkbox is enabled, the duration of the lockfile must be provided in seconds. The valid range for the lockfile duration is between 300 and 3600 seconds, inclusive. If you need the lockfile but require a different duration, you can provide any value by updating the configuration, or alternatively modify the inputs.conf file to change the duration value.
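The lease behaviour described above, written out as an added example rather than the app's own implementation: a lock is only reclaimed once the configured duration has passed, so a duration shorter than a real run lets two instances overlap, while one longer than the schedule interval only delays recovery after a hung run. The lock file name, function names and the injectable clock are assumptions; the 300-3600 second bounds come from the note above.

```python
"""Lease-style lock file for a scheduled modular input.

Added example, not the app's own code. A run takes the lock only when none
exists or the holder's lease (the configured duration) has expired, which is
what lets a run that hung on another search head be reclaimed. Path and
function names are assumptions; the clock is injectable for reproducibility.
"""
import os
import tempfile
import time

LOCK_MIN_SECONDS = 300   # bounds stated in the configuration note above
LOCK_MAX_SECONDS = 3600


def validate_duration(seconds):
    """Accept only the 300-3600 s window the configuration page allows."""
    seconds = int(seconds)
    if not LOCK_MIN_SECONDS <= seconds <= LOCK_MAX_SECONDS:
        raise ValueError(f"lockfile duration must be {LOCK_MIN_SECONDS}-"
                         f"{LOCK_MAX_SECONDS} seconds, got {seconds}")
    return seconds


def lock_age(path, now=None):
    """Seconds since the lock was written; infinite if missing or unreadable."""
    now = time.time() if now is None else now
    try:
        with open(path) as fh:
            _pid, started = fh.read().split()
        return now - float(started)
    except (FileNotFoundError, ValueError):
        return float("inf")


def acquire_lock(path, duration, now=None):
    """Return True if this run may proceed, False if a live lock is held."""
    now = time.time() if now is None else now
    try:
        # O_EXCL makes creation atomic, so two racing runs cannot both win.
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        if lock_age(path, now) < duration:
            return False  # another run is still inside its lease
        release_lock(path)  # lease expired: the previous run hung or died
        return acquire_lock(path, duration, now)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{os.getpid()} {now:.0f}\n")
    return True


def release_lock(path):
    """Remove the lock at the end of a successful run (idempotent)."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def demo(duration=600):
    """One lease lifecycle with a fixed clock; returns the acquire outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sentinelone_threats.lock")  # assumed name
        t0 = 1_700_000_000
        first = acquire_lock(path, duration, now=t0)          # fresh start
        overlap = acquire_lock(path, duration, now=t0 + 120)  # interval fired early
        stale = acquire_lock(path, duration, now=t0 + duration + 1)  # hung run reclaimed
        release_lock(path)
        return [first, overlap, stale]
```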

Input Field Filtering

SentinelOne can include or exclude specific fields when retrieving SentinelOne Inputs. Field filtering is configured on the Fields tab of the Application Configuration dashboard. You may specify fields that should be included for a channel, or fields that should be excluded for a channel. If no filtering is defined for a channel, all fields are included by default.

When filtering nested JSON fields, specify the field name with a "." between each key (e.g. activeDirectory.computerMemberOf). This matches the example below.

{"activeDirectory": {"computerMemberOf": "CN=global"}}

A wildcard is supported for arrays of information (activeDirectory.*.computerMemberOf). This matches the example JSON below.

{"activeDirectory": [{"computerMemberOf": "CN=global"}, {"computerMemberOf": "CN=global"}]}
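The two matching rules above, applied as an added example rather than the app's own code: filter_event walks a record with the dotted paths, treats "*" as every element of an array, and accepts both an include list and an exclude list on one call (the app configures one or the other per channel). The function names and the sample agent record are constructed for illustration.

```python
"""Dotted-path include/exclude filtering for SentinelOne input records.

Added example, not code from the SentinelOne App For Splunk. It applies the
matching rules documented above: "." between nested keys and "*" for every
element of an array. Names and the sample record are constructed.
"""
import copy

_MISSING = object()  # sentinel: the path selected nothing at this position


def _keep(obj, paths):
    """Copy of obj holding only the values that some path selects."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            sub = [p[1:] for p in paths if p and p[0] == key]
            if not sub:
                continue
            # An exhausted path ([]) selects the whole value under this key.
            kept = copy.deepcopy(val) if [] in sub else _keep(val, sub)
            if kept is not _MISSING:
                out[key] = kept
        return out or _MISSING
    if isinstance(obj, list):
        sub = [p[1:] for p in paths if p and p[0] == "*"]
        if not sub:
            return _MISSING
        if [] in sub:
            return copy.deepcopy(obj)
        kept = [k for k in (_keep(i, sub) for i in obj) if k is not _MISSING]
        return kept or _MISSING
    return _MISSING  # scalar reached while the path still had keys left


def _drop(obj, paths):
    """Copy of obj with every value that some path selects removed."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            sub = [p[1:] for p in paths if p and p[0] == key]
            if [] in sub:
                continue  # this key is excluded outright
            out[key] = _drop(val, sub) if sub else copy.deepcopy(val)
        return out
    if isinstance(obj, list):
        sub = [p[1:] for p in paths if p and p[0] == "*"]
        if [] in sub:
            return []
        return [_drop(i, sub) for i in obj] if sub else copy.deepcopy(obj)
    return obj


def filter_event(event, include=(), exclude=()):
    """No filters keeps every field; include narrows, then exclude prunes."""
    result = copy.deepcopy(event)
    if include:
        kept = _keep(result, [p.split(".") for p in include])
        result = {} if kept is _MISSING else kept
    if exclude:
        result = _drop(result, [p.split(".") for p in exclude])
    return result


# Constructed sample agent record; the values are not real S1 output.
SAMPLE_AGENT = {
    "id": "1000000000000000001",
    "computerName": "WS-0001",
    "activeDirectory": {"computerMemberOf": "CN=global", "computerDistinguishedName": "CN=WS-0001"},
    "networkInterfaces": [
        {"name": "eth0", "inet": ["10.0.0.5"], "physical": "00:11:22:33:44:55"},
        {"name": "eth1", "inet": [], "physical": "00:11:22:33:44:56"},
    ],
}
```

Note that the wildcard only descends into arrays: activeDirectory.*.computerMemberOf does not match the first (object) example, exactly as the two documented cases imply.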

Adaptive Alert Actions

SentinelOne includes the following adaptive alert actions.

  • Network Control
    • Allows the Splunk admin to manage the network status for an agent.
    • Action
      • Connect or disconnect
    • Management Host
      • The Management host to use (from search results)
    • Site ID
      • Site Id field
    • Agent ID
      • Agent Id field
  • Threat Control
    • Allows the Splunk admin to configure the incident status and analyst verdict for a threat.
    • Incident Status
      • Unresolved, In Progress, or Resolved
      • In order to set the incident status to Resolved, a verdict must be specified
    • Analyst Verdict
      • Undefined, True Positive, Suspicious, False Positive
    • Management Host
      • The Management host to use (from search results)
    • Site ID
      • Site Id field
    • Threat ID
      • Threat Id field

Custom Commands

SentinelOne includes the following custom commands.

  • sentineloneagentaction
    • Allows the Splunk admin to manage the network status for an agent.
    • action_type
      • Connect or disconnect
    • management
      • The Management host to use (from search results)
    • site_id
      • Site Id field (defaults to siteId)
    • agent_id
      • Agent Id field (defaults to id)
    • Sample Usage
      • index=sentinelone sourcetype="sentinelone:channel:agents" | fields id siteId | eval siteId=siteId."", management="testhost.sentinelone.net" | stats values(*) as * by id | sentineloneagentaction action_type=connect
  • sentinelonethreataction
    • Allows the Splunk admin to configure the incident status and analyst verdict for a threat.
    • status
      • Incident status: Unresolved, In Progress, or Resolved
      • In order to set the incident status to Resolved, a verdict must be specified
    • verdict
      • Undefined, True Positive, Suspicious, False Positive
    • management
      • The Management host to use (from search results)
    • site_id
      • Site Id field (defaults to siteId)
    • threat_id
      • Threat Id field (defaults to id)
    • Sample Usage
      • index=sentinelone sourcetype="sentinelone:channel:threats" | fields id siteId | eval siteId=siteId."", management="testhost.sentinelone.net" | stats values(*) as * by id | sentinelonethreataction status=resolved verdict=false_positive
  • sentineloneapi
    • Allows the SentinelOne API to be queried for specific actions
    • management
      • The Management host to use (from search results)
    • Current Features
      • activity_types: pulls the activity types from the configured APIs.
    • Sample Usage
      • | rest "/servicesNS/-/sentinelone_app_for_splunk/configs/conf-authhosts" splunk_server=local | fields + url | rename url as management | sentineloneapi activity_types

Monitoring Console Health Checks

SentinelOne includes the following health checks in the Monitoring Console health check list (default/checklist.conf).

  • SentinelOne_HealthCheck
  • Provides basic Yes/No if there is SentinelOne data present.

Legacy Data

This extension introduces new sourcetypes that are more in line with best practices. If the extension is being upgraded from an existing version of the SentinelOne app, these instructions can be followed to allow "overlap" of the data sources. Each of the different sourcetypes follows the same procedure to enable searching on the old data concurrently with the new data.

The steps are as follows, and should be done in local/eventtypes.conf:

  1. Update and enable the legacy index event type sentinelone_legacy_index with the index that contains the legacy data.

Agents

  • Update and enable the sentinelone_legacy_agents event type.
  • Add sentinelone_legacy_agents to the sentinelone_agents event type:
    eventtype IN (sentinelone_updated_agents, sentinelone_legacy_agents)

Threats

  • Update and enable the sentinelone_legacy_threats event type.
  • Add sentinelone_legacy_threats to the sentinelone_threats event type:
    eventtype IN (sentinelone_updated_threats, sentinelone_legacy_threats)

Activities

  • Update and enable the sentinelone_legacy_activities event type.
  • Add sentinelone_legacy_activities to the sentinelone_activities event type:
    eventtype IN (sentinelone_updated_activities, sentinelone_legacy_activities)

Groups

  • Update and enable the sentinelone_legacy_groups event type.
  • Add sentinelone_legacy_groups to the sentinelone_groups event type:
    eventtype IN (sentinelone_updated_groups, sentinelone_legacy_groups)

Lookups

The SentinelOne App contains the following lookup files.

Transform | Filename | Description
sentinelone_activity_types | sentinelone_activity_types_5.2.0.csv | Describes SentinelOne Activity Types

Scripts and binaries

Filename | Description
Diag.py | Assists in diag creation for support.
cim_actions.py | Splunk Alert Actions support script
s1_client.py | Class to allow access to S1 in support of Mod inputs and Alert actions
s1_upgrader.py | Modular input run on startup to check and upgrade the app.
sentinelone.py | Modular Input script file.
AlertAction.py | Helper file for Alert Actions
ModularInput.py | Helper file for Modular Inputs
Utilities.py | Helper file for Utilities
version.py | Technical version of the app.
sentinelone-network-control.py | Script for the Network Control adaptive alert action.
sentinelone-threat-control.py | Script for the Threat Control adaptive alert action.
sentinelone_cmd_agent_action.py | Script for the Agent Control custom command.
sentinelone_cmd_threat_action.py | Script for the Threat Control custom command.
s1_alert_action.py | Class with base Alert Action object
s1_command.py | Class with base Search Command object
s1_utilities.py | Class with specific S1 related utilities
app_properties.py | Dynamically generated to help with multiple classes and loggers
_paths.py | Global import to target lib folder.

Event Generator

SentinelOne does not include an event generator.

Acceleration

  • Summary Indexing: No

  • Data Model Acceleration: No

  • Report Acceleration: No

Indexed Fields

There is one indexed field:

  • siteName

Upgrader

SentinelOne includes an updater to assist in upgrades to the app. It is a modular input with stanza s1_upgrader://DF945543-967A-4488-975E-757F4D5E2B41.

Known Issues

Versions prior to 5.2.0 have the following known issues:

  • Due to changes in S1 API parameter enforcement, enhancing inputs with "Threat Events" may cause errors.
    • Affected S1 Management Consoles: W#91 or newer

WORKAROUND: This is a code update. In the file s1_client.py, find the line

resp = self.s1_mgmt.threat_explore.get_events(threat_id)

Update this line to read:

resp = self.s1_mgmt.threat_explore.get_events(threat_id, limit=1000)

This will resolve the error and allow threat event ingest.

Version 5.2.6 of SentinelOne has the following known issues:

  • If the mgmt_sdk log outputs at any level, the search command will fail with "Error in command: Invalid message received from external search command during search, see search.log".
    • This occurs only in the final phase of execution. The command most likely functions correctly prior to that.

Installation

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all the Splunk Enterprise system requirements apply.

Download

Download SentinelOne at https://splunkbase.splunk.com/app/5433.

Deployment Guide

Note: Do not install Add-Ons and Apps on the same system.

Release Notes

Version 5.2.6
March 4, 2025
  • Changes
    • Implemented automatic input restarts if the data ingestion process is delayed or gets stuck for more than 25 hours. This ensures the system remains responsive by automatically restarting the input.

Version 5.2.5
Feb. 5, 2025
  • Changes
    • Removed the system status check API call from the Modular inputs.
    • Updated Python dependencies to the latest versions: Splunk SDK to 2.1.0 and six to 1.17.0.
    • Updated the 'Manage Threats' table query to facilitate updates to the Management, ComputerName and Username field values.

Version 5.2.4
Oct. 25, 2024
  • Bug Fix
    • Fixed the threat and agent actions.
  • Changes
    • Updated the lock file mechanism; it is now user configurable.

Version 5.2.3
Sept. 10, 2024
  • Bug Fix
    • The Index dropdowns will support more than 30 indexes.
    • Fixed incorrect JS import on certain dashboards.
  • Changes
    • Updated lock timeout to 1h (3600 seconds)
    • Updated retry options

Version 5.2.2
June 14, 2024
  • Bug Fix
    • The Index dropdowns will support more than 30 indexes.

Version 5.2.1
April 16, 2024
  • Improvements
    • The "Applications" input for S1 Cloud Management Consoles will consume the inventory of applications.
      • There is no change for On-Prem S1 Management Consoles.
  • New Feature
    • The "Risk" input will allow for CVE based inventory of Applications.
      • This will not work on On-Prem S1 Management Consoles.
  • Bug Fix
    • For extremely large threat events, with storyline events enabled, the input may cause a concurrency issue when running in Splunk Cloud stacks.
      • A "lock file" has been implemented to alleviate the concurrency issues.
    • A max of 1000 threat events will be pulled for any given threat.

Version 5.2.0
Jan. 18, 2024
  • Improvements
    • Modular Inputs have been changed to cron intervals.
    • CIM 5.1 review
    • Applications input uses a new S1 API endpoint to reduce load on ingest.
    • Threats are now enhanced with STAR Details (if applicable)
  • Splunk Cloud
    • Updated lookups to versioned, to allow lookups to be updated in Splunk Cloud
    • Retry on Errors
  • New Features
    • Command sentineloneapi allows a user to query for updated API calls
    • Saved Search sentinelone_activity_types_lookup_generation

Version 5.1.10
Aug. 28, 2023
  • Make the option Verify SSL enabled by default

Version 5.1.9
Dec. 15, 2022
  • Updated Field Options dropdown to not discard already configured values

Version 5.1.8
Oct. 20, 2022
  • Updated base index configuration section on Application Configuration setup page.
    • Upgrade Note: Original configuration values will work, but should be re-configured to support the new UI component.
  • Fixed: For certain inputs, adding a filtering field configuration caused only a single event to be returned. This has been rectified to return all items.

Version 5.1.7
Sept. 21, 2022
  • Updated the Filtering of nested json fields

Version 5.1.6
July 11, 2022
  • Added field filtering to data ingestion

Version 5.1.5
May 13, 2022
  • Added apl_logging configuration file to drive the logging tab for the TA/IA add ons.

Version 5.1.4
May 9, 2022
  • Updated Manage Agents to use correct agent id field, and better verbiage on errors.
  • Increased base limit of api pulls to 1000 (200 for groups API)
  • Added a Logging tab to enable log levels on configured items via UI.
  • Removed guid from Modular Input logging file name.

Version 5.1.3
Jan. 25, 2022
  • Updated app.conf for simple trigger reloads
  • Updated Application Configuration Page to correctly update API token
  • Updated Application Configuration Page to simplify base index configuration
  • Updated Diag collection to account for non-standard Splunk install locations

Version 5.1.2
Aug. 31, 2021
  • Updated proxy setting configurations to support multiple proxy types.
  • Updated dashboards for jQuery 3.5 compatibility requirements.

