Version: Next

Splunk Enterprise Security (ES)

NetFlow Optimizer (NFO) enhances Splunk Enterprise Security (ES) by providing enriched, high-fidelity flow data that is fully compatible with the Splunk Common Information Model (CIM).

1. Requirements

To integrate NFO with Splunk Enterprise Security, you must install the Technology Add-on (TA) for NetFlow in your Splunk environment.

  • Download: TA-netflow on Splunkbase
  • Role: The TA ensures that enriched flow data is correctly mapped to the Network Traffic and Intrusion Detection CIM data models used by Enterprise Security.

2. The Power of Enriched Data

Standard flow data often provides only raw IP addresses, making security investigations difficult. When NFO processes your flow data before it reaches Splunk ES, it attaches critical context:

  • Identity Enrichment: DNS names, VM names, and User IDs.
  • Geographic Context: Source and Destination country/location.
  • Reputation Data: Identification of communication with known malicious actors.

3. Enhancing ES Dashboards

By using NFO-enriched data, your security team can utilize standard Splunk ES features with much higher visibility:

  • Incident Review: Accelerate triage by seeing hostnames and user identities directly in the notable event details.
  • Traffic Search: Run more effective investigative searches using contextual fields rather than just IP ranges.
  • Protocol Analysis: Use NFO’s deep packet inspection (DPI) summaries to identify non-compliant protocol usage within the ES "Network Traffic" dashboards.

4. Verification

To verify the integration, ensure that data is appearing in the CIM-compliant data models:

| datamodel Network_Traffic search 
| head 10

Confirm that fields such as src_category, dest_hostname, and user are being populated by the NFO output.
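As an added example (not part of the NFO documentation or product), the following Python script turns the manual check above into a repeatable one: it takes a constructed JSON-style sample of events, such as the rows the Network_Traffic search would export, and reports how many carry the base flow fields versus the NFO enrichment fields (src_category, dest_hostname, user), flagging records that arrived without any enrichment. The sample values and the 80% threshold are assumptions.

```python
"""Check that exported CIM Network_Traffic events carry NFO enrichment fields."""
import json
from typing import Dict, List

# Base fields every flow record should carry, plus the enrichment fields the
# integration page says NFO populates (standard CIM Network_Traffic names).
BASE_FIELDS = ("src_ip", "dest_ip", "dest_port", "transport")
ENRICHED_FIELDS = ("src_category", "dest_hostname", "user")

# Constructed sample of exported Network_Traffic rows; not real NFO output.
SAMPLE_EVENTS: List[Dict] = [
    {"src_ip": "10.1.4.22", "dest_ip": "10.1.9.5", "dest_port": 443, "transport": "tcp",
     "src_category": "workstation", "dest_hostname": "intranet.example.internal",
     "user": "jdoe"},
    {"src_ip": "10.1.4.23", "dest_ip": "203.0.113.7", "dest_port": 53, "transport": "udp",
     "src_category": "workstation", "dest_hostname": "resolver.example.net", "user": ""},
    # Raw flow record that reached Splunk without passing through NFO enrichment.
    {"src_ip": "10.1.4.24", "dest_ip": "198.51.100.9", "dest_port": 22, "transport": "tcp"},
]


def _present(event: Dict, field: str) -> bool:
    """A field counts as populated only if it exists and is not an empty string."""
    value = event.get(field)
    return value is not None and value != ""


def field_coverage(events: List[Dict]) -> Dict[str, float]:
    """Percentage of events in which each expected field is populated."""
    total = len(events)
    if total == 0:
        return {}
    return {f: round(100 * sum(_present(e, f) for e in events) / total, 1)
            for f in BASE_FIELDS + ENRICHED_FIELDS}


def unenriched_events(events: List[Dict]) -> List[Dict]:
    """Events with complete base flow fields but no NFO enrichment at all."""
    return [e for e in events
            if all(_present(e, f) for f in BASE_FIELDS)
            and not any(_present(e, f) for f in ENRICHED_FIELDS)]


def verify(events: List[Dict], min_pct: float = 80.0) -> Dict:
    """Summarise coverage and list enrichment fields below the threshold."""
    coverage = field_coverage(events)
    failing = [f for f in ENRICHED_FIELDS if coverage.get(f, 0.0) < min_pct]
    return {"coverage": coverage, "unenriched": len(unenriched_events(events)),
            "failing": failing}


if __name__ == "__main__":
    print(json.dumps(verify(SAMPLE_EVENTS), indent=2))
```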