Have you been worried about whether your deployment is secure? Are you tired of keeping track of all security vulnerabilities and vendor-provided patches to ensure that your exposure to such vulnerabilities is minimized? What about making sure that the certificates for your hundreds of forwarders, indexers, search heads and other Splunk connectors are not expired?
You’re not alone!
Based on a recent study we did with Splunk admins, it turns out that ~55% of an admin's efforts are spent on platform management tasks (e.g., certificate updates, version upgrades, app and tech add-on updates, etc.), which were considered “low-value” tasks. Admins were able to allocate about 5% of their time to high-value tasks, such as business use-case creation.
At Splunk, our admins manage Splunk deployments for around 3,000 customers in the cloud, and we also support around 11,000 customers who self-manage their deployments. Our customers range from those with a single, standalone instance, to a fully distributed system with ~500 Indexers, ~10K search heads (SH), ~300K forwarders, and ~40 search head clusters (SHCs). Over time we have collected, tried, and tested configurations that are secure and optimal for a variety of specific deployment types. As the complexity within our customer environments grows, our optimization also evolves.
Splunk Assist allows us to bring all of that goodness to our self-managed customers so that you too can benefit from our experiences with Splunk Cloud Platform. Based on our initial estimates, the insights and recommendations in Assist will not only help enhance the security of the deployment but may also help reduce admins’ efforts spent on platform management tasks by 25%.
What is Splunk Assist, and Why Do I Need It?
Splunk Assist is a cloud-connected service for Splunk® Enterprise that puts your telemetry data to work. Assist provides you with a single place to monitor your deployment and see recommendations to improve your security posture.
In this screenshot we see an overview of indicators that show that some of the Splunk tiers are at risk.
The primary objective of Assist is to keep your deployment secure and in prime condition. Assist does this by providing the following:
- Active monitoring: No need to hunt for critical security gaps
- Actionable insights: No need to look for docs and tutorials to fix issues as you go
- Powered by the cloud: Continuous improvements at your doorstep mean no need to keep up with version upgrades and security patch upgrades
- Security first: Data isolation and authentication best practices
How Do I Set Up Assist?
Assist is only available in Splunk Enterprise 9.0 or later. Once you install or upgrade to Splunk Enterprise 9.0 or later (download Splunk Enterprise), there are four easy steps to enable Assist for your deployment (see How to configure Splunk Assist for more details):
- Enable support usage data (SUD): SUD is needed for Assist to collect telemetry data to provide custom insights (for information on how Splunk uses usage data and how to opt in to sharing that data for use by Splunk Assist, see Share performance and usage data in the admin manual).
- Update network settings: Open port 443 and allow outbound traffic to *.scs.splunk.com
- Configure the Cloud Monitoring Console (CMC), if you have not already (multi-instance deployment setup steps)
- Activate: use a unique one-time activation code tied to your specific license to secure your data in the cloud (see Activate Assist for more details on how to activate Splunk Assist).
Ok, So What Will I Get After I Set Up Splunk Assist?
Splunk Assist is generally available (GA) now; it shipped with Splunk Enterprise 9.0 in June 2022. With our first version we have released the following:
With Certificate Assist you can identify and mitigate certificate expiry issues. Remember those hundreds and thousands of forwarders that you have to manage and track certs for? No more! Assist will not only keep track of the expiry date for you but will also warn you and tell you exactly which node has the expired certificates. It will display a ranked list of certificate issues based on the closest expiration date. The benefit of Certificate Assist is that you proactively avoid the pain of losing connectivity when certificates expire.
The certificate assist overview page lists warnings of certificate expiries with suggested actions to take.
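The ranking described above (closest expiration first, with the affected node named) can be reproduced for a spot check of your own inventory. This is an added example, not Splunk Assist code: the node names, the sample dates and the 14-day and 60-day thresholds are assumptions made for illustration.

```python
import math
import ssl
from datetime import datetime, timezone

# Constructed inventory: node name and the certificate's notAfter value in the
# form `openssl x509 -noout -enddate` prints it. Node names are hypothetical.
INVENTORY = [
    ("idx-01", "Mar  1 12:00:00 2025 GMT"),
    ("fwd-117", "Jan 10 00:00:00 2025 GMT"),
    ("sh-02", "Dec 31 23:59:59 2026 GMT"),
    ("fwd-042", "Jan 28 08:30:00 2025 GMT"),
    ("fwd-300", "2025-02-01"),  # malformed on purpose
]

# Assumed thresholds for this example; they are not Splunk Assist settings.
CRITICAL_DAYS = 14
WARNING_DAYS = 60


def rank_by_expiry(inventory, now, critical_days=CRITICAL_DAYS,
                   warning_days=WARNING_DAYS):
    """Return (node, status, days_left) tuples, most urgent first."""
    now_ts = now.timestamp()
    rows = []
    for node, not_after in inventory:
        try:
            expires_ts = ssl.cert_time_to_seconds(not_after)
        except ValueError:
            # An unreadable date is reported, not skipped: a certificate
            # whose expiry cannot be read is one nobody is tracking.
            rows.append((node, "unparseable", None))
            continue
        days_left = math.floor((expires_ts - now_ts) / 86400)
        if days_left < 0:
            status = "expired"
        elif days_left <= critical_days:
            status = "critical"
        elif days_left <= warning_days:
            status = "warning"
        else:
            status = "ok"
        rows.append((node, status, days_left))
    # Unparseable entries first, then ascending days until expiry.
    rows.sort(key=lambda r: (r[2] is not None, r[2] or 0))
    return rows


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 20, tzinfo=timezone.utc)
    for node, status, days in rank_by_expiry(INVENTORY, fixed_now):
        print(f"{node:8} {status:12} {days}")
```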
Do you wonder if your setup is the most secure it could be? Do you worry about when the newest vulnerability patch will come out, or when you should run another security check across all your nodes? Instead of fretting, open up Splunk Assist at least once a day to see for yourself how Assist is keeping your environment safe! Check out the “security score” to see any configurations that need changing, copy-paste the automation/help text to fix the vulnerability, and you are good to go.
Config Assist displays a ranked (critical, warning, and conforming) list of over five security postures across seven *.conf files, along with actionable recommendations to fix those settings.
Here we see that of the 60 indicators in this deployment, 6 are critical and 6 have been issued a warning.
Now, you can sleep in peace…well, until the next vulnerability, or when your cat takes over your bed.
More than half of our self-managed customers have about 50 apps installed and deployed on their Splunk deployment. Some of those apps are very active, but others may have been inactive for a while and as a result never upgraded. Has that ever happened to you? It sure did for more than 50% of our customers.
App Assist will list a ranked order of currently deployed apps (from Splunkbase) based on version gap and nodes they are installed on. Older versions of apps will be at the top and instructions to download the latest version will be at your fingertips.
App Assist shows a list of the apps that need to be updated.
What Can I Expect in the Future?
We thought you’d never ask! We have big plans for Splunk Assist: we’ve already received so much positive feedback from our preview customers, and we’re committed to investing in this capability. A few of the areas that we will focus on and prioritize include the following:
- Continue to add more insights, such as search performance and health metrics
- Machine learning-based recommendations on most commonly used use-cases or source types
- Ability to not only display recommendations, but put them into action via integration with customers' own IT automation workflow