<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>peax - Splunkbase Apps Releases</title>
    <link>https://splunkbase.splunk.com/apps/</link>
    <description>a list of Newly/updated Splunk apps</description>
    <atom:link href="https://peax-splunk.github.io/splunkbase_rss_feed/rss.xml" rel="self"/>
    <language>en-us</language>
    <lastBuildDate>Tue, 21 Apr 2026 13:03:31 +0000</lastBuildDate>
    <item>
      <title>Splunk Add-on for Tomcat - v3.3.1 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/2911/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;patched log4j&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Splunk Add-on for Tomcat allows a Splunk software administrator to pull Tomcat logs from a local Tomcat server and Tomcat performance data from local and remote Tomcat servers. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security, the Splunk App for PCI Compliance, and Splunk IT Service Intelligence.

Documentation can be found at https://docs.splunk.com/Documentation/AddOns/released/Tomcat/About&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/9bf7040e-3a50-11f1-9775-bee9464af44e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Tue, 21 Apr 2026 12:35:23 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/2911/#v3.3.1</guid>
    </item>
    <item>
      <title>CyberArk Audit for Splunk (for Linux 64-bit) - v2.0.35 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6608/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Version 2.0 introduces a completely redesigned architecture for better scalability and manageability:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Multi-Integration Support: Configure multiple CyberArk environments in a single Splunk instance&lt;/li&gt;
&lt;li&gt;Enhanced UI Dashboard: New web-based configuration interface for easy setup&lt;/li&gt;
&lt;li&gt;Improved Checkpointing: More reliable state management using KV Store&lt;/li&gt;
&lt;li&gt;Automatic Migration: Seamless upgrade path from version 1.x with automatic configuration migration&lt;/li&gt;
&lt;li&gt;Better Error Handling: Enhanced logging and recovery mechanisms&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;This add-on will collect audit data from the CyberArk services.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;CyberArk Audit for Splunk is a Splunk Add-on that automatically collects and indexes audit logs from your CyberArk services. This integration enables security teams and compliance officers to monitor, investigate, and analyze activities across CyberArk services.

Once configured, it runs autonomously, collecting events, maintaining state, and recovering gracefully from interruptions without manual intervention.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/cdf930a8-3d6b-11f1-9bae-ae8256ffa01e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CyberArk Software Ltd</dc:creator>
      <pubDate>Tue, 21 Apr 2026 12:29:18 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6608/#v2.0.35</guid>
    </item>
    <item>
      <title>Threat Hunting Essentials - v1.2.15 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7633/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Free Cyber Threat Hunting App to hunt APT, Threat Actors, Malware tools, exploits&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Free Cyber Threat Hunting App to hunt APT, Threat Actors, Malware tools, exploits, etc.

For Premium Version - Contact sales https://www.avertpoint.com/contactus.html

It is a must-have app, which hunts for presence of advanced persistent threats (APTs), threat actors, state-sponsored attackers, malware, and exploits in your organization&amp;#x27;s assets. All detected malware, exploits, and threat actors are mapped to the MITRE ATT&amp;amp;CK framework, providing deep insight into potential risks.

Threat Hunting Essentials detects a wide range of malware tools used by threat actors, including:

1. Backdoor.
2. Worms.
3. Ransomware.
4. Bots.
5. Trojan horses.
6. Keyloggers.
7. Rootkits.
8. Spyware.
9. Fileless malware.
10. Cryptojacking.
11. Wiper malware.
12. Adware.
14. Viruses
15. P2P-Worm
16. Internet Worms
17. Net-worm
18. Clickjacking
19. Cryptominer
20. Fileless malware

You can easily configure the scan interval in the app’s settings. The real-time scan feature continuously monitors for threats in near real-time, as allowed by Splunk.

Information Use: Your email address is used to improve detection logic based on your feedback. Additionally, we may notify you about app upgrades, updates, or changes to features, user agreements, or the privacy policy.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/72c5d150-3d75-11f1-b319-362b5dc26531.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Cyber Essentials Avertpoint</dc:creator>
      <pubDate>Tue, 21 Apr 2026 11:30:41 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7633/#v1.2.15</guid>
    </item>
    <item>
      <title>SpyCloud Application for Splunk - v3.2.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/6373/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
  &lt;li&gt;Sightings added to all tables&lt;/li&gt;
  &lt;li&gt;Maintenance update&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;SpyCloud is the market leader in protecting enterprises and their customers from online fraud, account takeover, and follow-on attacks like ransomware. We provide an early warning of compromised credentials and malware-infected users, so you can take action before the criminals do.

This application provides visualizations that allow the end user to view the SpyCloud data that is loaded by the SpyCloud Add-On for Splunk. Visualizations include a high-level dashboard, a breakdown of breach records by the customer’s watchlist assets (domain, email and IP addresses), and a summary of infected user data, including the ability to drill down into a specific machine infection to see all details for a given malware infection including sites visited, along with credential information.

Note: This Application can display information loaded by the SpyCloud Add-On for Splunk found here: https://splunkbase.splunk.com/app/6373/&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/200acde8-3d6c-11f1-b319-362b5dc26531.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CW Walker</dc:creator>
      <pubDate>Tue, 21 Apr 2026 10:24:38 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6373/#v3.2.0</guid>
    </item>
    <item>
      <title>Ensign ElasticSearch Data Integrator - v1.2.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8645/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Here is the summary of the key upgrades and new features:&lt;/p&gt;
&lt;h3&gt;1. Elasticsearch Cluster Topology Support (New)&lt;/h3&gt;
&lt;p&gt;The most significant enhancement is the flexibility to connect to an Elasticsearch Cluster architecture rather than just a standalone node:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Multi-Node Connection&lt;/strong&gt;: The &lt;code&gt;es_host&lt;/code&gt; parameter now accepts comma-separated hostnames (e.g., &lt;code&gt;node1.es.local, node2.es.local&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Round-robin Load Balancing&lt;/strong&gt;: The add-on performs round-robin load balancing across all configured nodes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Node Sniffing (Auto-Discovery)&lt;/strong&gt;: A new &lt;code&gt;enable_sniffing&lt;/code&gt; toggle allowing the client to automatically discover and connect to all available nodes in the cluster via the ES &lt;code&gt;_nodes&lt;/code&gt; API.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reliability &amp;amp; Timeout Controls&lt;/strong&gt;: Automatic connection failure retries, supported by configurable parameters (&lt;code&gt;max_retries&lt;/code&gt;, &lt;code&gt;retry_on_timeout&lt;/code&gt;, and &lt;code&gt;connection_timeout&lt;/code&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;2. Cluster Health Monitoring (Preflight Health Check)&lt;/h3&gt;
&lt;p&gt;Before fetching data, the add-on now performs a preflight health check against the Elasticsearch cluster (&lt;code&gt;_cluster/health&lt;/code&gt; API):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;It automatically logs the cluster's health status (Green, Yellow, or Red).&lt;/li&gt;
&lt;li&gt;Handled as a non-blocking check: Even if a &lt;em&gt;Red&lt;/em&gt; cluster status triggers a Warning log, data collection will still proceed on a best-effort basis.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;3. Core Library Upgrades&lt;/h3&gt;
&lt;p&gt;The bundled Python libraries have been bumped significantly to patch legacy bugs, avoid vulnerabilities, and officially support the Elasticsearch 8.x ecosystem:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;elasticsearch-py&lt;/code&gt; upgraded from &lt;code&gt;8.8.0&lt;/code&gt; to &lt;strong&gt;&lt;code&gt;8.19.3&lt;/code&gt;&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;elastic-transport&lt;/code&gt; upgraded from &lt;code&gt;8.4.0&lt;/code&gt; to &lt;strong&gt;&lt;code&gt;8.17.1&lt;/code&gt;&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;4. Security Hardening &amp;amp; Remediations&lt;/h3&gt;
&lt;p&gt;Multiple layers of security (defense-in-depth) have been added across the v1.2.0 and v1.2.1 releases:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Restricted Web Endpoints (v1.2.1)&lt;/strong&gt;: Modified &lt;code&gt;web.conf&lt;/code&gt; to narrow an overly broad &lt;code&gt;data/*&lt;/code&gt; REST endpoint exposure down to &lt;code&gt;data/indexes&lt;/code&gt; securely, preventing unnecessary internal Splunk data from being exposed to the browser UI.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secured Internal Splunk REST calls (v1.2.1)&lt;/strong&gt;: Internal communication to the Splunk Daemon now strictly requires SSL verification (&lt;code&gt;verify=True&lt;/code&gt;) and enforces an explicit 30s timeout, protecting the &lt;code&gt;session_key&lt;/code&gt; authentication token on the loopback interface.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Strict SSL/TLS Validation&lt;/strong&gt;: Certificate verification now defaults to &lt;strong&gt;ENABLED&lt;/strong&gt;. If left disabled, an active security warning is generated in the &lt;code&gt;_internal&lt;/code&gt; logs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Proxy Credentials Protection&lt;/strong&gt;: Proxy configurations are scrubbed and removed from the system environment variables (&lt;code&gt;os.environ&lt;/code&gt;) in memory immediately after the Elasticsearch client instantiates, limiting exposure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SSRF (Server-Side Request Forgery) Protection&lt;/strong&gt;: Strict validation is added to block potentially dangerous &lt;code&gt;es_host&lt;/code&gt; inputs such as localhost, 0.0.0.0, 169.254.169.254, and loopback/link-local bounds.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Log Injection Prevention&lt;/strong&gt;: Sanitization filters were added on stanza names (stripping newlines, tabs, and escape chars) before they are rendered into the event logs.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Let us know if there are features or ideas to enhance for a future release.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Splunk modular input for ingesting data from Elasticsearch 8.x clusters by calling the Elasticsearch v8.x REST API. Features multi-cluster profiles, DSL query filters, scroll-based pagination with crash recovery, document-level deduplication, SSL/TLS support, and a full GUI configuration experience. Compatible with Elasticsearch 8.x only and DSL-based only.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Ensign ElasticSearch Data Integrator is a Splunk modular input add-on for ingesting data from Elasticsearch 8.x clusters into Splunk via the Elasticsearch 8 REST API.

Built on the Splunk UCC Framework, it provides a full GUI-driven configuration experience through Splunk Web — no manual file editing required.

Key Features:
• Multi-cluster Elasticsearch profile management via Splunk UI
• DSL Query-focused data retrieval with configurable time-based fetching
• ES Scroll API pagination for efficient large-volume data collection
• Crash-resilient scroll recovery with a dedicated checkpoint directory
• Document-level deduplication guard (rolling 50,000 IDs per stanza)
• SSL/TLS certificate verification support
• Custom term filters per data source
• Global proxy support with Splunk-native credential encryption
• Custom sourcetype override per input stanza

IMPORTANT: This add-on is designed exclusively for Elasticsearch 8.x API. It is NOT compatible with Elasticsearch 7.x or earlier versions.

Compatibility:
• Elasticsearch: 8.x only
• Splunk Enterprise: 8.2+ and 9.x (You can try for 10.x, let me know the updates)
• Python: 3.x (bundled with Splunk)&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/44e89a62-3d3c-11f1-8530-46c2835d04d1.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Muhammad Rafdi Aufar Ahmad</dc:creator>
      <pubDate>Tue, 21 Apr 2026 10:14:14 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8645/#v1.2.1</guid>
    </item>
    <item>
      <title>Ensign Akamai Web Security Add-on - v1.0.9 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8652/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;v1.0.9 - Bug Fixes and Security Hardening&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Fixed: Server-side REST handler input name validator now allows hyphens (-) in input names, matching the client-side UI validation&lt;/li&gt;
&lt;li&gt;Improved: Added detailed error logging for non-200 HTTP responses from Akamai API, including response body for troubleshooting 401/403 errors&lt;/li&gt;
&lt;li&gt;Updated: Source format changed to ensign_akamaisiem://{inputName}_{configId} for better identification&lt;/li&gt;
&lt;li&gt;Fixed: CHANGELOG.md encoding cleaned to pure ASCII (removed mojibake characters)&lt;/li&gt;
&lt;li&gt;Removed: Edgegrid test files from production package&lt;/li&gt;
&lt;li&gt;Security: Full sanitization audit completed, all client-specific references removed&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Captures Akamai security events via SIEM Integration API v1. Built on Splunk UCC with multi-account, multi-proxy, and encrypted credential support.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Ensign Akamai Web Security Add-on for Splunk

An enterprise-grade alternative to the official Akamai SIEM app, rebuilt on the Splunk UCC framework v6.3.0.

WHY THIS ADD-ON?
The official Akamai app (refer to: https://splunkbase.splunk.com/app/4310) uses the legacy way of enabling the input (via Settings =&amp;gt; Data Input), and some of its parsing is not key-value-pair based once the data is ingested into Splunk, rather than using spath and making it easier for analysts to choose the fields; this add-on is one way to solve that. This add-on provides:
- Full UI-driven configuration of inputs in the way you are used to from add-ons (configured directly under the add-on, like the other Splunk Supported Add-ons).
- Multi-account management with encrypted credential storage via Splunk&amp;#x27;s native password vault
- Multi-proxy support (HTTP, HTTPS, SOCKS4, SOCKS5) with per-input proxy assignment
- Offset-based checkpointing for reliable data continuity across restarts.
- Custom sourcetype override per input for seamless migration.
- Deployment Server compatible.

DATA SOURCE:
Captures security events from Akamai SIEM Integration API v1, supporting:
- App &amp;amp; API Protector
- Kona Site Defender
- Web Application Protector
- Client Reputation
- Bot Manager
- Account Protector

EVENT PROCESSING:
- URL-decodes all fields recursively
- Parses HTTP headers into structured key-value pairs
- Decodes base64-encoded attackData rule fields into structured objects
- Drops summary/offset metadata events (nullQueue)

Ref: https://techdocs.akamai.com/siem-integration/docs

Built by Ensign Infosecurity Indonesia.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/98a864f0-37da-11f1-b9af-06e116ea42fd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Muhammad Rafdi Aufar Ahmad</dc:creator>
      <pubDate>Tue, 21 Apr 2026 10:12:36 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8652/#v1.0.9</guid>
    </item>
    <item>
      <title>Supporting App for Cisco Meeting Server - v0.6.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8413/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Fixed a critical problem where our notion of &quot;call id&quot; and how the cisco_cdr app tied this together, was failing to merge sets of events from different servers into the overall call.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This is a Supporting App designed to be deployed alongside Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; app.  It provides the Splunk configuration to ingest the CDR data from Cisco Meeting Server. Additionally it contains various pieces of Splunk configuration and logic that are used by Cisco CDR Reporting and Analytics, to make the CMS CDR work within its user interfaces.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/4cd4de08-3d45-11f1-8404-065af4c86201.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sideview, LLC - Partner</dc:creator>
      <pubDate>Tue, 21 Apr 2026 05:46:13 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8413/#v0.6.0</guid>
    </item>
    <item>
      <title>Supporting App for Oracle SBC CDR - v0.8.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7051/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Fixed a bug that prevented the new homepage from working properly if the cisco_cdr app was not installed. (It would say only &quot;Action Forbidden&quot;.)&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app provides the Splunk configuration to ingest the CDR data from Oracle SBC.     It is intended to work for both Oracle Session Router CDR and Oracle SBC CDR, although some unknowns remain as of this writing. 

It is also designed to work as a Supporting App alongside Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; app.  
When used in conjunction with the Cisco CDR app, the Oracle SBC data can be used in that app alongside the CUCM data.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/d3e0cd16-3d3c-11f1-a206-9ed06fa27c31.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sideview LLC</dc:creator>
      <pubDate>Tue, 21 Apr 2026 04:45:35 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7051/#v0.8.3</guid>
    </item>
    <item>
      <title>Supporting App for Expressway CDR - v0.5.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8593/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Fixed a bug that prevented the new homepage from working properly if the cisco_cdr app was not installed. (It would say only &quot;Action Forbidden&quot;.)&lt;/li&gt;
&lt;li&gt;Fixed a problem in the app's health check that crosschecks indexes specified in the Cisco CDR app (if it's present) with the indexes specified in the SA's own &quot;custom_index&quot; macro.&lt;/li&gt;
&lt;li&gt;Fixed a bug in the drilldown for the &quot;Top 20 Calling Parties&quot; chart. Previously the drilldown clicks would take you to all calls to OR from the given number, not just the calls from it.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;This app implements various field extraction configuration and Sideview conventions so as to allow syslog-formatted Expressway CDR data to be not only searched in Splunk effectively, but also to be pulled into Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; solution on Splunk and investigated and analyzed there.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app implements various field extraction configuration and Sideview conventions so as to allow syslog-formatted Expressway CDR data to be not only searched in Splunk effectively, but also to be pulled into Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; solution on Splunk and investigated and analyzed there.

NOTE that this Supporting App is designed to be always deployed with Sideview&amp;#x27;s &amp;quot;Supporting Add-on for Expressway CDR&amp;quot; ALSO deployed on the Indexing tier. That &amp;quot;Add-on&amp;quot; component contains crucial index-time configuration to index the CDR into Splunk correctly, and that index-time configuration is NOT duplicated in this app here.  Therefore if you intend to set up a standalone deployment you will need both the TA and the SA.

These two apps are furthermore designed to work with Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; app. When all three components are present and deployed to the right tiers, users can navigate, troubleshoot and build ad-hoc charts and reports around the Expressway data, within the Cisco CDR app&amp;#x27;s complex user interfaces.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/af0d59aa-3d3c-11f1-b797-5abed683dd81.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sideview, LLC - Partner</dc:creator>
      <pubDate>Tue, 21 Apr 2026 04:44:38 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8593/#v0.5.2</guid>
    </item>
    <item>
      <title>Supporting App for CUBE - v0.5.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8614/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Created 2 new fields &quot;internal_party_number&quot; and &quot;external_party_number&quot; to better align with the CUCM CDR side.&lt;/li&gt;
&lt;li&gt;Fixed a bug that prevented the new homepage from working properly if the cisco_cdr app was not installed. (It would say only &quot;Action Forbidden&quot;.)&lt;/li&gt;
&lt;li&gt;Fixed a bug in the drilldown for the intraday calling volume chart.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app implements various field extraction configuration and Sideview conventions so as to allow CDR and also syslog data from CUBE to be not only searched in Splunk effectively, but also to be pulled into Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; solution and investigated and analyzed there.

NOTE that this Supporting App is designed to be always deployed with Sideview&amp;#x27;s &amp;quot;Supporting Add-on for CUBE&amp;quot; ALSO deployed on the Indexing and/or Forwarding tiers. That &amp;quot;Add-on&amp;quot; component contains crucial index-time configuration to index the data into Splunk correctly, and the index-time configuration in that TA is NOT duplicated in this app here.  Therefore if you intend to set up a standalone deployment you will need both the TA and the SA.

These two apps are furthermore designed to work with Sideview&amp;#x27;s commercial &amp;quot;Cisco CDR Reporting and Analytics&amp;quot; app. When all three components are present and deployed to the right tiers, users can navigate, troubleshoot and build ad-hoc charts and reports around your CUBE data, within the Cisco CDR app&amp;#x27;s complex user interfaces.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/dde095e2-3d34-11f1-8530-46c2835d04d1.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sideview, LLC - Partner</dc:creator>
      <pubDate>Tue, 21 Apr 2026 03:49:06 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8614/#v0.5.2</guid>
    </item>
    <item>
      <title>Splunk Add-on for AWS Security Hub - v1.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8642/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Use the Splunk Add-on for AWS Security Hub to ingest real-time events from AWS Security Hub and convert them into findings and intermediate findings in Splunk Enterprise Security. Consolidating findings in Splunk Enterprise Security helps to centralize data management across AWS Cloud platforms and services and leverage the threat detection capabilities of Splunk Enterprise Security.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/fede2de4-3a97-11f1-b6b7-caeb896af8b6.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Tue, 21 Apr 2026 00:00:00 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8642/#v1.0.0</guid>
    </item>
    <item>
      <title>VulnCheck Exploit Intelligence App for Splunk - v1.0.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8225/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h3&gt;Version 1.0.1&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Ad hoc Enriched Data Dashboard&lt;/strong&gt; - New dashboard that displays the latest enriched data from ad hoc enrichment operations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CVSS Metric V4&lt;/strong&gt; - Support for CVSS Version 4 metrics has been added.&lt;/li&gt;
&lt;li&gt;The lookup structure has changed in this version, please refer to the &lt;strong&gt;UPGRADE&lt;/strong&gt; section.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Batch Processing&lt;/strong&gt; - Introduced consistent batch size handling across all enrichment operations&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Accelerated Lookup Performance&lt;/strong&gt; - New &lt;code&gt;vulncheck_enriched_fast&lt;/code&gt; lookup with pre-computed fields for faster dashboard queries&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Upgrade to v1.0.1&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Follow the General upgrade steps section.&lt;/li&gt;
&lt;li&gt;Existing data will be migrated to the new lookup structure by a scheduled saved search (runs every 24 hours).&lt;/li&gt;
&lt;li&gt;For manual execution, follow the steps below.&lt;/li&gt;
&lt;li&gt;Go to Settings &amp;gt; Searches, reports, and alerts. Filter by VulnCheck app.&lt;/li&gt;
&lt;li&gt;search &lt;strong&gt;vulncheck_exploit_intelligence_enrichment_all_time&lt;/strong&gt; and click on Run.&lt;/li&gt;
&lt;li&gt;Existing data will be migrated to the new lookup structure.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The VulnCheck Exploit Intelligence App for Splunk empowers security teams to enrich CVE data with real-world exploitation intelligence directly inside Splunk. By integrating VulnCheck&amp;#x27;s comprehensive APIs, the app delivers enriched vulnerability insights, SBOM-driven risk analytics, and threat actor correlation, enabling customers to prioritize vulnerabilities based on active exploitation and real risk, not just static CVSS scores.

*NOTE: This app requires a PAID subscription to VulnCheck Vulnerability &amp;amp; Exploit Intelligence*&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/320addae-3cf3-11f1-8530-46c2835d04d1.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">VulnCheck Exploit Intelligence</dc:creator>
      <pubDate>Mon, 20 Apr 2026 20:05:07 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8225/#v1.0.1</guid>
    </item>
    <item>
      <title>PowerConnect for SAP Solutions - v9.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3153/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;For release notes, please see our &lt;a href=&quot;https://docs.rhondos.com/powerconnect/release-notes-for-splunk-app-v9-1-0&quot;&gt;documentation.&lt;/a&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;PowerConnect Consists of two primary components:  An SAP add-on that is installed within your SAP environment and The Splunk app (listed on this page)

PowerConnect - SAP Add-On:   Sold via RHONDOS, Splunk, and numerous other resell agents.   The PowerConnect Add-On is an SAP certified software that installs into NetWeaver ABAP, S/4 HANA, NetWeaver Java, SAP Cloud Platform or TomCat Java based SAP systems and uploads events directly to Splunk Enterprise or Splunk Cloud in real time.

PowerConnect - Splunk Application:   This Splunk powered application provides functionality for visualizing, monitoring, and managing SAP systems.  This application requires data ingestion from SAP which is facilitated by an SAP Netweaver based technology add-on called &amp;quot;PowerConnect for SAP Solutions&amp;quot;&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/5f0473c2-3ceb-11f1-8404-065af4c86201.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">RHONDOS LLC</dc:creator>
      <pubDate>Mon, 20 Apr 2026 19:15:46 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3153/#v9.1.0</guid>
    </item>
    <item>
      <title>Alpha Level for Linux - v2.2.2 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8416/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Reduce security alert fatigue by automatically identifying false positives and duplicate alerts using machine learning.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Alpha Level automatically reduces security alert fatigue by identifying false positive and duplicate alerts, allowing your SOC team to focus on genuine threats.

THE PROBLEM
Security teams are overwhelmed by alert volume. Studies show up to 80% of security alerts are false positives or duplicates, leading to analyst burnout, missed threats, and wasted resources.

HOW IT WORKS
Alpha Level uses two ML-powered detection methods:

  • Regularity Detection - Identifies alerts that exhibit predictable patterns typically associated with benign automated activity.

  • Duplication Detection - Identifies alerts that are semantically similar to recent alerts, reducing noise from alert storms.

KEY FEATURES
  • Automatic enrichment of Splunk ES notable events
  • Alpha Score (0-100) indicates likelihood of true positive
  • Works out of the box with no tuning required
  • Supports custom alert sources beyond Splunk ES
  • Simple Overview dashboard for monitoring

REQUIREMENTS
  • Splunk Enterprise 8.2+
  • Python for Scientific Computing (PSC) add-on for your platform
  • Splunk Enterprise Security (optional, recommended)

Alpha Level integrates seamlessly with your existing Splunk ES workflow, adding actionable context to every alert.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/f6e945ca-3c9e-11f1-9f14-0676daea94ab.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Aidan McLaughlin</dc:creator>
      <pubDate>Mon, 20 Apr 2026 18:42:12 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8416/#v2.2.2</guid>
    </item>
    <item>
      <title>Splunk AI Assistant - v2.0.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7245/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;See what the Splunk AI Assistant can do for you https://youtu.be/ynRBiepXVw4?si=eua38GwP0nwuvk3m&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Splunk AI Assistant is your AI-powered companion for getting answers from your data in Splunk. Whether you&amp;#x27;re a seasoned Splunk expert or just getting started, the assistant helps you discover, analyze, and act on your data through natural conversation — going far beyond just writing and explaining SPL. https://youtu.be/ynRBiepXVw4?si=eua38GwP0nwuvk3m

What Splunk AI Assistant can do for you:

With Agent Mode, the assistant can now reason through your requests, take actions on your behalf, and leverage a rich set of tools and skills — all from a single chat window. The assistant decomposes complex questions into parallel steps, exposes its reasoning to build trust, and asks clarifying questions for ambiguous prompts.

🚀 Intelligent SPL Generation, Editing &amp;amp; Optimization: Describe what you want to search in plain English, and the assistant translates it into accurate SPL — or modifies existing queries based on your instructions without rewriting from scratch, while making them faster – leading to quicker insights!

📖SPL Explanation: Understand any SPL search in plain English, complete with a detailed breakdown of its logic and purpose.

🔍Data Discovery: Don&amp;#x27;t know where your data lives? The assistant scans your environment and identifies the right data sources for your question.
⚡Search Execution &amp;amp; Analysis: The assistant executes searches on your behalf (with your explicit permission) and summarizes results directly in chat — so you get answers, not just queries.

📊Knowledge Object Discovery: Find and reuse existing dashboards, saved searches, reports, and lookups through natural language. The assistant retrieves the best-matching content so you can build on what your team has already created.

📚Knowledge Retrieval: Get answers to questions about Splunk documentation, platform terms, or products.

Teach AI (Beta) Administrators can provide custom instructions via a markdown file to teach Splunk AI Assistant about their organization&amp;#x27;s best practices, data catalog, and custom guardrails. This makes the assistant smarter and more relevant to your environment — and gives admins greater control over how AI operates in their deployment.

Context Settings Formerly known as Personalization, Context Settings generate more accurate and contextual results by considering your unique data and environment, while only using non-personal contextual metadata and honoring role-based access controls. Administrators have full visibility into the data collected from their deployment.

Model Runtime Choices Splunk AI Assistant leverages models in Azure OpenAI in addition to Splunk-hosted LLMs for the best available response quality.

Availability Splunk AI Assistant is available to Splunk Cloud customers in AWS and Azure commercial regions, FedRAMP IL2, and Enterprise customers through Cloud Connected. Agent Mode is available to AWS commercial Splunk Cloud customers with this release.

(c) Splunk 2026. All rights reserved.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6aaa075e-33b4-11f1-a133-e246e7eb4d2d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 20 Apr 2026 18:20:11 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7245/#v2.0.0</guid>
    </item>
    <item>
      <title>InSitzes App for Splunk Cloud - v3.0.11 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8097/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Bug Fixes&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Unified Splunk Cloud monitoring with 31 automated health checks, SVC compute attribution (by user, app, search head, and provenance), DDAS &amp;amp; DDAA storage forecasting with optional cost modeling, ingestion anomaly detection, scheduled-search and workload analysis, dashboard refresh tracking, and a guided remediation tab — all in a single React dashboard with PDF export.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The InSitzes App for Splunk Cloud is a unified monitoring suite that gives administrators actionable insight into ingestion, system performance, workload management, search efficiency, storage, and compute consumption across their Splunk Cloud environment. Rather than hopping between the Cloud Monitoring Console, license pages, and ad-hoc searches, admins get one React-powered dashboard with 12 purpose-built tabs to answer the questions that matter most: Is my environment healthy? Is data flowing reliably? Are searches running efficiently? Where are my SVCs being consumed? How fast is storage growing, and do I have enough capacity to meet demand?

The Health tab runs 31 automated checks across 8 categories — System, Ingestion, Data Quality, Search, Compute, Storage, Workload, Forwarding, and Capacity — with weighted severity scoring and a rolled-up environment health score so you know at a glance where to focus. Individual tabs drill into SVC attribution by user, app, search head, provenance and search type; DDAS and DDAA storage utilization and forecasting with an optional Cost Mode; scheduled search skip reasons and wasteful-search detection; WLM filtered, reclassified, and aborted search rates; HEC throughput and SSL connectivity issues; dashboard refresh frequency and chain-search analysis; indexer cache churn and queue health; and license headroom trends. A guided Remediation tab translates every health finding into concrete next steps.

All charts render client-side as SVG so dashboards export cleanly to PDF for executive reporting. Ingestion data is read live from _internal license_usage events, eliminating scheduled-lookup maintenance. Pre-built alert saved searches (disabled by default) are included for ingestion anomalies, storage utilization, app updates, large lookup files, and redundant scheduled searches. The app helps teams proactively detect issues, optimize resource usage, and align capacity to real business demand.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/1b23eb6e-39c7-11f1-9791-3efbe26b2662.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Sitzes</dc:creator>
      <pubDate>Mon, 20 Apr 2026 18:10:28 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8097/#v3.0.11</guid>
    </item>
    <item>
      <title>InSitzes App for Splunk Enterprise Monitoring - v3.0.11 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8438/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Bug Fixes&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Unified Splunk Enterprise monitoring in one React dashboard: 31 automated health checks, hourly SVC estimation for Splunk Cloud cost modeling, license tracking, ingestion anomaly detection, full-stack CPU/memory/disk visibility, and scheduled-search and workload analysis.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The InSitzes App for Splunk Enterprise is a unified monitoring suite that gives administrators actionable insight into ingestion, system performance, workload management, search efficiency, and compute consumption across their Splunk Enterprise deployment. Rather than stitching together the Monitoring Console, license pages, introspection data, and ad-hoc searches, admins get one React-powered dashboard with purpose-built tabs to answer the questions that matter most: Is my environment healthy? Is data flowing reliably? Are searches running efficiently? Am I approaching my license quota? And what would my workload cost under Splunk Cloud compute-based licensing?

The Health tab runs 31 automated checks across 8 categories — System, Ingestion, Data Quality, Search, Compute, Workload, Forwarding, and Capacity — with weighted severity scoring and a rolled-up environment health score so you know immediately where to focus. Individual tabs drill into CPU, memory, and disk utilization across every server role (search heads, indexers, cluster manager, deployment server, SHC deployer); live license usage with 7-day trend against daily quota; forwarder throughput, HEC health, SSL and deployment-client issues; sourcetype parsing, timestamp, and debug-event quality; scheduled search execution, skip reasons, and wasteful-search detection; WLM filtered, reclassified, and aborted search rates; and dashboard refresh frequency with base vs. chained search analysis.

The Compute tab delivers an hourly-computed SVC estimate — via the bundled insitzes_svc_estimation saved search and dynamic role discovery on _introspection data — so Enterprise admins can see exactly what their workload would cost under Splunk Cloud compute-based licensing, broken down by search head, app, search type, user, and provenance, with an optional Cost Mode. Install on your Monitoring Console search head; ingestion data is read live from _internal license_usage events, eliminating scheduled-lookup maintenance. Pre-built alert saved searches (disabled by default) cover ingestion anomalies, app updates, large lookup files, and redundant scheduled searches.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/1d7fbb7c-39c7-11f1-9775-bee9464af44e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Sitzes</dc:creator>
      <pubDate>Mon, 20 Apr 2026 18:10:14 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8438/#v3.0.11</guid>
    </item>
    <item>
      <title>Splunk DB Connect - v4.2.4 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/2686/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;See &lt;a href=&quot;https://help.splunk.com/en/splunk-cloud-platform/connect-relational-databases/release-notes/4.2/whats-new&quot;&gt;Release Notes&lt;/a&gt; for Splunk DB Connect.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Warning: You can&amp;#x27;t upgrade DB Connect directly from versions earlier than 3.18.0 to versions 4.0.0 or later. Make sure to follow the upgrade path guide.

Splunk DB Connect is a generic SQL database extension for Splunk that enables easy integration of database information with Splunk queries and reports. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, Teradata, InfluxDB and MongoDB Atlas &amp;amp; Standalone.

Use Splunk DB Connect&amp;#x27;s Inputs to import structured data for powerful indexing, analysis, and visualization. Use Outputs to export machine data insights to a legacy database to increase your organization&amp;#x27;s insight. Use Lookups to add meaningful information to your event data by referencing fields in an external database. Use query commands to build live dashboards mixing structured and unstructured data.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/410abace-3ca6-11f1-a430-0aeaf1d31050.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 20 Apr 2026 15:30:13 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/2686/#v4.2.4</guid>
    </item>
    <item>
      <title>Tenable.sc - v2.5.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5938/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added API key authentication support. Users can now authenticate using an &lt;code&gt;access_key&lt;/code&gt; and &lt;code&gt;secret_key&lt;/code&gt; instead of username/password. API key authentication takes precedence if both methods are configured.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app integrates with Tenable&amp;#x27;s SecurityCenter to provide endpoint-based investigative actions&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/cabd5f9e-3c95-11f1-982f-8ee072eff071.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 20 Apr 2026 08:49:08 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5938/#v2.5.0</guid>
    </item>
    <item>
      <title>MS Graph for Office 365 - v4.1.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5824/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Fixed an OAuth token generation crash by returning a consistent tuple.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app connects to Office 365 using the MS Graph API to support investigate and generic actions related to the email messages and calendar events&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/31084a8a-3c95-11f1-9be9-aac78d333027.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 20 Apr 2026 08:44:50 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5824/#v4.1.1</guid>
    </item>
    <item>
      <title>CCX Extensions for Netskope - v1.0.4 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7420/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;This add-on provides additional extraction and CIM compliance for sourcetype:&lt;/p&gt;
&lt;p&gt;- netskope:cloud_exchange (new coverage)&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;About Us:
CyberCX is Australia’s greatest force of cyber security experts. Our highly skilled professional services team operates a 24x7 on-shore security operations centre (SOC) servicing corporate and public sector organisations across Australia and New Zealand, specialising in Security Operations services leveraging Splunk.

Description:
The CCX Add-on for Netskope Extensions looks to provide additional field extraction and CIM compliance for Netskope log sources captured via the Add-on Netskope Add-on For Splunk.

This Technical Add-on does not replace the public Splunk Add-on for Netskope (https://splunkbase.splunk.com/app/3808/) but works as an additional extension to be deployed on Search Heads (only).

Currently this add-on provides additional extraction and CIM compliance for sourcetypes:

- netskope:alert
- netskope:application
- netskope:connection
- netskope:incident
- netskope:audit
- netskope:cloud_exchange

Fully compatible with Splunk Enterprise and Splunk Cloud, built by an Ops team for Ops teams.

Features:
- This TA currently supports logtypes tagged under the following CIM datamodels: Alerts, Authentication, Change, Inventory, Data Loss Prevention (DLP), Malware, Network Traffic, Network Session, and Web.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/dfb8db66-3c5a-11f1-aa45-e20d4a803e37.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Henrique Linsmeyer</dc:creator>
      <pubDate>Mon, 20 Apr 2026 01:49:48 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7420/#v1.0.4</guid>
    </item>
    <item>
      <title>cve.icu - CVE Intelligence for Splunk - v2.0.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8395/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h2&gt;v2.0.3 — Fix: Risk Priority Dashboard Error&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Fix:&lt;/strong&gt; Removed an invalid lookup join from the Risk Priority dashboard's &quot;High-EPSS CVEs&quot; panel. The query was joining on a &lt;code&gt;cve_id&lt;/code&gt; field that doesn't exist in &lt;code&gt;cve_daily_summary.csv&lt;/code&gt;, causing the panel to display a lookup error instead of the count.&lt;/p&gt;
&lt;p&gt;Also includes the v2.0.2 fix: replaced &lt;code&gt;run_on_startup&lt;/code&gt; with tighter cron schedules (every 5-10 minutes) for index-dependent saved searches, so dashboard lookups reliably populate within 10 minutes of a fresh install.&lt;/p&gt;
&lt;hr&gt;
&lt;h2&gt;What's New in v2.0 (included in v2.0.3)&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Requires Splunk 10.0+ or Splunk Cloud.&lt;/strong&gt; Users on Splunk 9 should remain on v1.0.6.&lt;/p&gt;
&lt;h3&gt;New Features&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Four Dashboard Studio v2 dashboards: CVE Explorer, Risk Priority, Vulnerability Landscape, and Operational Health&lt;/li&gt;
&lt;li&gt;EPSS enrichment: Daily FIRST EPSS scores joined at search time for exploit probability ranking&lt;/li&gt;
&lt;li&gt;CISA KEV integration: Known Exploited Vulnerabilities catalog refreshed every 6 hours&lt;/li&gt;
&lt;li&gt;SSVC decision data: CISA Stakeholder-Specific Vulnerability Categorization from ADP containers&lt;/li&gt;
&lt;li&gt;Risk Priority lookup: Pre-computed table combining CVSS, EPSS, KEV, and SSVC data for fast triage&lt;/li&gt;
&lt;li&gt;Zero-configuration start: Input enabled by default, data starts flowing immediately after install&lt;/li&gt;
&lt;li&gt;Configurable index macro: All dashboards and saved searches use the cveicu_index macro&lt;/li&gt;
&lt;li&gt;CIM Vulnerabilities data model mapping&lt;/li&gt;
&lt;li&gt;CI/CD pipeline: GitHub Actions with unit tests, AppInspect validation, and Docker integration tests&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Improvements&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;CVSS v4.0 support in addition to v3.1, v3.0, and v2.0&lt;/li&gt;
&lt;li&gt;Multi-value field extractions for CWE IDs, vendors, products, and references&lt;/li&gt;
&lt;li&gt;Pre-computed dashboard lookups for instant panel loading&lt;/li&gt;
&lt;li&gt;Expanded CWE lookup: 298 unique entries covering CWE Top 25, OWASP Top 10, and more&lt;/li&gt;
&lt;li&gt;Cooperative timeout management and memory monitoring (512MB limit)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Breaking Changes from v1.x&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Splunk 10+ required for dashboards (Dashboard Studio v2)&lt;/li&gt;
&lt;li&gt;Setup page removed: GitHub token configured via REST API&lt;/li&gt;
&lt;li&gt;Python 3.11+ required (3.9 dropped)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Migration from v1.x&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Upgrade Splunk to 10.0+ first&lt;/li&gt;
&lt;li&gt;Install v2.0.3 via Manage Apps&lt;/li&gt;
&lt;li&gt;No data migration needed -- same sourcetypes and field extractions&lt;/li&gt;
&lt;li&gt;If using a custom index, create local/macros.conf with your cveicu_index definition&lt;/li&gt;
&lt;/ol&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Ingest the complete CVE V5 database (327,000+ vulnerabilities) into Splunk in minutes. Features bulk ZIP downloads, hourly delta updates, CVSS/EPSS/KEV/SSVC risk enrichment, and four Dashboard Studio dashboards. Works out of the box with no API keys or setup required.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The cve.icu add-on ingests the complete CVE V5 database directly into Splunk. Unlike traditional collectors that rely on slow per-CVE API crawling, this add-on streams data from official GitHub release ZIP files, enabling initial ingestion of over 327,000 CVE records in minutes. Hourly delta updates keep the data current with only a few API calls per run -- no GitHub token required.

Key Features:

Full CVE V5 Schema Support: Parses the modern CVE JSON 5.x schema including cveMetadata, CNA containers, and CISA-ADP enrichment. Extracts CVSS scores across all versions (v2.0, v3.0, v3.1, v4.0), CWE classifications, and affected product/vendor data.

Risk Prioritization Beyond CVSS: Integrates three enrichment sources to help security teams identify &amp;quot;patch now&amp;quot; threats: FIRST Exploit Prediction Scoring System (EPSS) scores updated daily, CISA Known Exploited Vulnerabilities (KEV) catalog refreshed every 6 hours, and CISA SSVC (Stakeholder-Specific Vulnerability Categorization) decision data from ADP containers.

Four Dashboard Studio Dashboards: CVE Explorer for searching and filtering the full database, Risk Priority for EPSS/KEV/SSVC-ranked threat triage, Vulnerability Landscape for executive-level trend analysis, and Operational Health for monitoring ingestion status and errors.

Production-Ready Architecture: Resource-aware modular input with memory monitoring (512MB limit), cooperative timeout management, and KV Store checkpointing with file fallback. Pre-computed lookup CSVs power dashboard KPIs so panels load instantly without running expensive searches. Splunk Cloud compatible and AppInspect validated.

Zero-Configuration Start: Works out of the box -- install and data starts flowing. No API keys, no setup pages, no index creation required. Customize the target index via the cveicu_index macro when ready.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/1e06e8c0-3c3a-11f1-90bf-ee5fde511842.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jerry Gamblin</dc:creator>
      <pubDate>Sun, 19 Apr 2026 21:57:43 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8395/#v2.0.3</guid>
    </item>
    <item>
      <title>Alpha Level Alert Refinery - v2.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8022/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Major upgrade. Replaces S3 transport with managed pull over MGMT port / HEC push. No Python, no modular inputs - the TA is now conf-only. New KV store-backed auto-lookup enriches events with Alpha Level scores. Includes Getting Started and Readiness dashboards. Defaults to index=main for zero-setup deployment.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app, when used in conjunction with the Alpha Level Alert Refinery, automatically enriches Splunk Enterprise Security notable events with Alpha Level scores. Alpha Level pulls events over the management port, scores them externally, and pushes results back via HEC. Each alert receives an Alpha Score and Alpha Determination based on how likely it is to be a True Positive (higher score is more likely). Scores are joined to events automatically via a KV store lookup, so analysts see them directly in Incident Review. The app includes a Readiness dashboard to verify your environment is configured correctly before enabling the integration.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6af0e77e-3bd8-11f1-9791-3efbe26b2662.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Aidan McLaughlin</dc:creator>
      <pubDate>Sun, 19 Apr 2026 10:38:58 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8022/#v2.0.0</guid>
    </item>
    <item>
      <title>Nucleus User Logs Technology Add-on - v1.0.7 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8621/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Fixed bug in parameter naming convention.&lt;/p&gt;
&lt;p&gt;Enabled modular input so users can configure the TA via UI.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Ingest Nucleus Security audit logs into Splunk for security monitoring, compliance auditing, and user activity analysis. This Technology Add-on provides automated REST API polling with intelligent deduplication and pre-built field extractions for login events, logouts, and role modifications.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Nucleus User Logs Technology Add-on (TA-nucleus-logs) enables seamless ingestion of audit logs from the Nucleus Security platform into Splunk Enterprise.

Problem Addressed:
Organizations using Nucleus Security need to aggregate and analyze user activity, authentication events, and role modifications for security monitoring, compliance auditing, and incident response. Without this integration, security teams must manually access the Nucleus platform to review audit logs, making it difficult to correlate Nucleus user activity with other security events across their environment.

Solution Provided:
+ Automated Data Collection: Continuously polls the Nucleus Security REST API (/nucleus/api/logs endpoint) to retrieve audit logs at configurable intervals
+ Intelligent Deduplication: Uses checkpoint-based tracking with SHA1 hashing to prevent duplicate events while ensuring no data loss
+ Pre-configured Field Extractions: Automatically extracts key fields from audit logs including usernames, actions (login, logout, role modifications), outcomes, browser information, and organizational IDs
+ CIM Compatibility: Normalizes data with consistent field naming (nucleus.user, nucleus.action, nucleus.outcome) to facilitate integration with Splunk Enterprise Security and other analytics apps
+ Flexible Deployment: Supports multiple Nucleus instances through separate input configurations

Use Cases:
+ Security monitoring and threat detection (failed logins, unusual access patterns)
+ Compliance reporting (user access auditing, privileged user tracking)
+ Incident investigation (correlating Nucleus user activity with security events)
+ User behavior analytics across hybrid environments&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/2212099a-3b63-11f1-9775-bee9464af44e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Page</dc:creator>
      <pubDate>Sat, 18 Apr 2026 20:20:40 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8621/#v1.0.7</guid>
    </item>
    <item>
      <title>Spur Enrichment for Splunk - v1.1.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7126/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;This release focuses on making the app a more integrated experience rather&lt;/p&gt;
&lt;p&gt;than a collection of search commands.&lt;/p&gt;
&lt;p&gt;Opening the app now lands on a new Overview page with copy and paste&lt;/p&gt;
&lt;p&gt;examples for every search command, a panel showing which feeds are&lt;/p&gt;
&lt;p&gt;currently ingesting, and a breakdown of infrastructure types and anonymous&lt;/p&gt;
&lt;p&gt;tunnel operators appearing in your data. It provides a fast way to confirm&lt;/p&gt;
&lt;p&gt;the installation is working end to end.&lt;/p&gt;
&lt;p&gt;Analysts can right click any IP field in a search result (src_ip,&lt;/p&gt;
&lt;p&gt;clientip, dest_ip, and the usual variants) to run &quot;Enrich with Spur&lt;/p&gt;
&lt;p&gt;Context API&quot; or &quot;Locate with Spur IP Geo&quot; directly from the field menu,&lt;/p&gt;
&lt;p&gt;without writing SPL.&lt;/p&gt;
&lt;p&gt;Feed queries are significantly faster. Feed events are now parsed as JSON&lt;/p&gt;
&lt;p&gt;at ingest time, and ip, feed_type, infrastructure, and tunnel operators&lt;/p&gt;
&lt;p&gt;are promoted to indexed fields. Queries using tstats read these values&lt;/p&gt;
&lt;p&gt;directly from the TSIDX, so dashboards that previously scanned millions of&lt;/p&gt;
&lt;p&gt;events complete in milliseconds.&lt;/p&gt;
&lt;p&gt;Event timestamps are now accurate. Feed events previously carried the&lt;/p&gt;
&lt;p&gt;wall clock time from when Splunk ingested them, which made time series&lt;/p&gt;
&lt;p&gt;analysis and historical replays unreliable. The _time field now derives&lt;/p&gt;
&lt;p&gt;from the feed's own feed_date, so events are placed on the day the feed&lt;/p&gt;
&lt;p&gt;actually covers.&lt;/p&gt;
&lt;p&gt;Each feed event is stamped with its feed_type, allowing you to filter or&lt;/p&gt;
&lt;p&gt;break down events by feed type across all inputs regardless of how those&lt;/p&gt;
&lt;p&gt;inputs were named.&lt;/p&gt;
&lt;p&gt;The spurfeedingest modular input previously failed silently when the API&lt;/p&gt;
&lt;p&gt;token was not configured on the indexer. It now logs a clear error&lt;/p&gt;
&lt;p&gt;message, including a reminder that SHC password replication does not&lt;/p&gt;
&lt;p&gt;reach indexers. This is a common source of confusion when setup appears&lt;/p&gt;
&lt;p&gt;to succeed on a search head but no events are ingested. The modular input&lt;/p&gt;
&lt;p&gt;also now logs the active feed type at INFO level so a healthy ingest is&lt;/p&gt;
&lt;p&gt;visible in spur.log.&lt;/p&gt;
&lt;p&gt;Search Head Cluster configuration is more robust. Completing setup on one&lt;/p&gt;
&lt;p&gt;SH member now replicates the configured state to other members&lt;/p&gt;
&lt;p&gt;automatically. Brief delays may occur while Splunk Web refreshes its&lt;/p&gt;
&lt;p&gt;in memory manifest, and the README documents the remediation options if&lt;/p&gt;
&lt;p&gt;that happens.&lt;/p&gt;
&lt;p&gt;You can retarget every shipped dashboard and search to a different index&lt;/p&gt;
&lt;p&gt;by editing one macro (spur_index, default index=spur) rather than&lt;/p&gt;
&lt;p&gt;modifying dashboards individually. Two helper macros are also included:&lt;/p&gt;
&lt;p&gt;spur_enrich(field) for streaming enrichment, and spur_anonymous for&lt;/p&gt;
&lt;p&gt;filtering to events with at least one anonymous tunnel.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Official Spur Splunk Application. Enhance your Splunk experience with the Spur Enrichment for Splunk App. This application integrates with Spur products, providing you with enriched data and insights right in your Splunk environment. Generate events based on IP inputs, enrich existing events with data from the Spur Context API, and insert feed data into a Splunk index with our modular input feature.

The Spur Splunk App requires an active Spur subscription and specific user privileges for installation. 

Once installed, you can utilize our search commands and modular input features to generate and enrich your data. 

Get the most out of your data with the Spur Splunk App. Download today and start exploring your data in new ways.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/4f967ef2-3b2f-11f1-9775-bee9464af44e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Spur Intelligence Corporation</dc:creator>
      <pubDate>Sat, 18 Apr 2026 14:12:05 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7126/#v1.1.1</guid>
    </item>
    <item>
      <title>Atlas Splunk Assessment - v4.9.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6276/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Atlas Splunk Assessment v4.9.0&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;- Preflight checks added to inform users that they may lack complete permissions and capabilities for a manual assessment run.&lt;/p&gt;
&lt;p&gt;- Updated Atlas Assessment dark mode with a gradient.&lt;/p&gt;
&lt;p&gt;- When installed in an environment with Atlas, the Side Navigation bar will allow direct links to Atlas.&lt;/p&gt;
&lt;p&gt;- Reorganized searches to reduce errors in large environments.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Atlas Splunk Assessment (v4) helps Splunk users proactively manage and optimize their environments. This automated tool evaluates your Splunk deployment, identifying potential issues and providing prioritized, actionable recommendations. It demonstrates how the Atlas platform can address areas highlighted in the assessment. Track your progress over time as you implement improvements using the recurring assessment feature.

The tool is regularly updated on both Splunkbase and the Atlas platform—check back frequently for the latest version. For suggestions or feedback, contact us at support@kinneygroup.com.

To learn more, please check out the full Atlas Splunk Assessment documentation site:
https://docs.atlas.kinneygroup.com/docs/using-atlas/assessment&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/82992bae-3a9b-11f1-9791-3efbe26b2662.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Presidio - Key Partner Acct</dc:creator>
      <pubDate>Fri, 17 Apr 2026 20:37:12 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6276/#v4.9.0</guid>
    </item>
    <item>
      <title>Veritas NetBackup Flex Splunk App - v1.2.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7441/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Veritas NetBackup Flex User Behavior Analytics App shows important events and analytics for Flex Appliance and NetBackup application instances. It assists security operation teams with detecting user based threats by identifying user activities on NetBackup and Flex appliances that are anomalous and risky.

Leverage Veritas and Splunk to provide insights on user behavior in the Veritas NetBackup data protection. With Splunk User Behavior Analytics (UBA), security operations can monitor NetBackup user activity logs to detect actions or patterns that indicate account compromise, malicious insiders, or privileged account abuse. With the continuous monitoring of user activity, organizations can improve security and reliability of disaster and cyber recovery.

It includes:
  • User Behavior Analytics (UBA) Focus: Highlighting risky user behaviors, enabling security teams to detect and respond to potential threats based on user activities and behaviors.
  • Noise Reduction from Non-critical Events: By filtering out non-critical syslog and application events, the plugin minimizes noise and focuses on actionable security alerts, enhancing operational efficiency.
  • Automated Monitoring and Response: Automates critical events monitoring and incident response, empowering security teams to identify and mitigate security threats swiftly and effectively.
  • Ease of Use: Security administrators are relieved from the burden of learning event writing or SIEM rule setup processes, as the plugin offers intuitive configuration options for seamless implementation.
  • Automated APIs Orchestrations: With automated APIs orchestrations, the plugin facilitates centralized security posture management, enabling seamless coordination and control over security operations.
  • Security Dashboard: Customized widgets facilitate:
       • Detection of user-based threats arising from stolen credentials, privilege account abuse, or insider threat activities
       • Swift assessment of the breach’s impact during cyber recovery incidents
       • Aid in understanding the effects on the data protection infrastructure&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/fdaf1b40-36fa-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rahul Rokade</dc:creator>
      <pubDate>Fri, 17 Apr 2026 18:46:33 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7441/#v1.2.0</guid>
    </item>
    <item>
      <title>Splunk App for SOAR Export - v4.5.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3411/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;=============&lt;br&gt;
Release Notes&lt;br&gt;
=============&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;See release notes at &lt;a href=&quot;https://help.splunk.com/en/splunk-soar/splunk-app-for-soar-export/4.5.1/introduction-and-overview/splunk-app-for-soar-export-release-notes&quot;&gt;https://help.splunk.com/en/splunk-soar/splunk-app-for-soar-export/4.5.1/introduction-and-overview/splunk-app-for-soar-export-release-notes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This is the official Splunk app that integrates Splunk Enterprise or Splunk Cloud with Splunk SOAR. This app, formerly known as the “Phantom App for Splunk,” is responsible for sending data from your Splunk Enterprise/Cloud instances to Splunk SOAR. Once that data is in Splunk SOAR, you can perform automated actions with over 350+ different security tools. 

Also included with this app is an integration with Splunk Enterprise Security, allowing you to send ES data to SOAR.

Splunk SOAR is a Security Automation and Orchestrated Response (SOAR) platform that integrates with your existing security tools in order to provide a layer of “connective tissue” between them. Splunk SOAR streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of products that you use every day.

Splunk SOAR doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger.

(Formerly known as Phantom App for Splunk)

Documentation: https://docs.splunk.com/Documentation/SOARExport/latest/UserGuide/Introduction&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/4780bfd8-31df-11f1-b5d9-72170e4042f6.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Fri, 17 Apr 2026 17:53:11 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3411/#v4.5.1</guid>
    </item>
    <item>
      <title>Rootly App for Splunk - v1.1.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7721/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Rootly App for Splunk — v1.1.3&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Non-admin Splunk users can now trigger the Rootly alert action without hitting a 403 error. The app now reads the integration URL from its config file on disk instead of requiring access to Splunk’s secure password store.&lt;/li&gt;
&lt;li&gt;Updating the integration URL no longer requires a Splunk restart — changes take effect on the next config reload.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Rootly Splunk App enables faster response times to service disruptions by leveraging the power of Splunk Alerts. Rootly and Splunk customers can:
- Start leveraging Splunk Alerts in Rootly with just one click.
- Tailor your incident response workflows across Rootly accounts and services using a single Splunk instance.
- Minimize information overload and alert noise by grouping and streamlining alerts.

With Rootly and Splunk working together, your organization can achieve faster, smarter, and more efficient incident resolution.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/98e83fea-3a72-11f1-aa45-e20d4a803e37.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Quentin Rousseau</dc:creator>
      <pubDate>Fri, 17 Apr 2026 15:35:18 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7721/#v1.1.3</guid>
    </item>
    <item>
      <title>Splunk Enterprise Security - v8.4.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/263/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;a href=&quot;https://help.splunk.com/en/splunk-enterprise-security-8/release-notes-and-resources/8.4/splunk-enterprise-security-release-notes/release-notes-for-splunk-enterprise-security&quot;&gt;https://help.splunk.com/en/splunk-enterprise-security-8/release-notes-and-resources/8.4/splunk-enterprise-security-release-notes/release-notes-for-splunk-enterprise-security&lt;/a&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Splunk Enterprise Security (ES) solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of organizations’ security postures with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises or hybrid deployment models. Splunk ES enables you to:

- Conquer alert fatigue with high-fidelity Risk-Based Alerting.
- Bring visibility across your hybrid environment with multicloud security monitoring.
- Conduct flexible investigations for effective threat hunting across security, IT and DevOps data sources.

Splunk ES is a premium security solution requiring a paid license.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/static/image/default_icon.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Fri, 17 Apr 2026 14:58:29 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/263/#v8.4.1</guid>
    </item>
    <item>
      <title>PingFederate App for Splunk - v2.1.2 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/976/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Qualification update.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Developed by Ping Identity, the PingFederate App for Splunk gathers and presents transaction metrics from PingFederate via a series of customized reports and graphical illustrations. The application enables identity and access management (IAM) administrators, architects, and security managers to easily obtain custom reporting for all PingFederate log data, view each authentication event per app and authentication source, and analyze that event data over time. The customized reports display key events across account management, Identity Provider, Service Provider and OAuth Authorization Server transactions.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/00edee84-39d1-11f1-8745-b214f80aa9b5.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ping Identity</dc:creator>
      <pubDate>Thu, 16 Apr 2026 20:18:50 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/976/#v2.1.2</guid>
    </item>
    <item>
      <title>Menlo Security Technology Add-on - v2.5.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6182/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Fixed a bug where multiple client events were getting merged into a single event.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This Technology Add-on enables customers to import logs from the Menlo Cloud Security Platform into the Splunk platform, thereby providing real-time visibility into security events.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/3d7c9f2a-3964-11f1-8745-b214f80aa9b5.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Menlo Security</dc:creator>
      <pubDate>Thu, 16 Apr 2026 07:41:06 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6182/#v2.5.2</guid>
    </item>
    <item>
      <title>Splunk ES Content Update - v5.25.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3449/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;GitHub - &lt;a href=&quot;https://github.com/splunk/security_content/releases/tag/v5.25.1&quot;&gt;https://github.com/splunk/security_content/releases/tag/v5.25.1&lt;/a&gt;&lt;br&gt;
Splunk Docs - &lt;a href=&quot;https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/release-notes/5.25/splunk-security-content-release-notes/whats-new&quot;&gt;https://help.splunk.com/en/splunk-enterprise-security-8/security-content-update/release-notes/5.25/splunk-security-content-release-notes/whats-new&lt;/a&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Splunk ES Content Update (ESCU) app delivers pre-packaged Security Content. ESCU provides regular Security Content updates to help security practitioners address ongoing time-sensitive threats, attack methods, and other security issues.

Security Content consists of tactics, techniques, and methodologies that help with detection, investigation, and response. Security Content enables security teams to directly operationalize detection searches, investigative searches, and other supporting details. ESCU can generate Notable/Risk Events in Splunk Enterprise Security. Security Content also contains easy-to-read background information and guidance, for key context on motivations and risks associated with attack techniques, as well as pragmatic advice on how to combat those techniques.

The analytic stories and their searches are also available at - https://github.com/splunk/security_content.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/c2c2d90e-38fd-11f1-90bf-ee5fde511842.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Wed, 15 Apr 2026 23:57:11 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3449/#v5.25.1</guid>
    </item>
    <item>
      <title>Conceal Splunk App - v0.12.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6920/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Conceal Splunk App provides saved searches, visualizations and configured Alerts for ConcealBrowse event data.

Please note, for CIM compliance, this app requires the Conceal TA Add-on --&amp;gt; https://splunkbase.splunk.com/app/6921&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/f2c0de48-3917-11f1-90bf-ee5fde511842.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ash Patel</dc:creator>
      <pubDate>Wed, 15 Apr 2026 22:13:52 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6920/#v0.12.0</guid>
    </item>
    <item>
      <title>Hydrolix Search - v1.4.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7540/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added full Splunk-side streaming support; partial results are now displayed in Splunk as the query continues running&lt;/li&gt;
&lt;li&gt;Enabled Hydrolix server-side streaming when connected to a Hydrolix version that supports it; has no effect on older versions&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;With Hydrolix Search for Splunk, you can connect Splunk to solutions that use Hydrolix&amp;#x27;s streaming data lake technology and partner solutions like TrafficPeak based on Hydrolix.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/d74c009a-390b-11f1-b597-a252f7aca7bd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk Hydrolix</dc:creator>
      <pubDate>Wed, 15 Apr 2026 20:52:53 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7540/#v1.4.0</guid>
    </item>
    <item>
      <title>PingAccess App for Splunk - v1.0.6 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/5368/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Qualification update.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Developed by Ping Identity, the PingAccess App for Splunk gathers and presents transaction metrics from PingAccess through a series of customized reports and graphical illustrations. The application enables identity and access management (IAM) administrators, architects, and security managers to easily obtain custom reporting for all PingAccess log data, view authorization events per app, engine, agent, and type, and analyze that event data over time. The customized reports display number of users seen, number of sessions, rule failures, most popular resources, geo-mapping of IP addresses, and other key events.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/97a54da4-3909-11f1-b4a7-7ef287786fbd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ping Identity</dc:creator>
      <pubDate>Wed, 15 Apr 2026 20:39:34 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5368/#v1.0.6</guid>
    </item>
    <item>
      <title>Whisper Security App for Splunk - v1.0.0 [New App Release] (Archived)</title>
      <link>https://splunkbase.splunk.com/app/8638/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;Whisper Security App for Splunk — v1.0.0&lt;/h1&gt;
&lt;p&gt;First stable release of &lt;strong&gt;TA-whisper-security&lt;/strong&gt;, the Splunk Technology Add-on for &lt;a href=&quot;https://whisper.security&quot;&gt;Whisper Security's&lt;/a&gt; Knowledge Graph API — multi-billion internet infrastructure nodes, tens of billions of relationships, and millions of threat intelligence data.&lt;/p&gt;
&lt;hr&gt;
&lt;h2&gt;Highlights&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Real-time IOC enrichment&lt;/strong&gt; via custom search commands and an adaptive response action&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enterprise Security integration&lt;/strong&gt; with threat intel feeds, risk scoring, CIM field mappings&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attack surface monitoring&lt;/strong&gt; with DNS baseline tracking, change detection, and multi-tenant support&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;12 pre-built dashboards&lt;/strong&gt; covering risk, compliance, geographic threats, and executive reporting&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;33 correlation searches&lt;/strong&gt; for infrastructure threat detection (all disabled by default)&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h2&gt;Features&lt;/h2&gt;
&lt;h3&gt;Search Commands (5)&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;Type&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;whisperlookup&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Streaming&lt;/td&gt;
&lt;td&gt;Enrich events with DNS, hosting, threat intel, and CNAME data from the Knowledge Graph&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;whisperquery&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Generating&lt;/td&gt;
&lt;td&gt;Run ad-hoc Cypher queries against the Knowledge Graph API&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;whisperschema&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Generating&lt;/td&gt;
&lt;td&gt;Retrieve graph schema metadata (node types, relationships, properties)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;whisperflush&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Generating&lt;/td&gt;
&lt;td&gt;Clear cached enrichment data from KV Store collections&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;whisperevict&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Generating&lt;/td&gt;
&lt;td&gt;Remove expired cache entries based on TTL&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Modular Inputs (5)&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Input&lt;/th&gt;
&lt;th&gt;Default Interval&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Threat Intelligence Feed&lt;/td&gt;
&lt;td&gt;6 hours&lt;/td&gt;
&lt;td&gt;Collects threat indicators for ES threat intel framework (up to 100K indicators)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Attack Surface Baseline&lt;/td&gt;
&lt;td&gt;24 hours&lt;/td&gt;
&lt;td&gt;DNS baseline collection for monitored domains&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Watchlist Enrichment&lt;/td&gt;
&lt;td&gt;4 hours&lt;/td&gt;
&lt;td&gt;Enriches watchlist indicators with graph context&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-Tenant Monitoring&lt;/td&gt;
&lt;td&gt;24 hours&lt;/td&gt;
&lt;td&gt;Multi-tenant domain monitoring (up to 10K domains)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;API Health Check&lt;/td&gt;
&lt;td&gt;5 minutes&lt;/td&gt;
&lt;td&gt;API connectivity and quota monitoring&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Dashboards (12)&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Risk Overview&lt;/strong&gt; — Aggregated risk scores and trending&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Executive Risk Summary&lt;/strong&gt; — High-level risk posture for leadership&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attack Surface Timeline&lt;/strong&gt; — Infrastructure change tracking over time&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Geographic Threats&lt;/strong&gt; — Threat visualization by geography&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MITRE ATT&amp;amp;CK Coverage&lt;/strong&gt; — Technique mapping and detection coverage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;WHOIS Intelligence&lt;/strong&gt; — Registrar and ownership analysis&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Web Link Trust&lt;/strong&gt; — Link reputation and trust scoring&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SPF Compliance&lt;/strong&gt; — Email authentication monitoring&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DNSSEC Compliance&lt;/strong&gt; — DNS security validation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Summary&lt;/strong&gt; — Consolidated compliance posture&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Health &amp;amp; Operations&lt;/strong&gt; — API health, quota usage, and connectivity status&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Enterprise Security Integration&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;2 threat intelligence collections&lt;/strong&gt; (IP and domain) compatible with ES threat intel framework&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;20+ CIM field aliases&lt;/strong&gt; mapping Whisper fields to Splunk Common Information Model&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risk framework integration&lt;/strong&gt; across all 33 correlation searches&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MITRE ATT&amp;amp;CK annotations&lt;/strong&gt; on every correlation search (T1583, T1584, T1568, T1599, T1071.004, and more)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;1 adaptive response action&lt;/strong&gt; — &quot;Enrich with Whisper&quot; for automated enrichment in alert workflows&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Correlation Searches (33)&lt;/h3&gt;
&lt;p&gt;All disabled by default. Categories:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;DNS &amp;amp; Domain Monitoring (10)&lt;/strong&gt; — Infrastructure changes, shadow IT, typosquatting, fast flux, CNAME chain analysis&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure &amp;amp; Hosting (7)&lt;/strong&gt; — Bulletproof ASN detection, shared hosting with threats, infrastructure pivoting&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;BGP &amp;amp; Network (3)&lt;/strong&gt; — Prefix conflicts, BGP hijack detection, ASN migration&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Registrar &amp;amp; WHOIS (3)&lt;/strong&gt; — Registrar changes, contact correlation, privacy proxy alerts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risk Assessment (3)&lt;/strong&gt; — Newly registered domain risk, TOR exit node communication, impossible travel&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;KV Store Population (3)&lt;/strong&gt; — Automated threat intel collection population&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Direct Intelligence (2)&lt;/strong&gt; — HOSTNAME threat properties, suspicious web link profiles&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cache Management (1)&lt;/strong&gt; — Automated cache eviction&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Data Model&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;9 source types&lt;/strong&gt; — &lt;code&gt;whisper:health&lt;/code&gt;, &lt;code&gt;whisper:attack_surface&lt;/code&gt;, &lt;code&gt;whisper:threat_intel&lt;/code&gt;, &lt;code&gt;whisper:watchlist&lt;/code&gt;, &lt;code&gt;whisper:change&lt;/code&gt;, &lt;code&gt;whisper:enrichment&lt;/code&gt;, &lt;code&gt;whisper:spf_compliance&lt;/code&gt;, &lt;code&gt;whisper:dnssec_compliance&lt;/code&gt;, &lt;code&gt;ta_whisper_security&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;8 KV Store collections&lt;/strong&gt; — Enrichment cache, precomputed enrichment, IP/domain threat intel, watchlist, DNS baseline&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Real-time IOC enrichment, threat intelligence, and attack surface monitoring powered by a multi-billion-node internet infrastructure knowledge graph. Adds ASN, geo, WHOIS, threat scores, and risk levels to any IP or domain in your Splunk environment.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Enrich Splunk events with real-time internet infrastructure intelligence from Whisper Security&amp;#x27;s Knowledge Graph — billions of nodes and tens of billions of edges mapping domains, IPs, ASNs, BGP routes, certificates, and WHOIS data across all countries.

What it solves: Security teams lack infrastructure context when triaging alerts. An IP fires an alert — but who owns it? What ASN? Is it on threat feeds? What else is hosted there? Answering these questions requires pivoting across 5+ tools. This add-on brings that context directly into Splunk.

Core capabilities:

Live enrichment — Pipe any IP or domain through | whisperlookup to instantly add ASN ownership, geolocation, threat scores, risk levels, WHOIS data, CNAME chains, and name server details
Graph queries — Run Cypher queries against the full knowledge graph from the Splunk search bar with | whisperquery
Threat intelligence — Automated feeds from 40+ sources populate ES-compatible KV Store collections with scored IP and domain indicators
Attack surface monitoring — Scheduled inputs track DNS, MX, NS, and WHOIS changes across your domain portfolio with risk-scored change detection
29 correlation searches — Pre-built detections for bulletproof ASN communication, fast-flux DNS, BGP hijacks, typo-squatting, TOR exit traffic, and more — all generating ES risk events
12 dashboards — Executive risk grades (A–F), compliance posture (SPF, DNSSEC, NIS2, NIST), geographic threat maps, WHOIS intelligence, and attack surface timelines

Built by internet infrastructure veterans from RIPE NCC and ICANN. Powered by 46 billion data points from 60+ sources with millisecond-level query response times.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/859a599e-33a3-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ehsan Aslani</dc:creator>
      <pubDate>Wed, 15 Apr 2026 17:11:47 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8638/#v1.0.0</guid>
    </item>
    <item>
      <title>Splunk Add-on for Microsoft Office 365 - v6.0.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4055/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Splunk Add-on for Microsoft Office 365 allows a Splunk software administrator to pull service status, service messages, and management activity logs from the Office 365 Management API. You can collect:

* Audit logs for Azure Active Directory, Sharepoint Online, and Exchange Online, supported by the Office 365 Management API. 
* Historical and current service status, and service messages for the corresponding Microsoft Office 365 Management API.
* Data Loss Prevention on Microsoft Office 365 Management API.

After the Splunk platform indexes the events, you can then directly analyze the data or use it as a contextual data feed to correlate with other data in the Splunk platform&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/db4c4dba-38db-11f1-a38c-9e0722112b50.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Wed, 15 Apr 2026 15:20:10 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4055/#v6.0.1</guid>
    </item>
    <item>
      <title>Sophos Central - v1.1.8 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/6186/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;# Sophos Central Data Ingestor
The official Sophos developed and supported application for Sophos Central

## Functionality
This app will allow you to select and ingest multiple Sophos Central data sources without the need of an accompanying script. It includes data from the endpoints below and conforms to the CIM 4.x data model.
* Central Endpoints API
* Central Alerts API
* Central SIEM Events API

## Requirements
Requires a Sophos API Service Principal account for authentication; see our getting started guide for details on API credential creation.
* Getting Started for Enterprise Customers: https://developer.sophos.com/getting-started-organization
* Getting Started for Partners: https://developer.sophos.com/getting-started
* Getting Started for Tenants: https://developer.sophos.com/getting-started-tenant
* Add-on Installation Guide: https://community.sophos.com/sophos-integrations/w/integrations/109/splunk-add-on-for-sophos-central
* Feedback and Support Forum: https://community.sophos.com/sophos-integrations/f/splunk-apps-for-central-and-sophos-firewall

Use the accompanying Sophos Dashboard App to get insightful dashboards across Central Data, XG data, or both if using both data sources: https://splunkbase.splunk.com/app/6188/&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6f876e9c-38a0-11f1-bfe4-7eec6d210fba.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sophos Integrations</dc:creator>
      <pubDate>Wed, 15 Apr 2026 14:18:54 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6186/#v1.1.8</guid>
    </item>
    <item>
      <title>TrackMe - v2.3.19 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4621/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;TrackMe 2.3.19 — Entity Labels, CMDB Integration, Variable Delay, Splunk Cloud AI &amp;amp; Support Diagnostics&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Entity Labels — lifecycle visibility at a glance&lt;/strong&gt;: Introducing a lightweight, color-coded labeling system for entities. Labels give teams instant visibility into the lifecycle stage and operational context of every tracked entity — directly in the entity tables, in stateful and notable alert events, and through Virtual Groups that can aggregate entities by label across tenants.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CMDB integration improvements&lt;/strong&gt;: Stateful and notable alert actions now automatically enrich events with CMDB data at alert time. A new simplified configuration screen replaces the complex UCC-based setup, and CMDB icons now appear correctly in Virtual Groups tables.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Entity Notes enhancements&lt;/strong&gt;: Notes are now visible as a first-class column in entity tables with a new clone-to-entities action for bulk operations.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Variable delay management improvements&lt;/strong&gt;: Timezone notice banners in all variable delay and threshold editors, plus fully customizable per-tenant slot templates.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Policy tracker scheduling&lt;/strong&gt;: SLA, Tags, and Priority policy trackers now default to a 12-hour cadence instead of every 15 minutes, cutting scheduled-search load for these jobs while policy content remains applied; cron remains adjustable per tenant if you need a faster refresh.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Support — generate diagnostics&lt;/strong&gt;: A self-service &lt;strong&gt;Support - generate diags&lt;/strong&gt; experience (nav under API &amp;amp; tooling and Audit &amp;amp; troubleshoot) lets admins produce a timestamped &lt;code&gt;.tgz&lt;/code&gt; for TrackMe support — entity-scoped or global, async job + polling + secure download, optional tenant anonymisation with a separate mapping for support, and RBAC via &lt;code&gt;trackmepoweroperations&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AI Assistant — realtime entity context&lt;/strong&gt;: Entity-level AI chat now loads the same decision-maker view as &lt;code&gt;/trackme/v2/describe/entity&lt;/code&gt; (via &lt;code&gt;load_component_data&lt;/code&gt;), so labels, scores, smart status, and other joined fields match the UI instead of a raw KV snapshot.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Splunk Cloud — splunk_hosted LLM (SLIM)&lt;/strong&gt;: The Splunk-hosted AI provider now sends the &lt;code&gt;request_id&lt;/code&gt; header required by the SLIM gateway on Splunk Cloud, resolving HTTP 400 &lt;code&gt;Request ID not present in header&lt;/code&gt; failures so model discovery, in-app AI Assistant chat, and AI status content in stateful alerts work again for customers using &lt;code&gt;splunk_hosted&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Various bug fixes and improvements&lt;/strong&gt;: SLA ranking corrections, REST handler hardening, Cribl use case updates, multiple Virtual Groups fixes, quieter routine logging from the &lt;code&gt;trackmestateful&lt;/code&gt; command, KV index transforms for unquoted keys, consistent status messaging when impact score is raised manually without anomalies, and ML outliers simulation with auto-correction disabled when training volume is below the native fit minimum.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;See: &lt;a href=&quot;https://docs.trackme-solutions.com/latest/releasenotes.html#version-2-3-19-build-1776258970-15-04-2026&quot;&gt;https://docs.trackme-solutions.com/latest/releasenotes.html#version-2-3-19-build-1776258970-15-04-2026&lt;/a&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;TrackMe for Splunk provides visibility and operational excellence to monitor at scale your Splunk data sources availability and quality, and many more.

With a rich set of features and a powerful workflow, TrackMe empowers you day after day to get the most from your Splunk investments and deliver the five stars quality of service your users deserve.

Discover TrackMe: https://trackme-solutions.com/discover

Documentation: https://docs.trackme-solutions.com

You can subscribe to our newsletter, and receive important communications from us.
We will send notifications, for instance when publishing new releases, so we can let you know the cool and powerful things we&amp;#x27;ve been working on!

https://trackme-solutions.com/subscribe/

TrackMe has transitioned to a new licensing model.
The Free Community Edition has been discontinued.

What this means for you:

- Existing licensed customers are not impacted. Your current license continues unchanged.
- Community users are automatically upgraded to a Foundation Edition trial for 90 days, with full functionality enabled.

After the trial period:

- TrackMe remains active and fully usable for monitoring
- The platform enters read-only mode

You can continue to view data, dashboards, alerts, and history
Creation of new tenants, trackers, or entities will be disabled

To continue using TrackMe with full capabilities after the trial, a Foundation license is required.

Buy Foundation Edition: https://trackme-solutions.com/get-foundation/

See all plans: https://trackme-solutions.com/pricing/&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/214a4d04-38d1-11f1-b304-0a40337cd8dc.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Trackme Limited</dc:creator>
      <pubDate>Wed, 15 Apr 2026 14:17:14 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4621/#v2.3.19</guid>
    </item>
    <item>
      <title>CTM360 App for Splunk - v1.2.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6577/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;UI enhancement to be compatible with the timestamp selection feature.&lt;/li&gt;
&lt;li&gt;Bug fixes.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The CTM360 App for Splunk allows subscribed users to import their asset inventory, issues, and incidents into Splunk®, and utilize this data to build reports, trigger alerts and identify vulnerabilities, exposures and misconfigurations against your assets. The CTM360 Splunk App and Add-on are designed to work together.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/b69fa70e-38d2-11f1-b3bf-be84cb4aad1f.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CTM360 Ltd</dc:creator>
      <pubDate>Wed, 15 Apr 2026 13:57:31 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6577/#v1.2.0</guid>
    </item>
    <item>
      <title>CTM360 Add-on for Splunk - v1.3.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6576/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added support for selecting preferred timestamp formats in CBS Feeds, HackerView Feeds, and ThreatCover Feeds inputs.&lt;/li&gt;
&lt;li&gt;Bug fixes&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The CTM360 Add-on for Splunk allows subscribed users to import their asset inventory, issues, and incidents into Splunk®, and utilize this data to build reports, trigger alerts and identify vulnerabilities, exposures and misconfigurations against your assets. The CTM360 Splunk App and Add-on are designed to work together.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/df739934-38d1-11f1-9ab5-66a571ea5a24.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CTM360 Ltd</dc:creator>
      <pubDate>Wed, 15 Apr 2026 13:54:17 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6576/#v1.3.0</guid>
    </item>
    <item>
      <title>SpoofSentry Add-on for Splunk - v1.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8640/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Initial release of SpoofSentry Add-on for Splunk.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;3 sourcetypes: spoofsentry:alert, spoofsentry:cef, riskreply:event&lt;/li&gt;
&lt;li&gt;JSON field extraction with normalized field aliases&lt;/li&gt;
&lt;li&gt;CEF (Common Event Format) parsing&lt;/li&gt;
&lt;li&gt;CIM data model tagging (Alerts, Email, Intrusion Detection, Change, Web)&lt;/li&gt;
&lt;li&gt;8 pre-built saved searches (threats, DMARC pass rates, spoofing campaigns, lookalikes, takedowns, enforcement)&lt;/li&gt;
&lt;li&gt;1 pre-built alert for critical threat detection&lt;/li&gt;
&lt;li&gt;Severity and event type lookup tables&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Ingest DMARC monitoring, spoofing detection, lookalike domain threats, and takedown events from SpoofSentry with CIM-mapped sourcetypes, pre-built searches, and alerting.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;SpoofSentry Add-on for Splunk ingests and normalizes domain security events from the SpoofSentry DMARC monitoring and domain protection platform. Events are delivered via Splunk HEC and include DMARC authentication failures, spoofing campaign detections, lookalike domain threats, DNS enforcement changes, and automated takedown orchestration lifecycle events.

This add-on provides:
- Sourcetype definitions for spoofsentry:alert, spoofsentry:cef, and riskreply:event
- Automatic JSON field extraction with normalized field aliases (severity, event_type, domain, tenant_id)
- CEF (Common Event Format) parsing for legacy SIEM workflows
- CIM data model compatibility (Alerts, Email, Intrusion Detection, Change, Web)
- 8 pre-built saved searches covering critical threats, DMARC pass rates, spoofing campaigns, lookalike domains, takedown activity, and enforcement changes
- 1 pre-built alert for critical threat detection (disabled by default, configurable suppression)
- Lookup tables for severity mapping and event type categorization

SpoofSentry detects email spoofing, monitors DMARC enforcement, identifies lookalike domains, and orchestrates automated takedowns across Google Web Risk, Netcraft, URLhaus, and registrar abuse channels. This add-on brings those security events into Splunk for centralized analysis, correlation with other security data, and SOC workflow integration.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/static/image/default_icon.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Team Netallion</dc:creator>
      <pubDate>Wed, 15 Apr 2026 12:50:58 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8640/#v1.0.0</guid>
    </item>
    <item>
      <title>DASH Lite - Styled App Builder - v1.0.4 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8654/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;(Free preview of DASH) Design CSS themes for Splunk dashboards with live preview. Includes Cybersecurity use case with 2 dashboards. Upgrade at mb2analytics.com for 3 use cases, 15 dashboards, app export, and Gallery.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/7f2c1f52-3817-11f1-9c5d-d2742ccea48c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matheus Silva</dc:creator>
      <pubDate>Wed, 15 Apr 2026 12:47:12 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8654/#v1.0.4</guid>
    </item>
    <item>
      <title>CrowdStrike Falcon Spotlight Vulnerability Data - v3.5.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6167/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h2&gt;New Features&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Added Splunk CIM Vulnerabilities data model mapping with field aliases, calculated fields, eventtypes, and tags&lt;/li&gt;
&lt;li&gt;Added option to remove the pagination metadata field from events to reduce storage costs&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Bug Fixes&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Fixed props.conf timestamp extraction for events with fractional seconds, resolving incorrect event time assignment&lt;/li&gt;
&lt;li&gt;Fixed saved search date format that displayed day-month instead of month-day&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Improvements&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Strengthened authentication handling with network failure detection, OAuth2 error diagnostics, and mid-collection token expiry recovery&lt;/li&gt;
&lt;li&gt;Improved API resilience with exponential backoff, jitter-based retry desynchronization, and expanded retry coverage for transient server and network errors&lt;/li&gt;
&lt;li&gt;Hardened checkpoint integrity with save retries, microsecond precision, and fail-stop behavior to prevent duplicate ingestion&lt;/li&gt;
&lt;li&gt;Added API request timeouts to prevent indefinite hangs during network interruptions or unresponsive API endpoints&lt;/li&gt;
&lt;li&gt;Added pagination safety cap to prevent runaway collection loops&lt;/li&gt;
&lt;li&gt;Enhanced logging with SDK version, redacted proxy URLs, rate limit headers, FQL filters, and checkpoint state transitions for faster troubleshooting&lt;/li&gt;
&lt;li&gt;Updated FalconPy SDK to v1.6.0&lt;/li&gt;
&lt;li&gt;Updated dashboard queries and props.conf settings to align with current platform standards&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This add-on enables CrowdStrike customers to retrieve vulnerability data from their Falcon Spotlight module. In addition to the basic vulnerability data, the inputs can be configured to also retrieve additional details about the CVEs, remediations and hosts with the observed vulnerability.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6b86d312-32da-11f1-b1cb-2227b8778c14.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CrowdStrike</dc:creator>
      <pubDate>Wed, 15 Apr 2026 12:41:30 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6167/#v3.5.0</guid>
    </item>
    <item>
      <title>aitriage - v1.2.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8651/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Version 1.2.1&lt;/p&gt;
&lt;p&gt;Initial public release of TA_triage for Splunk.&lt;/p&gt;
&lt;p&gt;What’s included:&lt;br&gt;
- Custom search command: | triage&lt;br&gt;
- Support for model=claude&lt;br&gt;
- Support for model=ollama with configurable ollama_url and ollama_model&lt;br&gt;
- File-based caching with cache, cache_ttl, and cache_key_fields&lt;br&gt;
- Context-aware triage using context_fields&lt;br&gt;
- MITRE mapping, severity scoring, IOC extraction, action recommendations, and false-positive assessment&lt;br&gt;
- Basic dashboard and navigation files&lt;br&gt;
- Clean packaging for Splunkbase upload&lt;/p&gt;
&lt;p&gt;Example searches:&lt;br&gt;
index=edr sourcetype=crowdstrike:&lt;em&gt;Detection&lt;/em&gt; | triage model=claude context_fields=&quot;UserName,CommandLine,Technique&quot;&lt;br&gt;
index=edr sourcetype=crowdstrike:&lt;em&gt;Detection&lt;/em&gt; | triage model=ollama ollama_url=&quot;&lt;a href=&quot;http://localhost:11434&quot;&gt;http://localhost:11434&lt;/a&gt;&quot; ollama_model=&quot;mistral&quot;&lt;br&gt;
index=edr sourcetype=crowdstrike:&lt;em&gt;Detection&lt;/em&gt; | triage model=claude cache=true cache_ttl=3600 cache_key_fields=&quot;alert_name,src_ip&quot;&lt;/p&gt;
&lt;p&gt;Notes:&lt;br&gt;
- Claude usage requires valid API connectivity and credentials in the Splunk environment.&lt;br&gt;
- Ollama usage requires a reachable local or remote Ollama endpoint.&lt;br&gt;
- If an external model is unavailable, the command falls back to local heuristic triage output.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;You send each Splunk event to the LLM and receive the following in return:

→ MITRE ATT&amp;amp;CK technical mapping (like T1059.001)
→ 1-10 severity score + label
→ 2-3 sentence AI analysis
→ Specific action recommendation to the SOC analyst
→ False positive probability + justification
→ Kill chain phase
→ Automatic IOC inference&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/static/image/default_icon.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kadri Kocaer</dc:creator>
      <pubDate>Wed, 15 Apr 2026 12:41:14 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8651/#v1.2.0</guid>
    </item>
    <item>
      <title>Red Hat Event Driven Ansible Add-on For Splunk - v1.0.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7868/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Add Splunk Enterprise 10.2 compatibility&lt;/li&gt;
&lt;li&gt;Add Python 3.13 compatibility&lt;/li&gt;
&lt;li&gt;Work with Python 3.13 or System's Python3&lt;/li&gt;
&lt;li&gt;splunkenv.get_splunkd_access_info() call in newer versions of solnlib requires a session_key parameter&lt;/li&gt;
&lt;li&gt;set anyio to a version that still supports Python 3.9. The last such version is anyio&amp;lt;4.7 (anyio 4.6.x was the last to support 3.9).&lt;/li&gt;
&lt;li&gt;set app.conf and globalConfig.json with python.version and supportedPythonVersion&quot;: [&quot;python3&quot;, &quot;python3.13&quot;]&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Enhance your Splunk instance by connecting it to the power of Ansible automation. 
This add-on provides a custom alert action that sends critical events from Splunk directly to the Red Hat Ansible Automation Platform.

With this integration, you can automatically trigger Ansible rulebooks and playbooks in response to security threats or operational issues.

Requirements:
- The Red Hat Event-Driven Ansible Add-on for Splunk (this app)
- Ansible Automation Platform with an active Event-Driven Ansible Controller to receive events and launch automations.

Use Cases:
1. Custom Alert Action triggered by a saved search in Splunk Core and Splunk Enterprise Security (ES).
2. Episode Action called in the Episode Review page of Splunk IT Service Intelligence (ITSI)&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/440a2b30-38c1-11f1-b4ec-ae2581bdd3fa.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Red Hat</dc:creator>
      <pubDate>Wed, 15 Apr 2026 12:07:01 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7868/#v1.0.2</guid>
    </item>
    <item>
      <title>AlphaSOC for Splunk - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7911/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;This release adds an &lt;code&gt;| alphasoc&lt;/code&gt; search command for querying raw OCSF telemetry from AlphaSOC’s data lake, making it easier to retrieve and search data directly in Splunk to investigate security issues.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Security teams use this app to render OCSF security findings generated by the AlphaSOC Analytics Engine across different layers (cloud infrastructure, SaaS applications, identity providers, and endpoint telemetry). Use AlphaSOC for Splunk to instantly uncover network exfiltration and C2 traffic patterns, infected Windows, Linux, and macOS endpoints, compromised cloud workloads, and identities.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/afce8e26-38ab-11f1-8700-66a708e05915.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AlphaSOC, Inc.</dc:creator>
      <pubDate>Wed, 15 Apr 2026 09:43:06 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7911/#v1.1.0</guid>
    </item>
    <item>
      <title>EAT - Environment Assessment Tool - v1.0.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8606/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Fix: resolved Splunk Cloud Victoria i18n_register injection breaking JS execution.&lt;/p&gt;
&lt;p&gt;JS is now delivered via Blob URL to prevent Splunk Cloud from prepending&lt;/p&gt;
&lt;p&gt;incompatible runtime code to the script.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;A structured health and security assessment framework for Splunk architects and administrators. Covers 55+ checks across infrastructure, ES/SIEM, CIM compliance, and MITRE ATT&amp;amp;CK coverage. Environment-aware for Commercial, NIPR, SIPR, and JWICS deployments. Fully offline, no dependencies, no network calls, air-gap safe.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;EAT (Environment Assessment Tool) is a comprehensive, offline-capable Splunk health and security assessment framework built for Splunk architects, administrators, and security engineers.
The tool walks you through 55+ checks covering every layer of a Splunk environment: cluster health, forwarder coverage, index and storage configuration, ingestion pipeline integrity, data quality, search workload, authentication controls, TLS and certificate posture, Splunk ES and SIEM effectiveness, CIM data model compliance, and MITRE ATT&amp;amp;CK detection coverage.

Each check provides the exact SPL query or CLI command to run, specific pass/fail criteria, remediation steps, and a field to record your findings inline.
Select your network environment at launch: Commercial, NIPR, SIPR, or JWICS, and the tool filters to only the checks that apply. DoD and classified environments get additional controls around FIPS 140-2, CAC/PKI authentication, offline licensing, telemetry enforcement, and index classification. Each check is tagged Required or Recommended based on the selected environment.
Assessments are scored on a weighted A through F scale with per-section breakdowns. A MITRE ATT&amp;amp;CK view shows tactic-level detection coverage across your visible checks. Load a previously saved assessment to compare against a current run and track what improved or regressed between assessments.
Results export as a plain-text findings report or print directly to PDF. Progress saves as a JSON file at any point and reloads seamlessly, useful for multi-day assessments or handing off between team members.
The tool runs entirely in the browser with no external dependencies, no network calls, and no installation required. It works on air-gapped and classified networks out of the box.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/0b7c0d54-3896-11f1-a69d-9ac6cd123f84.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Segun Bolufemi</dc:creator>
      <pubDate>Wed, 15 Apr 2026 06:48:58 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8606/#v1.0.3</guid>
    </item>
    <item>
      <title>Splunk Cisco App Navigator (SCAN) - v1.0.25 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8566/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h2&gt;Version 1.0.25&lt;/h2&gt;
&lt;h3&gt;Product Catalog&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;50+ Cisco product cards across Security, Networking, Observability, and Collaboration&lt;/li&gt;
&lt;li&gt;Keyword search across 725+ terms with live result counter&lt;/li&gt;
&lt;li&gt;Filtering by category, 19 subcategories, platform compatibility, Splunk version, and powering add-on&lt;/li&gt;
&lt;li&gt;Product cards display required add-ons, sourcetype counts, integration badges, and direct Splunkbase links&lt;/li&gt;
&lt;li&gt;Tooltips with full product description, value proposition, and integration details&lt;/li&gt;
&lt;li&gt;One-click copy of customer-ready product summaries to clipboard&lt;/li&gt;
&lt;li&gt;Contextual &quot;Explore&quot; dropdown for add-on-only products (Explore Data in Search, Create Dashboard)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Intelligence Badges&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SecOps&lt;/strong&gt; — Products with Splunk Enterprise Security or Security Essentials content&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ITOps&lt;/strong&gt; — Products with ITSI Content Packs or IT Essentials Learn procedures&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SOAR&lt;/strong&gt; — Products with Splunk SOAR connectors&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alert Actions&lt;/strong&gt; — Products with companion alert action add-ons&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SC4S&lt;/strong&gt; — Products with Splunk Connect for Syslog support&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NetFlow&lt;/strong&gt; — Products with NetFlow/IPFIX collection guidance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Update Available&lt;/strong&gt; — Detects newer versions on Splunkbase for installed add-ons&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data Flowing&lt;/strong&gt; — Live 24-hour event count per product's sourcetypes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Legacy Apps Detected&lt;/strong&gt; — Flags deprecated or superseded add-ons&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Integration Guidance Modals&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SC4S&lt;/strong&gt; — Supported sourcetypes, configuration references, and product-specific context&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;NetFlow / IPFIX&lt;/strong&gt; — Protocol comparison, required apps, and best practices&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enterprise Security&lt;/strong&gt; — Required add-ons, CIM mapping details, and deployment notes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SOAR&lt;/strong&gt; — Connector inventory with Splunkbase links&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ITSI&lt;/strong&gt; — Service monitoring configuration and KPI recommendations&lt;/li&gt;
&lt;li&gt;Full-content copy button in every modal for sharing&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Magic Eight Audit&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Per-product &lt;code&gt;props.conf&lt;/code&gt; deep inspection across 8 critical settings: &lt;code&gt;TIME_FORMAT&lt;/code&gt;, &lt;code&gt;TIME_PREFIX&lt;/code&gt;, &lt;code&gt;SHOULD_LINEMERGE&lt;/code&gt;, &lt;code&gt;LINE_BREAKER&lt;/code&gt;, &lt;code&gt;TRUNCATE&lt;/code&gt;, &lt;code&gt;MAX_TIMESTAMP_LOOKAHEAD&lt;/code&gt;, &lt;code&gt;ANNOTATE_PUNCT&lt;/code&gt;, &lt;code&gt;LEARN_SOURCETYPE&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Indexer tier detection validates add-on deployment across search heads and indexers&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Splunkbase Intelligence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Synced lookup of all Cisco-related Splunkbase apps with version, compatibility, CIM compliance, and AppInspect results&lt;/li&gt;
&lt;li&gt;Sync Catalog button pulls latest Splunkbase metadata&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Reports&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Ecosystem Overview&lt;/strong&gt; — Summary statistics and full product inventory&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Catalog Analysis&lt;/strong&gt; — Products by category, add-on family, sourcetype coverage, and data quality audit&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Installation &amp;amp; Deployment&lt;/strong&gt; — Installed vs. catalog comparison, deployment readiness, and platform compatibility&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Splunkbase Intelligence&lt;/strong&gt; — Ecosystem overview, category breakdown, support distribution, and detailed app listings&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Versions &amp;amp; Compliance&lt;/strong&gt; — Release history, version tracker, CIM compatibility, and AppInspect validation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data Coverage&lt;/strong&gt; — Sourcetype cross-reference and coverage matrix&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Health &amp;amp; Troubleshooting&lt;/strong&gt; — Magic Eight Audit and environment health summary&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Support&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Give Feedback&lt;/strong&gt; button links directly to GitHub Issues for bug reports and feature requests&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Platform Support&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Splunk Enterprise 9.x or later&lt;/li&gt;
&lt;li&gt;Splunk Cloud&lt;/li&gt;
&lt;li&gt;Light and dark theme support with three-state toggle (Light / Dark / Auto)&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Unified product catalog and integration guide for 50+ Cisco products in Splunk — find the right add-ons, check compatibility, and streamline deployment across Enterprise and Cloud.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Splunk Cisco App Navigator (SCAN) is the front door to the Cisco–Splunk ecosystem. It provides a unified product catalog of 50+ Cisco products with interactive cards that show which Splunk add-ons, apps, and integrations are available for each product — along with platform compatibility, sourcetype coverage, deployment guidance, and direct links to Splunkbase and documentation.

SCAN solves a persistent problem for Splunk administrators and Cisco engineers: figuring out which Cisco add-ons to install, whether they are compatible with your Splunk version and platform (Enterprise or Cloud), and how they all fit together. Instead of searching Splunkbase and cross-referencing documentation manually, SCAN puts everything in one place.

Key capabilities:

- Product Catalog — Browse 50+ Cisco products organized by category (Security, Networking, Observability, Collaboration). Each product card shows required add-ons, supported sourcetypes, SC4S support, and links to documentation.
- Splunkbase Intelligence — A synced catalog of all Cisco-related Splunkbase apps with version history, compatibility matrices, CIM compliance, and AppInspect results.
- Installation Health — Compare what&amp;#x27;s installed in your environment against the product catalog and Splunkbase to find outdated apps, missing add-ons, and deployment gaps.
- Magic Eight Audit — Deep inspection of props.conf settings for any installed Cisco sourcetype, validating TIME_FORMAT, SHOULD_LINEMERGE, LINE_BREAKER, and other critical parsing settings against best practices.
- Integration Guidance — Detailed modals for SC4S, NetFlow/IPFIX, Splunk Enterprise Security, SOAR, and ITSI showing exactly which add-ons are needed, how to configure them, and common pitfalls.
- Customer-Ready Summaries — One-click copy of product details formatted for sharing with customers, including required apps, Splunkbase links, and recommendations.
- Pre-built Reports — Ecosystem overviews, gap analysis, compatibility reports, and more.
- Light and Dark Mode — Full support for both Splunk Enterprise themes.

SCAN is designed for Splunk administrators, Cisco sales engineers, partner teams, and anyone who needs to navigate the Cisco–Splunk integration landscape quickly and confidently.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6d13c15c-379b-11f1-9f2b-a6fcbd07a4ca.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Amir (AK) Khamis</dc:creator>
      <pubDate>Tue, 14 Apr 2026 13:33:03 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8566/#v1.0.25</guid>
    </item>
    <item>
      <title>Cisco Secure Access App for Splunk - v1.0.55 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/5558/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ol&gt;
&lt;li&gt;Added a Secure Access Alert Management Dashboard&lt;/li&gt;
&lt;li&gt;Updates to the DLP dashboard&lt;/li&gt;
&lt;li&gt;Bug fixes&lt;/li&gt;
&lt;/ol&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Cisco Secure Access App for Splunk integrates cloud security data with event data from Splunk to drive improved network visibility, faster threat detection, and mitigation response.

This App:
1. Provides visualizations using Cloud Security APIs (Secure Access and Umbrella).
2. Gives SOCs/Threat Hunting teams the ability to learn more about destinations using the Investigate API.
3. Enables SOCs to block destinations using APIs.
4. Provides visibility into Applications used (API).
5. Lets teams manage Cloudlock CASB incidents.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/0be92a18-3190-11f1-b5d9-72170e4042f6.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Cisco Systems, Inc.</dc:creator>
      <pubDate>Tue, 14 Apr 2026 09:44:15 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5558/#v1.0.55</guid>
    </item>
    <item>
      <title>Cisco Secure Access Add-on for Splunk - v1.0.50 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/7569/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ol&gt;
&lt;li&gt;Added Secure Access Security Events and Alerts (push)&lt;/li&gt;
&lt;li&gt;Reduced Latency for DNS and FW Events (from S3)&lt;/li&gt;
&lt;li&gt;Added NTG (Network Connectivity Logs) Event Type Support&lt;/li&gt;
&lt;li&gt;A number of bug fixes&lt;/li&gt;
&lt;/ol&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Cisco Secure Access Add-on for Splunk gives you the ability to get your Cisco Secure Access or Cisco Umbrella logs into Splunk.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/2d4b67ae-318e-11f1-ad5e-56c15eb0d18d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Cisco Systems, Inc.</dc:creator>
      <pubDate>Tue, 14 Apr 2026 09:43:35 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7569/#v1.0.50</guid>
    </item>
    <item>
      <title>Operant AI Add-on - v0.1.0 [New App Release] (Archived)</title>
      <link>https://splunkbase.splunk.com/app/8585/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;The first version&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Visualization-focused TA provides a way to analyze Operant&amp;#x27;s detections.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Operant AI Add-on delivers a compact Splunk Technology Add-on (TA) that ships ready-to-use dashboards for visualizing Operant detection telemetry. It gives security and operations teams immediate visibility into detection volume and distribution — no custom searches or dashboard development required. It assumes Operant event data is already indexed in Splunk thanks to the third-party integration.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/ab7c5920-26f9-11f1-8ab2-8e1c694f89e1.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sebastian Zumbado</dc:creator>
      <pubDate>Mon, 13 Apr 2026 21:02:30 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8585/#v0.1.0</guid>
    </item>
    <item>
      <title>SMTP - v3.3.4 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5847/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Adding should_sanitize_template parameter to allow disabling template sanitization if the template is benign&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app provides the ability to send email using SMTP&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/71047b40-3768-11f1-8b4d-1a2fb2591e15.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 13 Apr 2026 18:41:54 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5847/#v3.3.4</guid>
    </item>
    <item>
      <title>Microsoft 365 App for Splunk - v3.3.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3786/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Microsoft 365 App for Splunk provides dashboards for Microsoft 365 data retrieved using the following Add-ons:
Splunk Add-on for Microsoft Office 365 - https://splunkbase.splunk.com/app/4055/
Splunk Add-on for Microsoft Security - https://splunkbase.splunk.com/app/6207/
Microsoft 365 Reporting Add-on for Splunk - https://splunkbase.splunk.com/app/3720/
Microsoft Teams Add-on for Splunk - https://splunkbase.splunk.com/app/4994/

Dashboards: 
- Azure Active Directory
- Defender 365
- Defender for Endpoint
- User Audit dashboard
- Exchange
- SharePoint
- OneDrive
- Microsoft Teams
- Power BI
- Full step-by-step data onboarding guide

It is anticipated that future versions may include additional dashboards and data from other Microsoft 365 services.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/50efe0d6-3765-11f1-9f2b-a6fcbd07a4ca.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk Works</dc:creator>
      <pubDate>Mon, 13 Apr 2026 18:27:15 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3786/#v3.3.2</guid>
    </item>
    <item>
      <title>MITRE ATLAS AI Threat Detection for Splunk - v1.0.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8527/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;v1.0.1 — Bug Fixes and Package Cleanup&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Renamed all 10 saved search stanzas to the ATLAS_DETECT_T* naming convention to prevent namespace collisions when installed alongside a future app that will be released shortly.&lt;/li&gt;
&lt;li&gt;Direct Prompt Injection rule (AML.T0051.000) now uses the bundled atlas_injection_keywords.csv lookup for tunable detection alongside inline pattern matching&lt;/li&gt;
&lt;li&gt;Fixed app.conf packaging flag&lt;/li&gt;
&lt;li&gt;Populated app.manifest with correct category, license (Apache 2.0), author, and deployment metadata&lt;/li&gt;
&lt;li&gt;Added Apache 2.0 LICENSE file to package&lt;/li&gt;
&lt;li&gt;Updated README with TA note for dual-install environments and link to all GIC apps on Splunkbase&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;10 free MITRE ATLAS detection rules for AI/LLM threats. Guided setup with auto-discovery and platform-specific configuration for 12 LLM providers. Detects prompt injection, jailbreak, exfiltration, training data poisoning, model reconnaissance, and more.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;MITRE ATLAS is the adversarial threat matrix for AI/ML systems — the AI equivalent of MITRE ATT&amp;amp;CK. As organizations deploy LLMs, RAG pipelines, and ML APIs into production, they create an attack surface that most Splunk deployments have zero detection coverage for.

This app provides 10 detection rules for AI and LLM threats, mapped to specific MITRE ATLAS technique IDs. Each rule is a Splunk saved search that monitors your AI/LLM logs for known attack patterns including prompt injection, jailbreak attempts, data exfiltration via inference APIs, training data poisoning, model reconnaissance, and AI abuse.

The app includes a guided Setup dashboard that auto-discovers AI/LLM data in your environment, validates required fields, and shows which rules your data supports. A Configuration Guide provides platform-specific instructions for 12 LLM providers including LiteLLM, Azure OpenAI, AWS Bedrock, OpenAI, GCP Vertex AI, Kong AI Gateway, Portkey, Helicone, Cloudflare AI Gateway, Anthropic, self-hosted models (Ollama, vLLM, TGI), and custom API gateways.

Rules are organized into two tiers:

Tier 1 (Operational) — works with standard telemetry: token counts, API call volumes, storage access logs. Available from most platforms with default logging.

Tier 2 (Content Inspection) — requires actual prompt/response text in log events. Requires explicit opt-in on all major platforms. The Configuration Guide explains how to enable this for each provider.

Detection Coverage:
- AML.T0051.000 Direct Prompt Injection (Tier 2)
- AML.T0051.001 Indirect Prompt Injection via Retrieved Content (Tier 2)
- AML.T0054 LLM Jailbreak (Tier 2)
- AML.T0024 Exfiltration via ML Inference API (Tier 1)
- AML.T0020 Training Data Poisoning (Tier 1)
- AML.T0047 AI-Enabled Bulk Content Generation (Tier 1)
- AML.T0048 External Harms Safety Flag (Tier 1)
- AML.T0012 Valid Account Abuse on AI Platform (Tier 1)
- AML.T0014 AI Model Reconnaissance (Tier 2)
- AML.T0007 AI Artifact Discovery (Tier 1)

All rules ship disabled by default. No Python scripts, no external dependencies — pure SPL and CSV lookups. Detection results are written to the summary index for fast dashboard rendering.

Built by a Splunk Enterprise Architect with 10+ years of hands-on experience. This app is a standalone community release from GIC Engineering Consultants.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/static/image/default_icon.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Marcus House</dc:creator>
      <pubDate>Mon, 13 Apr 2026 18:17:15 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8527/#v1.0.1</guid>
    </item>
    <item>
      <title>Trend Vision One for Splunk SOAR - v3.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6569/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;TrendAI logo/description rebranding.&lt;/li&gt;
&lt;li&gt;Python version update.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;TrendAI Vision One™ is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—TrendAI Vision One™ prevents the majority of attacks with automated protection&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/7b9bf838-3756-11f1-8030-dedb79f4fe8c.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">SOAR Community</dc:creator>
      <pubDate>Mon, 13 Apr 2026 16:33:21 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6569/#v3.1.0</guid>
    </item>
    <item>
      <title>Flashpoint Splunk App - v2.4.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4784/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Enhanced the Matching Configurations tab to support multiple IOC types, each with its own configuration.&lt;/li&gt;
&lt;li&gt;Introduced a new workflow action for on-demand Alert investigation to retrieve and view Alert details dynamically.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Leveraging Flashpoint’s technical data and intelligence reports provides Splunk users with visibility into illicit online communities in order to correlate information related to their infrastructure, therefore, gaining insights in a timely manner and leveraging connections to prioritize their response. The Flashpoint Splunk App and Add-on enables Flashpoint data to be seamlessly integrated into customers’ Splunk instances in order to automatically alert customers when a match has been made between indicators from internal log data and Flashpoint intelligence. 

Integrated Flashpoint Datasets:

Technical Indicators: Gives users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

Finished Intelligence:  Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.

Flashpoint CVEs Dataset: Access to the latest CVEs within the Flashpoint collection, including access to MITRE and NVD data, as well as CVEs discussed by threat actors as observed by Flashpoint Intelligence Analysts.

Key Features: 

- Captures, indexes, and correlates in real time Flashpoint technical data within Splunk’s searchable repository 
- Enables users to generate reports and visualizations, including graphs, alerts, and dashboards 
- Collect integrated data using Flashpoint’s REST-based API 
- Includes IOCs such as hashes, URLs, domains, as well as details related to malware families, mapping to the MITRE ATT&amp;amp;CK framework 
- Access Pre-Built Dashboards with associated Flashpoint data
- View new CVEs and see which products they affect, see which CVEs are being discussed by malicious actors and see which CVEs have active exploits

About Flashpoint
Flashpoint delivers converged intelligence and risk solutions to private and public sector organizations worldwide. As the global leader in Business Risk Intelligence (BRI), Flashpoint provides meaningful intelligence to assist organizations in combating threats and adversaries. Through sophisticated technology, advanced data collections, and human-powered analysis, Flashpoint is the only intelligence firm that can help multiple teams across an organization bolster cybersecurity, confront fraud, detect insider threats, enhance corporate and physical security, improve executive protection, address third-party risk, and support due diligence efforts. 
For more information, visit https://www.flashpoint-intel.com/ or follow us on Twitter at @FlashpointIntel.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/e9667540-3739-11f1-9f2b-a6fcbd07a4ca.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt Howell</dc:creator>
      <pubDate>Mon, 13 Apr 2026 13:12:07 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4784/#v2.4.0</guid>
    </item>
    <item>
      <title>Splunk Connect for Zoom - v1.2.4 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4961/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Splunk Connect for Zoom seamlessly integrates your Zoom deployment data into your Splunk platform deployment. Using this integration, you can accept incoming webhooks from Zoom in order to collect a variety of data pertaining to numerous events, such as meetings, and participants. This information can be used to start gathering insights and business centric value instantly. Splunk Connect for Zoom provides a holistic end-to-end solution when used with the Splunk App for Zoom or the Remote Work Insights (RWI) - Executive Dashboard.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/0136c682-72cf-11f0-be6a-4afbe97fbb05.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 13 Apr 2026 10:59:54 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4961/#v1.2.4</guid>
    </item>
    <item>
      <title>Contrast Security ADR for Splunk - v1.2.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7734/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Minor update:
* Added Splunk 10 compatibility
* Added sc_admin role to write permissions for Splunk Cloud&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Contrast Security Application Detection &amp;amp; Response (ADR) for Splunk allows you to secure running applications like never before. Contrast Security ADR for Splunk provides timely actionable attack exploit events across the entire application portfolio. Contrast Security instrumented applications self-report the following about an attack – the attacker’s IP address, authenticated username, method of attack, which applications, servers, frequency, volume, level of compromise, and more. In addition, Contrast Security can block these attacks in real time while also providing specific guidance to engineering teams on where applications were attacked and how threats can be remediated. Finally, Contrast Security&amp;#x27;s Log Enhancement capability extends this visibility into the inner workings of application and user behavior. Log Enhancers enable users to log anything in an application.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/06183908-3721-11f1-b7ab-86d75ea99f5d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thibault Barillon</dc:creator>
      <pubDate>Mon, 13 Apr 2026 10:57:48 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7734/#v1.2.3</guid>
    </item>
    <item>
      <title>SpyCloud Investigations App for Splunk - v1.0.2 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/6857/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ol&gt;
&lt;li&gt;Cluster-wide Credential Validation&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Added validation logic to ensure INV API credentials are present and consistent across all Search Head Cluster members, which prevents inconsistent behavior caused by partial or missing credential configurations.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Redirect Handling&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Users are now automatically redirected to the setup/configuration page when required credentials are not detected.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Alerting for Missing Credentials&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Introduced alerting mechanism when INV API credentials are absent.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;SpyCloud Investigations App for Splunk enables users to explore criminal activity through the lens of recaptured data and provides access to SpyCloud’s repository of billions of recaptured darknet assets from within your Splunk environment to assist with cybercrime and fraud investigations. 

The SpyCloud Investigations App enables Splunk users to uncover the true identities of specific criminals, profile criminal targets, determine the origin of data used in credential stuffing attacks and identify the exposure of public applications to botnet credential stealers, research criminal campaigns (including the breadth and nature of malicious campaigns), and understand user risk from reused credentials to malware infections. The app includes a GUI for ad-hoc searching and downloading of data. Additionally, two custom search commands are included that allow a customer to use SpyCloud’s dataset from within Splunk queries.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/09a80854-3722-11f1-b9db-a6a2798b59dd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CW Walker</dc:creator>
      <pubDate>Mon, 13 Apr 2026 10:24:45 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6857/#v1.0.2</guid>
    </item>
    <item>
      <title>XM Cyber Integration - v3.0.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6632/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Release Notes:&lt;br&gt;
- Removed Base URL validation from account configuration.&lt;br&gt;
- Updated Tenant field extraction to include the full Base URL instead of a partial value.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The XM Cyber Splunk Integration collects and analyzes entities, critical assets, scenario and overall security scores, and the attack techniques that attackers might use to compromise the configured cloud environments. Integrated with Splunk, it provides visibility into potential attack paths, critical vulnerabilities, misconfigurations, etc., to proactively prevent breaches. The Integration also offers pre-built dashboards for easy analysis. This helps operational teams monitor and troubleshoot issues.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/c61cc0d6-343b-11f1-99f2-0aaba2e5f8c4.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XM Cyber</dc:creator>
      <pubDate>Sun, 12 Apr 2026 06:49:58 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6632/#v3.0.2</guid>
    </item>
    <item>
      <title>Bitwarden Event Logs - v2.1.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6592/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;a href=&quot;https://github.com/bitwarden/splunk/commit/6d6676174f901aac8c28757197e3666ed4e0c975&quot;&gt;deps: Update @angular/core to v21.2.4 - SECURITY&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Code ownership change and dependency updates&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app provides insight into activity of your Bitwarden organization such as user&amp;#x27;s activity (logged in, changed password, 2fa, etc.), cipher activity (created, updated, deleted, shared, etc.), collection activity, organization activity, and more.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/e66b640c-3448-11f1-8f5b-c2d7cd6d796a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bitwarden Inc</dc:creator>
      <pubDate>Fri, 10 Apr 2026 15:12:10 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6592/#v2.1.1</guid>
    </item>
    <item>
      <title>LCS Insights - v1.5.1 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8461/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Added app icon, added run_on_startup to Alerts, added Unidentified Inventory Details dashboard&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Version 1.5.1: Sixteen dashboards: Executive Summary (2), Hardware Strategy (3), Software Strategy (6), Support Strategy (2), Symptom Management (1), Inventory (2)&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This application was created by Cisco CX to help customers visualize technical debt and manage known risk.  Version 1.1 introduced a single dashboard called Risk Overview which shows KPIs for Lifecycle risk, Vulnerability risk and Compliance risk.  Version 1.2 added Get Well Plan and Hardware End of Life Summary.  Version 1.3 added Hardware End of Life Details, Hardware End of Life Planning, and 4 Software Strategy dashboards.  Version 1.4 added Software Diversity Outliers, Software Diverse Families and Sparing Policy Alignment dashboards, bringing the total to 12.  Version 1.5 added SMARTnet Coverage, Crash Analysis and Hardware Inventory dashboards.  Version 1.5.1 added Unidentified Inventory Details, for a total of 16.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/69d3eab6-346d-11f1-b0f6-0a6c44ea4ebd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Russell Byrne</dc:creator>
      <pubDate>Fri, 10 Apr 2026 00:08:51 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8461/#v1.5.1</guid>
    </item>
    <item>
      <title>Sandfly Security Add-on for Splunk - v5.0.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5015/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h2&gt;New Features&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Refactored the Sandfly Alarms input for ingesting Sandfly results data&lt;ul&gt;
&lt;li&gt;Option to ingest smaller size Summary results for all Alert, Passed, Error result types&lt;/li&gt;
&lt;li&gt;Option to ingest duplicate Alerts when the last seen timestamp is updated&lt;/li&gt;
&lt;li&gt;Option to ingest smaller size Summary results for duplicate Alerts&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Other Updates&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Modified response processing for Sandfly REST API changes&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Sandfly is an agentless intrusion detection and incident response platform for Linux. Sandfly automatically analyzes Linux hosts for intruders 24 hours a day without loading any software on your endpoints. Additionally, Sandfly can retrieve hardware, operating system and related data for analysis in Splunk. Sandfly works across virtually all Linux distributions immediately without risk to stability or performance.

The Sandfly Security Add-on for Splunk is a technology add-on that ingests events from a Sandfly Security server using the Sandfly Security REST API. This add-on (TA-sandfly-security) ingests data into your specified index and sets the correct sourcetype for each event. Events are ingested as JSON formatted events. Review the Details tab for a list of all supported sourcetypes.

The Sandfly Agentless Security for Linux App includes dashboards, reports and logic for analyzing data ingested from a Sandfly server such as security alerts, suspicious activity and general software and hardware metrics. Data retrieved by Sandfly can also be used by Splunk users to build anomaly detection models, incident response and insights into software and hardware versions of your Linux fleet.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6f4f6b28-342c-11f1-8f5b-c2d7cd6d796a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sandfly Security</dc:creator>
      <pubDate>Thu, 09 Apr 2026 16:11:24 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5015/#v5.0.0</guid>
    </item>
    <item>
      <title>Splunk Add-on for Apache Web Server - v3.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/3186/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Deprecated support for Python 3.7&lt;br&gt;
Security fixes&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Splunk Add-on for Apache Web Server allows a Splunk software administrator to collect and analyze data from Apache Web Server using file monitoring. After the Splunk platform indexes the events, you can analyze the data using the prebuilt panels included with the add-on. 

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Web.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/c349dc2a-3401-11f1-9b1f-5ab5123230fd.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Thu, 09 Apr 2026 10:56:09 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3186/#v3.0.0</guid>
    </item>
    <item>
      <title>USTA Malware and C2 Intelligence for Splunk - v1.0.3 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7582/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Supporting 10.x&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Introducing the USTA Malware and C2 Intelligence for Splunk app, a powerful integration designed to ingest threat intelligence data from the USTA solution. This app enables organizations to seamlessly import Indicators of Compromise (IOCs), including malware, malicious URLs, and phishing sites, into Splunk. Provided by PRODAFT.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/7a3981ec-33fd-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PRODAFT Intelligence</dc:creator>
      <pubDate>Thu, 09 Apr 2026 10:22:39 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7582/#v1.0.3</guid>
    </item>
    <item>
      <title>USTA Stolen Credit Cards for Splunk - v1.0.4 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7585/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Supporting the 10.x&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The USTA Stolen Credit Cards for Splunk Add-on enables security teams to monitor and analyze compromised credit card data in real time. It fetches stolen credit card information from USTA&amp;#x27;s threat intelligence sources and integrates it into Splunk. Provided by PRODAFT.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/5b33bbcc-33f9-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PRODAFT Intelligence</dc:creator>
      <pubDate>Thu, 09 Apr 2026 09:53:47 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7585/#v1.0.4</guid>
    </item>
    <item>
      <title>Splunk Add-on for Microsoft Cloud Services - v6.1.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3110/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Splunk Add-on for Microsoft Cloud Services allows a Splunk software administrator to pull activity logs, service status, operational messages, Azure audit, Azure resource data and Azure Storage Table and Blob data from a variety of Microsoft cloud services using Event Hubs,  Azure Service Management APIs and Azure Storage API.

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance and Splunk IT Service Intelligence.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/463abc38-334b-11f1-8f5b-c2d7cd6d796a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Thu, 09 Apr 2026 09:39:35 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3110/#v6.1.1</guid>
    </item>
    <item>
      <title>USTA Account Takeover Prevention for Splunk - v1.0.6 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7558/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;USTA is a market-leading threat intelligence solution provided by PRODAFT specifically designed to combat ransomware, online fraud, and account takeover attempts. By collecting compromised credentials from stealer malware, USTA provides real-time insights and actionable intelligence to help organizations detect and mitigate threats, protecting their sensitive accounts and digital assets from malicious activity.

This Splunk app integrates with USTA’s threat intelligence API, enabling seamless import of breach alerts directly into Splunk for immediate action. USTA leverages your configured watchlist (domains, email addresses, and IP addresses) to determine which compromised credentials and threat data to collect.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/5e6a3dc4-33f0-11f1-bb58-8610eda3bfd9.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PRODAFT Intelligence</dc:creator>
      <pubDate>Thu, 09 Apr 2026 09:15:35 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7558/#v1.0.6</guid>
    </item>
    <item>
      <title>Alert Manager Enterprise - v3.8.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6730/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;a href=&quot;https://docs.datapunctum.com/ame/ame-release-notes&quot;&gt;Full Release Notes&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Important&lt;/strong&gt;&lt;br&gt;
Please read the &lt;a href=&quot;https://docs.datapunctum.com/ame/ame-before-upgrading&quot;&gt;Before Upgrading Guide&lt;/a&gt; before installing this version of AME.&lt;/p&gt;
&lt;h3&gt;Version 3.8.1&lt;/h3&gt;
&lt;p&gt;Fixed issues:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;AME-1613 Correct parsing of list values from savedsearches.conf&lt;/li&gt;
&lt;li&gt;AME-1615 Prevent excessive payload logging for internal calls&lt;/li&gt;
&lt;li&gt;AME-1622 Correct permissions of setup view to be accessible to ame.admin&lt;/li&gt;
&lt;li&gt;AME-1627 Correct filter parsing on observable overview&lt;/li&gt;
&lt;li&gt;AME-1631 Implement optimized field select component for observable tab&lt;/li&gt;
&lt;li&gt;AME-1635 Add support for float fields in Jira integration&lt;/li&gt;
&lt;li&gt;AME-1637 Correct Jira integration to not transition if status matches&lt;/li&gt;
&lt;li&gt;AME-1638 Add support for JSON based custom fields in Jira integration&lt;/li&gt;
&lt;li&gt;AME-1663 Correct create_notification import order&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Version 3.8.0&lt;/h3&gt;
&lt;p&gt;What's new:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;AME-1567: Allow overwrite of email subjects with templating support&lt;/li&gt;
&lt;li&gt;AME-1565: Allow selecting a template for manual event creating, supporting all template fields and observable extraction&lt;/li&gt;
&lt;li&gt;AME-1564: Allow adding not yet valid licenses&lt;/li&gt;
&lt;li&gt;AME-1560: Allow using Microsoft Defender as source for vulnerability data&lt;/li&gt;
&lt;li&gt;AME-1555: Allow usage of AME behind path based reverse proxy&lt;/li&gt;
&lt;li&gt;AME-1540: Add vulnerability reporting indicator: Percentage of open Notable Realizations&lt;/li&gt;
&lt;li&gt;AME-1541: Add vulnerability reporting indicator: Number of Realizations with Event&lt;/li&gt;
&lt;li&gt;AME-1542: Add vulnerability reporting indicator: Median Time to Close Notable Realizations&lt;/li&gt;
&lt;li&gt;AME-1543: Add vulnerability reporting indicator: Percentage of Realizations Closed in Days Range&lt;/li&gt;
&lt;li&gt;AME-1544: Add vulnerability reporting indicator: Percentage of Realizations Closed After Days&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Fixed Issues&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;AME-1602: Correct checks regarding whether an observable should time out&lt;/li&gt;
&lt;li&gt;AME-1601: Correct spurious error log on template key only events&lt;/li&gt;
&lt;li&gt;AME-1579: Migrating from jsurl2 to qs, allowing special characters in URL&lt;/li&gt;
&lt;li&gt;AME-1572: Correct forwarding location on unfinished migration tasks&lt;/li&gt;
&lt;li&gt;AME-1551: Correct deep link to event from notifications&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Deprecation notice:&lt;/p&gt;
&lt;p&gt;Starting with version 4.0.0, the following features will be deprecated and removed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;“squash” configuration option on notification targets&lt;/li&gt;
&lt;li&gt;Removal of CVE Tag view&lt;/li&gt;
&lt;li&gt;moved to CVE overview in vulnerability intelligence&lt;/li&gt;
&lt;li&gt;requires configuration of NIST API key for fetching CVE information&lt;/li&gt;
&lt;li&gt;Windows Platform Support&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Datapunctum Alert Manager Enterprise helps IT Ops and Security teams manage their alerts within Splunk Enterprise and Splunk Cloud.

Add the Alert Manager Enterprise Alert Action to your existing searches and manage your alerts immediately.
Get started today with our quickstart guide at https://www.alertmanager.app/docs/ame-quickstart !&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/bd2e26a8-33ec-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Datapunctum AG</dc:creator>
      <pubDate>Thu, 09 Apr 2026 09:11:46 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6730/#v3.8.1</guid>
    </item>
    <item>
      <title>LCS Plug-In - v1.1.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8363/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h2&gt;Overview&lt;/h2&gt;
&lt;p&gt;Version 1.1.0 is a major architectural release. The add-on was rebuilt using the&lt;br&gt;
  Splunk UCC (Universal Configuration Console) framework, replacing the previous&lt;br&gt;
  Add-on Builder structure. This brings a standards-compliant app layout, a&lt;br&gt;
  schema-driven UI, and bundled dependencies — alongside several new features and&lt;br&gt;
  reliability improvements.&lt;/p&gt;
&lt;hr&gt;
&lt;h2&gt;Breaking Changes&lt;/h2&gt;
&lt;h3&gt;Migrated from Add-on Builder to UCC Framework&lt;/h3&gt;
&lt;p&gt;The add-on now follows the UCC framework structure and must be built with&lt;br&gt;
&lt;code&gt;ucc-gen&lt;/code&gt; before deployment.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;v1.0.0 (Add-on Builder)&lt;/th&gt;
&lt;th&gt;v1.1.0 (UCC)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Modular input script&lt;/td&gt;
&lt;td&gt;&lt;code&gt;lcs_plug_in.py&lt;/code&gt; (root)&lt;/td&gt;
&lt;td&gt;&lt;code&gt;package/bin/input_module_lcs_insights.py&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;UI configuration&lt;/td&gt;
&lt;td&gt;Manually crafted &lt;code&gt;.conf&lt;/code&gt; files&lt;/td&gt;
&lt;td&gt;&lt;code&gt;globalConfig.json&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Bundled dependencies&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;&lt;code&gt;package/lib/requirements.txt&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Build output&lt;/td&gt;
&lt;td&gt;n/a&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ucc-gen build&lt;/code&gt; → &lt;code&gt;output/TA-lcs-plug-in/&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;This app integrates Cisco Business Critical Services (BCS) operational data into Splunk, automating the collection of device inventory, configuration best practices, security advisories, and lifecycle alerts. It simplifies API authentication and rate limiting, enabling Cisco Advanced Services customers to monitor and analyze their network operations efficiently.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This Splunk add-on is designed to collect and ingest operational insights data from Cisco’s Business Critical Services (BCS) API into Splunk. It enables users to automatically fetch a wide range of detailed device, inventory, configuration, risk mitigation, and product alert information from Cisco’s API endpoints and index this data within Splunk for analysis and monitoring.

The app addresses the challenge of integrating Cisco BCS operational data into Splunk by providing a modular input that handles authentication, API rate limiting, pagination, and event creation for multiple data sources. This allows customers—particularly those with Cisco Advanced Services—to gain centralized visibility into their Cisco device inventory, configuration best practices, security advisories, hardware and software lifecycle alerts, and other critical operational metrics without manual data collection.

By automating the retrieval and indexing of this comprehensive Cisco operational data, the app helps organizations improve their network management, risk assessment, and compliance monitoring capabilities within the Splunk platform.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/b60a539c-33e2-11f1-9aa1-9aaa231c919c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Israel Fernandez</dc:creator>
      <pubDate>Thu, 09 Apr 2026 07:24:12 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8363/#v1.1.0</guid>
    </item>
    <item>
      <title>Webex Add-on for Splunk - v1.4.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8365/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added support for search endpoint of Webex Contact Center&lt;/li&gt;
&lt;li&gt;Added support for POST method in the Generic Input&lt;/li&gt;
&lt;li&gt;Fixed the Invalid Refresh Token bug&lt;/li&gt;
&lt;li&gt;Fixed the FQDN region issue for the Webex Detailed Call History Input&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This Add-on allows users to pull data from the Webex REST API to Splunk.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/366ec972-3376-11f1-8f5b-c2d7cd6d796a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Yuan Ling</dc:creator>
      <pubDate>Wed, 08 Apr 2026 18:19:14 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8365/#v1.4.0</guid>
    </item>
    <item>
      <title>VirusTotal v3 - v3.0.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5865/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;fix detonate_url to send URL as form data instead of JSON&lt;/li&gt;
&lt;li&gt;fix polling in detonate actions being broken by response caching&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app integrates with the VirusTotal cloud to implement investigative and reputation actions using v3 APIs&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/ea36422a-3360-11f1-bb58-8610eda3bfd9.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Wed, 08 Apr 2026 15:37:57 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5865/#v3.0.2</guid>
    </item>
    <item>
      <title>OT Security Add-on for Splunk - v3.0.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5151/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;What’s New:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Modernized Dashboards: Dashboards have been rebuilt using Dashboard Studio to ensure a seamless and consistent experience with ES 8+.&lt;/li&gt;
&lt;li&gt;Expanded Compatibility: Now fully compatible with ES versions 8.0.4 through 8.4.&lt;/li&gt;
&lt;li&gt;Enhanced Risk Based Alerting (RBA): Existing correlation rules and findings have been updated to align with modern RBA best practices, helping you prioritize critical threats more effectively.&lt;/li&gt;
&lt;li&gt;NERC-CIP 015 Support: New dedicated dashboards and reports have been added to help streamline your NERC-CIP 015 compliance efforts.&lt;/li&gt;
&lt;li&gt;Refreshed Asset Baselining UI: The configuration baselining interface has been updated, making it easier to track applications, OS, services, network device configurations, and firmware.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The OT Security Add-on for Splunk enables organizations that operate assets, networks, and facilities across both IT and OT environments to better apply the globally proven SIEM, Splunk Enterprise Security, to improve threat detection, incident investigation, and response. The OT Security Add-on for Splunk expands the capabilities of Splunk’s platform to monitor for threats and attacks, compliance, incident investigation, forensics, and incident response across the broad spectrum of assets and topologies - from email servers to PLCs -  that define modern manufacturing, energy, and public sector organizations.

Components of this solution include:
OT Security Overview
Perimeter Monitoring
Infrastructure Monitoring
Centralized view across partner technologies.
NERC CIP Compliance Reporting
Correlation Rules including mapping to security frameworks like MITRE ATT&amp;amp;CK for ICS, CIS 20, and others
Integration with Enterprise Security
Dashboards designed to help you identify misconfigurations and missing data

The OT Security Add-on for Splunk REQUIRES Splunk Enterprise Security.

For any OT related sales conversations, please contact otsecurity@splunk.com

NOTE: Versions 2.3.5 and earlier are only compatible with ES 8.0.3 or earlier, version 3.0.1 is compatible with ES 8.0.4+&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/6b00c28e-32ff-11f1-93b6-9a59fa0735a9.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk Works</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:44:18 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5151/#v3.0.1</guid>
    </item>
    <item>
      <title>Video Experience Observability - v1.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8618/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;Release Notes&lt;/h1&gt;
&lt;h2&gt;Version 1.0.0&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Initial Release — April 1, 2026&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;New App&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Kollective Video Experience Observability&lt;/strong&gt; — First release of the Kollective ECDN observability app for Splunk, delivering live event telemetry analytics across eight purpose-built dashboards&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Dashboard Tabs&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Overview&lt;/strong&gt; — Max Hourly Reach and Views KPIs; Avg Hourly QoE, QoD, QoV, QoEn radial gauges; stacked hourly distribution charts and distribution heatmap tables for all four quality dimensions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Trends and Analysis&lt;/strong&gt; — All Metrics Over Time (QoE, QoD, QoV, QoEn) combined line chart and Hourly Reach, Views and Sessions Over Time for longitudinal event comparison&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;QoE Distribution&lt;/strong&gt; — QoE Session Distribution Over Time (stacked area), QoE Percentile Trends (Avg, P50, P95, P99), and QoE Distribution Density Heatmap (bands × hours)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;QoD Distribution&lt;/strong&gt; — QoD Session Distribution Over Time (stacked area), QoD Percentile Trends (Avg, P50, P95, P99), and QoD Distribution Density Heatmap (bands × hours)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;QoV Distribution&lt;/strong&gt; — QoV Session Distribution Over Time (stacked area), QoV Percentile Trends (Avg, P50, P95, P99), and QoV Distribution Density Heatmap (bands × hours)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;QoEn Distribution&lt;/strong&gt; — QoEn Session Distribution Over Time (stacked area), QoEn Percentile Trends (Avg, P50, P95, P99), and QoEn Distribution Density Heatmap (bands × hours)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Location Performance&lt;/strong&gt; — Location Performance Ranking table with Max Hourly Reach, Views, Sessions, and Avg Hourly QoE, QoD, QoV, QoEn per location; ranked by Max Hourly Views&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;App Performance&lt;/strong&gt; — Performance by Application table with the same columns, broken down by video application (e.g. Microsoft Teams, Webex, Vimeo, Kaltura)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Key Features&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Four-dimensional quality scoring&lt;/strong&gt; — QoE, QoD, QoV, QoEn on a 0–100 scale with Poor/Fair/Good/Excellent banding (thresholds: Excellent 90+, Good 80–89, Fair 70–79, Poor below 70)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Percentile-level analysis&lt;/strong&gt; — Avg, P50, P95, P99 trend views across all four quality dimensions to surface tail experiences hidden by averages&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Distribution density heatmaps&lt;/strong&gt; — Quality band session counts by hour for each metric, enabling time-of-day pattern identification&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Max Hourly Reach and Views&lt;/strong&gt; — Audience sizing metrics reported at hourly granularity; Reach counts unique viewers, Views counts total sessions including reconnects&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Global Location and Time Range filters&lt;/strong&gt; — Scoped inputs apply across all dashboard panels simultaneously; default time range is Last 24 Hours&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Contextual help text and reading guides&lt;/strong&gt; — Inline definitions and interpretation guidance on each tab, including metric definitions, how to read percentile charts, and how to interpret distribution heatmaps&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Companion app cross-reference&lt;/strong&gt; — Teams call quality visibility available via the &lt;a href=&quot;https://splunkbase.splunk.com/app/7997&quot;&gt;Kollective Microsoft Teams Collaboration Observability&lt;/a&gt; app&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Known Issues&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;None&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;This is the initial release of the Kollective Video Experience Observability app. Live event telemetry requires an active Kollective Enterprise Video Optimization (ECDN) platform account. Start a free 30-day trial at &lt;a href=&quot;https://portal.kollective.app/free-trial&quot;&gt;https://portal.kollective.app/free-trial&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Transform live video delivery visibility with comprehensive ECDN observability powered by Kollective Technology. Monitor Quality of Experience (QoE), Quality of Delivery (QoD), Quality of Video (QoV), and Quality of Engagement (QoEn) across every live event — from regional sales kickoffs to global CEO all-hands — with real-time analytics and eight purpose-built interactive dashboards designed for Unified Communications and IT operations teams.

Already monitoring Microsoft Teams with Splunk? Pair this app with the Kollective Microsoft Teams Collaboration Observability app for complete unified workplace video visibility.

Ready to optimize your live event delivery? Start a free 30-day trial at https://portal.kollective.app/free-trial or contact salesinfo@kollective.com to connect with your account manager.

Learn more: http://kollective.com | LinkedIn: linkedin.com/company/kollective-technology&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/a288fbea-2dff-11f1-8460-4a5d62a7ae5f.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kollective Technology</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:40:59 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8618/#v1.0.0</guid>
    </item>
    <item>
      <title>AWS-DFD-Visualizer - v2.5.6 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8628/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Release Notes: AWS-DFD-Visualizer v2.5.6&lt;br&gt;
New Features &amp;amp; Enhancements&lt;br&gt;
Custom Branding &amp;amp; UI Icons: Introduced high-resolution, AWS-inspired app icons and logos.&lt;br&gt;
Added appIcon.png and appIcon_2x.png for a professional app-bar presence.&lt;br&gt;
Integrated new logo.png and logo_2x.png for a consistent experience on dashboards and the Splunkbase listing.&lt;br&gt;
Version Synchronization: Formalized versioning across app.conf, splunk-app-manifest.json, and the build pipeline to ensure consistency in Splunkbase.&lt;br&gt;
Compliance &amp;amp; Security&lt;br&gt;
Splunkbase Readiness: Resolved a critical AppInspect finding by enabling check_for_updates in the app's installation configuration.&lt;br&gt;
DoD-Hardened Build Pipeline:&lt;br&gt;
Improved the build process to automatically scrub WSL-specific metadata (Zone.Identifier) and hidden system files (.DS_Store) from the final package.&lt;br&gt;
Maintained NIL-5/NIST 800-53 standards for secure software supply chain provenance.&lt;br&gt;
Bug Fixes&lt;br&gt;
Fixed a synchronization issue where the UI version label in app.conf did not match the manifest version.&lt;br&gt;
Resolved pathing issues in the static asset directory to ensure icons load reliably on Splunk 9.x+ instances.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;Interactive D3.js force-directed graph for AWS Security Data Flows, featuring official AWS icons and Application Composer aesthetics for &amp;quot;Zero Trust&amp;quot; visibility.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The AWS DFD Visualizer provides a high-fidelity, interactive force-directed graph visualization specifically designed for AWS infrastructure and security data flows. In complex cloud environments, SOC analysts and Security Architects often struggle to visualize &amp;quot;Zero Trust&amp;quot; data patterns and service-to-service relationships using standard tables or basic charts.

This app addresses that gap by mapping search results directly into an architect-grade visualization using D3.js v7 and official AWS Application Composer aesthetics. It allows users to instantly identify connectivity patterns, data silos, and security relationships across services like Lambda, S3, RDS, and CloudWatch.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/d38e5b82-315f-11f1-ad5e-56c15eb0d18d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Young Suh</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:35:57 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8628/#v2.5.6</guid>
    </item>
    <item>
      <title>HWP_HWPX_PDF Parser - v1.0.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/8630/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;BETA&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;A custom search command to seamlessly extract and parse text from Korean HWP and HWPX documents directly within Splunk.&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Add-on for HWP Documents introduces the | kordoc search command, enabling users to read and analyze Korean Word Processor (HWP/HWPX) files in their Splunk data pipeline. Built with a fully embedded, standalone architecture, it operates completely offline without requiring any external internet connections or package installations, ensuring secure and fast document parsing across both Linux and Windows environments.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/1b6341c2-3311-11f1-8f5b-c2d7cd6d796a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CTS ITCEN</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:34:49 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8630/#v1.0.0</guid>
    </item>
    <item>
      <title>Splunk Add-on for Salesforce - v6.0.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3549/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;fixed requests CVE-2026-25645&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;*** Important: Read upgrade instructions and test your add-on update before deploying to production ***
Version 2.0.0 of the Splunk Add-on for Salesforce introduces breaking changes. To avoid data loss or data duplication, follow the documented upgrade instructions in detail. If you are upgrading an earlier version of the Splunk Add-on for Salesforce, a best practice is to test your update in a non-production environment before deploying to production.

The Splunk Add-on for Salesforce allows a Splunk software administrator to collect different types of data from Salesforce using REST APIs. The data includes:

* Event log file data, https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm.
* Output of Salesforce object queries (SOQL). 

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security, the Splunk App for PCI Compliance, and Splunk IT Service Intelligence.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/55ff4eca-332f-11f1-a133-e246e7eb4d2d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:06:18 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3549/#v6.0.2</guid>
    </item>
    <item>
      <title>ThreatBook TI - v0.9.1 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8541/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h3&gt;What's New: Optimized Caching Logic&lt;/h3&gt;
&lt;p&gt;We have redesigned the app's internal caching mechanism. Instead of making repeated external requests for frequent queries, the app now intelligently stores and reuses local data.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;ThreatBook Cloud API for Splunk integrates ThreatBook threat intelligence with Splunk, enabling security teams to enrich IPs, domains, URLs, and file hashes with real-time threat intelligence.
The app provides SPL search commands and automation capabilities to help analysts quickly investigate indicators and enhance security monitoring workflows with ThreatBook intelligence.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/static/image/default_icon.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Hui Wang</dc:creator>
      <pubDate>Wed, 08 Apr 2026 11:00:19 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8541/#v0.9.1</guid>
    </item>
    <item>
      <title>Microsoft O365 Email Add-on for Splunk - v2.4.7 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5365/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;Version 2.4.5&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;Added HTML link mismatch analysis to identify cases where displayed URLs do not match the actual destination&lt;/li&gt;
&lt;li&gt;Added normalized SPF, DKIM, DMARC, and ARC result summaries&lt;/li&gt;
&lt;li&gt;Added sender impersonation analysis for reply-to, sender, and display-name mismatch scenarios&lt;/li&gt;
&lt;li&gt;Added URL risk analysis for shorteners, redirectors, IP-literal hosts, punycode domains, credential-harvest patterns, and brand/domain mismatches&lt;/li&gt;
&lt;li&gt;Added HTML abuse detection for forms, hidden text, suspicious CSS hiding, remote images, and tracking-style indicators&lt;/li&gt;
&lt;li&gt;Added attachment risk classification for suspicious file types, double extensions, embedded messages, nested archives, and macro-bearing attachments&lt;/li&gt;
&lt;li&gt;Added transparent overall message risk scoring with supporting reasons and breakdown fields&lt;/li&gt;
&lt;li&gt;Added optional raw ARC header collection&lt;/li&gt;
&lt;li&gt;Refined input field visibility so body and attachment helper settings appear only when the related parent features are enabled&lt;/li&gt;
&lt;/ul&gt;
&lt;h1&gt;Version 2.4.6&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;Refreshed the package version after the &lt;code&gt;2.4.5&lt;/code&gt; input UI updates so upgraded Splunk Web instances pick up the latest static assets more reliably&lt;/li&gt;
&lt;li&gt;No functional changes beyond the versioned refresh of the updated input configuration experience&lt;/li&gt;
&lt;/ul&gt;
&lt;h1&gt;Version 2.4.7&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;Tuned URL brand-keyword mismatch analysis to better recognize trusted vendor redirectors and vendor-owned domain families&lt;/li&gt;
&lt;li&gt;Reduced false positives for legitimate Microsoft redirect links such as &lt;code&gt;aka.ms&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Lowered the standalone weight of brand-keyword mismatch in overall message risk scoring&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Microsoft O365 Email Add-on for Splunk ingests Microsoft 365 email from a dedicated compliance mailbox through Microsoft Graph and writes the results to Splunk as JSON events.

The add-on is designed for security and operational visibility. It can enrich messages with:

- attachment metadata and file hashes
- attachment analysis, including ZIP inspection and Office macro detection
- body IOC extraction for URLs, domains, IPv4, and IPv6 values
- phishing-focused link, sender, URL, HTML, and attachment risk analysis
- vendor-aware URL analysis that reduces false positives for trusted redirectors such as Microsoft `aka.ms`
- normalized SPF, DKIM, DMARC, and ARC result summaries
- transparent message risk scoring with supporting reasons
- Internet header parsing
- mail relay and message path reporting
- S/MIME certificate extraction
- Microsoft 365 group membership snapshots through a separate input

The add-on is built around disposable compliance mailboxes that receive BCC copies of mail through Exchange mail flow rules. It processes the copied messages and purges them from the compliance mailbox so production user mailboxes are not touched.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/79b9fdd8-316d-11f1-97c1-6638f4eb3635.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk Works</dc:creator>
      <pubDate>Wed, 08 Apr 2026 07:46:58 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5365/#v2.4.7</guid>
    </item>
    <item>
      <title>Egnyte Secure and Govern Add-on For Splunk - v1.1.10 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4526/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Improved reliability and stability of the add-on during intermittent Egnyte API connectivity issues.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Egnyte Secure &amp;amp; Govern Add-on For Splunk integrates with the Egnyte Secure &amp;amp; Govern platform and ingests events from Egnyte Secure &amp;amp; Govern into Splunk. The Egnyte Secure &amp;amp; Govern Application provides insights into security incidents identified by Egnyte Secure &amp;amp; Govern. Splunk administrators can track enterprise-wide incidents identified by Egnyte Secure &amp;amp; Govern directly through the Splunk App.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/ab96ac60-3272-11f1-ad5e-56c15eb0d18d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chapman Hong</dc:creator>
      <pubDate>Tue, 07 Apr 2026 11:16:43 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4526/#v1.1.10</guid>
    </item>
    <item>
      <title>Egnyte Collaborate Add-on for Splunk - v1.1.12 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5653/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Improved reliability and stability of the add-on during intermittent Egnyte API connectivity issues.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Egnyte Collaborate Add-on for Splunk provides insights into the overall incidents that are identified and raised by Egnyte&amp;#x27;s Collaborate product. This enables Splunk administrators to track enterprise-wide audit logs identified by Egnyte&amp;#x27;s Collaborate product directly through the Splunk app&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/9f0acd1a-3271-11f1-ad5e-56c15eb0d18d.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chapman Hong</dc:creator>
      <pubDate>Tue, 07 Apr 2026 11:10:44 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5653/#v1.1.12</guid>
    </item>
    <item>
      <title>Google Threat Intelligence - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7918/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added support for python 3.13&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Supercharge Splunk SOAR with Google Threat Intelligence by integrating real-time IOCs, breach insights, and threat actor data from VirusTotal, Mandiant, and Google for automated, context-rich responses&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/24976888-326f-11f1-ba90-bae7fd19d53c.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">SOAR Community</dc:creator>
      <pubDate>Tue, 07 Apr 2026 10:47:17 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7918/#v1.1.0</guid>
    </item>
    <item>
      <title>CrowdStrike Scheduled Search Technical Add-on - v3.1.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/6902/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;TA-crowdstrike-scheduled-search v3.1.0 Release Notes&lt;/h1&gt;
&lt;h2&gt;Bug Fix&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Resolved an issue with how CSV-format report data was processed and delivered to Splunk, ensuring reliable timestamp extraction regardless of payload size&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Improvements&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Strengthened authentication handling with network failure detection, OAuth2 error diagnostics, and mid-collection token expiry recovery&lt;/li&gt;
&lt;li&gt;Improved API resilience with exponential backoff, jitter-based retry desynchronization, and expanded retry coverage for server errors&lt;/li&gt;
&lt;li&gt;Hardened checkpoint integrity so the TA halts on delivery or parsing failures to prevent producing duplicates&lt;/li&gt;
&lt;li&gt;Added batched event delivery to prevent pipe buffer overflows when ingesting large scheduled search results&lt;/li&gt;
&lt;li&gt;Enhanced logging with TA version, SDK version, API trace IDs, rate limit headers, and checkpoint state transitions for faster troubleshooting&lt;/li&gt;
&lt;li&gt;Removed unsupported SOCKS proxy types, tightened input validation, and centralized configuration constants&lt;/li&gt;
&lt;li&gt;Updated dashboard queries and props.conf timestamp settings to align with current platform standards&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The CrowdStrike Falcon Platform provides customers with extensive visibility into the configuration of and events taking place on endpoints and workloads. While triggered detections are an important part of endpoint security, CrowdStrike also provides the ability to search the raw event data. Scheduled searches can be used to automate the recurrence of those searches. This technical add-on allows CrowdStrike Falcon customers to retrieve successful scheduled searches from the Falcon platform via public APIs and have the events indexed into Splunk.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/108f5c2c-3217-11f1-ba90-bae7fd19d53c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CrowdStrike</dc:creator>
      <pubDate>Tue, 07 Apr 2026 00:25:02 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6902/#v3.1.0</guid>
    </item>
    <item>
      <title>WHOIS - v2.2.12 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5867/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Patch the URL for KRNIC, fixing lookups for Korean IPs. Works around an &lt;a href=&quot;https://github.com/secynic/ipwhois/issues/342&quot;&gt;existing issue&lt;/a&gt; in &lt;code&gt;ipwhois&lt;/code&gt; [PAPP-37759]&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app implements investigative actions that query the whois database&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/38139658-31e7-11f1-b5d9-72170e4042f6.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Mon, 06 Apr 2026 18:34:18 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5867/#v2.2.12</guid>
    </item>
    <item>
      <title>Google Big Query Input - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/5692/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Python 3.13 and dependence fixes&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Get data from Google Big Query tables. Supports setting a timestamp field and checkpoint field.

Originally created by Justin Lai and Brett Adams&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/25bd1bb8-2e87-11f1-b81a-62cb08abdeb3.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brett Adams</dc:creator>
      <pubDate>Fri, 03 Apr 2026 05:56:35 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5692/#v1.1.0</guid>
    </item>
    <item>
      <title>Splunk Common Information Model (CIM) - v8.5.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/1621/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;&lt;a href=&quot;https://help.splunk.com/en/splunk-enterprise-security-8/common-information-model/6.4/introduction/release-notes-for-the-splunk-common-information-model-add-on&quot;&gt;https://help.splunk.com/en/splunk-enterprise-security-8/common-information-model/6.4/introduction/release-notes-for-the-splunk-common-information-model-add-on&lt;/a&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Common Information Model is a set of field names and tags which are expected to define the least common denominator of a domain of interest. It is implemented as documentation on the Splunk docs website and JSON data model files in this add-on. Use the CIM add-on when modeling data or building apps to ensure compatibility between apps, or to just take advantage of these data models to pivot and report.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/e438112e-2ed2-11f1-8be0-0a1fd842b6f5.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Thu, 02 Apr 2026 22:12:17 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/1621/#v8.5.0</guid>
    </item>
    <item>
      <title>TA-user-agents - v1.7.12 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/1843/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;==== Version 1.7.12&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Bug Fix&lt;br&gt;
** Fixed the &lt;code&gt;README/apl_logging.conf.spec&lt;/code&gt; to properly parse against the TA.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This Add-on provides a dynamic lookup for parsing User Agent strings. This version was built to be faster, and does not require internet access from your Splunk systems.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/366dfc5c-2ed2-11f1-ba90-bae7fd19d53c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Aplura LLC</dc:creator>
      <pubDate>Thu, 02 Apr 2026 20:30:19 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/1843/#v1.7.12</guid>
    </item>
    <item>
      <title>Omega Core Audit for Oracle - v1.8.5 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/4307/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Version 1.8.5&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Omega Core Audit for Oracle App for Splunk integrates Omega Core Audit with Splunk. 

Omega Core Audit is a software-only security solution that implements access control, continuous audit monitoring and real-time protection for Oracle databases.

Omega Core Audit for Oracle App for Splunk provides an Executive, Security Analysts and Operational view on the activity performed on the enterprise’s Oracle databases monitored and protected by Omega Core Audit deployments.

DATAPLUS
Oracle Database security solutions
www.dataplus-al.com&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/07f1d0ee-2ebc-11f1-ba90-bae7fd19d53c.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Altin Karaulli</dc:creator>
      <pubDate>Thu, 02 Apr 2026 17:53:36 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/4307/#v1.8.5</guid>
    </item>
    <item>
      <title>Oracle Unified Audit - v1.2.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6172/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Version 1.2.0&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Oracle Unified Audit App for Splunk integrates Oracle database unified audit with Splunk.

Oracle Unified Audit App for Splunk provides an Executive, Security Analysts and Operational view on the activity of the enterprise’s Oracle databases.

DATAPLUS
Oracle Database security solutions
www.dataplus-al.com&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/91311c94-2eb6-11f1-bc67-2e62efba54ff.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Altin Karaulli</dc:creator>
      <pubDate>Thu, 02 Apr 2026 17:14:09 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6172/#v1.2.0</guid>
    </item>
    <item>
      <title>MS Graph for SharePoint - v1.5.2 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/6351/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; SOAR&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;fix: resolve json parsing error&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This app connects to SharePoint using the MS Graph API to support investigate and generic actions&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/709922f0-2eb2-11f1-944a-66d8262d44f0.svg&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Thu, 02 Apr 2026 16:38:56 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/6351/#v1.5.2</guid>
    </item>
    <item>
      <title>PingDirectory App for Splunk - v1.1.3 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/5523/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Qualification update.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The PingDirectory App for Splunk gathers and presents throughput, latency, and GC metrics from PingDirectory via a series of customized reports and graphical illustrations. Developed by Ping Identity, the app gathers and presents transaction metrics from PingDirectory via a series of customized reports and graphical illustrations. The application enables identity and access management (IAM) administrators, architects, and security managers to easily obtain custom reports.

This app supports PingDirectory version 8.0.0.0 and later.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/55bbb028-2e22-11f1-b3d5-eaae5bef3ccf.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ping Identity</dc:creator>
      <pubDate>Thu, 02 Apr 2026 15:35:01 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/5523/#v1.1.3</guid>
    </item>
    <item>
      <title>Qualys Technology Add-on (TA) for Splunk - v1.11.23 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/2964/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;-Bug fix for VM data input&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;The Qualys Technology Add-on (TA) for Splunk is a Technology Add-On for Qualys Cloud Platform data. It fetches Vulnerability Management (VM), Web Application Scanning (WAS), Policy Compliance (PC),  Container Security(CS), File Integrity Monitoring(FIM), Endpoint Detection &amp;amp; Response (EDR), Security Enterprise Mobility (SEM), Activity Log, KnowledgeBase (KB), Policy Compliance Reporting Services (PCRS), Cyber Security Asset Management(CSAM) and Certview data using modular input and indexes it which then can be searched using the Search app, Splunk Enterprise Security app or the Qualys VM App, WAS App or PC App, EDR App, FIM App, CS App , Policy Compliance Reporting Services (PCRS) App, Cyber Security Asset Management(CSAM) App , Certview App and TotalCloud for Splunk Enterprise.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/e0a4ee18-2e8e-11f1-b87d-8adba15b71a7.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Qualys Inc.</dc:creator>
      <pubDate>Thu, 02 Apr 2026 12:32:45 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/2964/#v1.11.23</guid>
    </item>
    <item>
      <title>Netskope Add-on For Splunk - v4.4.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/3808/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Added support for Netskope Log Streaming (NLS) sourcetypes with CSV parsing.&lt;/li&gt;
&lt;li&gt;Added comprehensive CIM field mappings for all NLS sourcetypes to maintain compatibility with Splunk Enterprise Security.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;THIS COMPONENT IS REQUIRED AND SHOULD BE INSTALLED BEFORE THE NETSKOPE APP FOR SPLUNK
PLEASE GO TO DETAILS AND READ THE INSTALLATION INSTRUCTIONS

!! UPGRADING IS SUPPORTED WITHIN THE &amp;gt;= 2.X CHAIN. IF COMING FROM 1.X, PLEASE REMOVE 1.X BEFORE INSTALLING &amp;gt;=2.X !!

The Add-on typically imports and enriches data from Netskope API, creating a rich data set ready for direct analysis or use in an App. The Netskope Add-on for Splunk will provide the below functionalities:
* Collect data from Netskope via REST endpoints and store it in Splunk indexes
* Categorize the data in different source types
* Parse the data and extract important fields

## DEPRECATION INFO
* Input named &amp;quot;Web Transaction V1&amp;quot; has been removed from v3.4.0. So, it is recommended to move to the &amp;quot;Web Transaction V2&amp;quot; input.
* Inputs named &amp;quot;Events (Deprecated)&amp;quot; and &amp;quot;Alerts (Deprecated)&amp;quot; have been removed from v3.7.0. So, it is recommended to move to &amp;quot;Events (Iterator)&amp;quot; and &amp;quot;Alerts (Iterator)&amp;quot; inputs.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/b744f3ac-2e65-11f1-a503-4ea230f6d807.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Technology Integrations</dc:creator>
      <pubDate>Thu, 02 Apr 2026 07:45:24 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/3808/#v4.4.0</guid>
    </item>
    <item>
      <title>OTel YAML Validator - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7157/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;Version 1.1.0&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;Updated Creator to deprecate exporters and change to more recent options.&lt;/li&gt;
&lt;li&gt;Updated the default YAML definition as described here: &lt;a href=&quot;https://github.com/signalfx/splunk-otel-collector/blob/main/cmd/otelcol/config/collector/agent_config.yaml&quot;&gt;https://github.com/signalfx/splunk-otel-collector/blob/main/cmd/otelcol/config/collector/agent_config.yaml&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Updated links to Splunk Workshops&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;OTel YAML Validator is an app designed to help you both create and validate OTel config files for Splunk Observability Cloud. 

Check this out if you are setting up OTel collectors or using SIM, RUM, APM, or metrics in Splunk O11y Cloud.

The Create dashboard provides a point-and-click method of creating OTel config based on what you want to measure in your environment. The Validate dashboard provides code validation of the YAML against the public OTel spec, and shows a graph view of the receivers, processors, and exporters in your config.

Combined with some useful links to provide examples - you&amp;#x27;ll have everything you need to get your O11y journey up and running.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/74bc67e0-2e56-11f1-8460-4a5d62a7ae5f.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Spavin</dc:creator>
      <pubDate>Thu, 02 Apr 2026 05:42:12 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7157/#v1.1.0</guid>
    </item>
    <item>
      <title>Splunk MCP Server - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/7931/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;p&gt;Splunk MCP Server App 1.1.0 adds support for configuring the Splunk platform as an OAuth 2.1 server for Model Context Protocol (MCP) connectivity, and introduces beta features for running saved searches and applying MCP Server rate limiting.&lt;/p&gt;
&lt;p&gt;What's New&lt;br&gt;
• Added support for configuring the Splunk platform as an Open Authorization version 2.1 (OAuth 2.1) server that operates using the Model Context Protocol (MCP), enabling external applications to connect to and access data stored on the Splunk platform.&lt;br&gt;
• Controlled Access: OAuth 2.1 server configuration on the Splunk platform is currently a Controlled Access feature. Contact Splunk Support to enable or disable this feature in your environment. Speak with your Support representative for specific details.&lt;br&gt;
• Beta feature: Run Saved Search — Added the Run Saved Search tool to Splunk MCP, enabling AI assistants to run existing Splunk saved searches directly through MCP.&lt;br&gt;
• Beta feature: MCP Server rate limiting — Added rate limiting support for the MCP Server. Since the MCP Server can be accessed by multiple agents and shares critical resources with both the MCP app and the Splunk instance, rate limiting helps maintain app performance and security.&lt;/p&gt;
&lt;p&gt;Notes / Considerations&lt;br&gt;
• OAuth 2.1 server support is available only through Controlled Access.&lt;br&gt;
• Run Saved Search and MCP Server rate limiting are beta features in this release.&lt;br&gt;
• Configured rate limits apply per instance only.&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;MCP Server for Splunk Platform
The Model Context Protocol (MCP) is an open standard and framework that enables seamless, secure, and standardized two-way communication between AI applications (like large language models) and external data sources or tools. It acts as a universal adapter allowing AI systems to access, execute, and integrate functionalities from diverse systems through a common protocol, simplifying data sharing and tool interoperability without custom coding for each integration.

Splunk&amp;#x27;s Model Context Protocol (MCP) server leverages this to provide a standardized, secure, and scalable interface to connect AI assistants, agents, and other intelligent systems with data in the Splunk platform for both Enterprise &amp;amp; Cloud customers in beta.

🔑 Key Features

- Universal Connectivity
Seamlessly connects AI agents and tools to Splunk data resources in a secure and efficient manner.
- Enterprise-Grade Security
Includes built-in authentication, authorization, and Role-Based Access Control (RBAC).
- Rapid Deployment
Offers a plug-and-play solution, eliminating the need for custom integrations.

⚙️ Core Capabilities

- Explore the Data
Navigate and interact with Splunk data effortlessly.
- Discover Knowledge Objects
Identify and access relevant saved searches, lookups, and other knowledge assets.
- Execute Searches
Run powerful Splunk queries to extract insights and drive intelligent workflows.
- Leverage AI capabilities from Splunk’s AI Assistant for SPL &amp;amp; MLTK
SPL search generation from natural language, search optimization, search explanation, and retrieval of MLTK models and algorithms.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/ffadda30-2dea-11f1-bd2c-ceabd2a2762a.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Splunk LLC</dc:creator>
      <pubDate>Thu, 02 Apr 2026 04:02:25 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7931/#v1.1.0</guid>
    </item>
    <item>
      <title>MaxMind GeoIP App - v1.1.0 [Version Update]</title>
      <link>https://splunkbase.splunk.com/app/8554/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;ul&gt;
&lt;li&gt;Set &lt;code&gt;local = true&lt;/code&gt; for the &lt;code&gt;geoip&lt;/code&gt; search command so it runs on the search&lt;br&gt;
  head instead of distributed peers. This avoids failures in distributed&lt;br&gt;
  searches when indexers do not have the MaxMind databases or updater-managed&lt;br&gt;
  app state available locally.&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Short Description:&lt;/strong&gt;&lt;br&gt;MaxMind GeoIP database lookups for Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;This is a Splunk app for MaxMind GeoIP database lookups. It provides IP geolocation and enrichment using MaxMind&amp;#x27;s GeoIP and GeoLite databases, including country, city, anonymous IP detection, ISP, and more.

The app provides a streaming search command (geoip) that enriches events with data from one or more MaxMind databases.&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/ddd7ae18-2e17-11f1-9de8-ea98fe85489e.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">William Storey</dc:creator>
      <pubDate>Wed, 01 Apr 2026 22:19:23 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/8554/#v1.1.0</guid>
    </item>
    <item>
      <title>Microsoft Teams Collaboration Observability - v1.1.0 [New App Release]</title>
      <link>https://splunkbase.splunk.com/app/7997/</link>
      <description>&lt;p&gt;&lt;strong&gt;Platform:&lt;/strong&gt; Splunk&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Release Notes:&lt;/strong&gt;&lt;br&gt;&lt;h1&gt;Release Notes&lt;/h1&gt;
&lt;h2&gt;Version 1.1.0&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;Feature Release — April 1, 2026&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;New Dashboard&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Collaboration Experience Dashboard&lt;/strong&gt; — Fully redesigned dashboard replacing the previous multi-dashboard layout with a unified, tabbed experience for Microsoft Teams call observability&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Dashboard Tabs&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Overview&lt;/strong&gt; — Command center view with Total Calls, Total Participants, Total Sessions, Active Locations, and quality distribution across Audio, Video, VBSS, and Call Types&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Network Insights&lt;/strong&gt; — Average and maximum values for Latency, Jitter, Audio Network Jitter, and Packet Loss; includes Network Performance Over Time chart for surfacing peak degradation events beyond averages&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Stream Quality&lt;/strong&gt; — Audio, Video, and VBSS stream quality breakdowns with four-band classification (Poor, Fair, Good, Excellent) at both aggregate and per-location levels&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Location Performance&lt;/strong&gt; — Ranked location table with call volume, session counts, and network metrics side by side; supports column sorting to surface outliers; quality-by-location bar chart&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Trends and Analysis&lt;/strong&gt; — Calls Over Time, Participants Over Time, and Sessions Over Time charts for identifying volume patterns and correlating activity with quality signals&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data Quality&lt;/strong&gt; — Data stream classification summary (Total, Good, Poor, Unclassified); Data Stream Quality Over Time area chart; Data Quality by Location table&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Enhancements&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Global Location Filter&lt;/strong&gt; — New dropdown input scopes all visualizations to a selected location simultaneously, enabling site-specific investigation without leaving the dashboard&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Improved Table Usability&lt;/strong&gt; — Numeric columns are center-aligned for easier scanning; all location and data tables standardized to display 50 rows&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Contextual Help Text&lt;/strong&gt; — Inline help and annotation panels added throughout each tab to guide interpretation of metrics and visualizations&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Bug Fixes&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Corrected location filter token resolution to ensure accurate per-location data scoping across all tabs&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Known Issues&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;None&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Note: This release introduces a redesigned dashboard experience. The previous individual dashboards (Executive Overview, Time Series Analytics, Location Performance Analytics) are superseded by the new unified tabbed layout.&lt;/em&gt;&lt;/p&gt;&lt;/p&gt;&lt;br&gt;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt;&lt;br&gt;Transform Microsoft Teams performance visibility with comprehensive network, stream quality, and user experience observability powered by Kollective Technology. Monitor call quality across every modality—audio, video, and screen sharing—analyze participant engagement, and gain actionable insights into your Teams deployment across all organizational locations with analytics and six purpose-built interactive dashboards designed for IT operations teams.

Ready to optimize your Teams experience? Contact salesinfo@kollective.com for a free trial or connect with your account manager for activation.

Learn more: http://kollective.com | LinkedIn: linkedin.com/company/kollective-technology&lt;/p&gt;&lt;img height=&quot;36px&quot; width=&quot;36px&quot; src=&quot;https://cdn.splunkbase.splunk.com/media/public/icons/47074dee-2df5-11f1-b81a-62cb08abdeb3.png&quot;&gt;</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kollective Technology</dc:creator>
      <pubDate>Wed, 01 Apr 2026 20:06:00 +0000</pubDate>
      <guid>https://splunkbase.splunk.com/app/7997/#v1.1.0</guid>
    </item>
  </channel>
</rss>
