Splunk 4.10.0
  • 06 Apr 2025

tags: Python | SIEM | Log Management | Realtime Data | Realtime Events


Description

The Splunk integration extracts logs and observables from the Splunk platform for CDC users, giving them the context needed to make informed incident-response decisions.

Splunk searches, analyzes, and visualizes machine-generated data gathered from the websites, applications, sensors, and devices that make up IT infrastructure and business. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, Splunk correlates this information and aggregates related events into single alerts, accelerating incident analysis and remediation.

The integration is bi-directional: closing an incident or alert on the CDC triggers closure of the corresponding alert in Splunk. Search and drill-down options are used to retrieve additional information from Splunk, and everything read is passed to the CDC as an alert, stored as raw data and observables.

The integration can ingest alerts through either the asynchronous APIs or the backend APIs supported by the CDC.

In addition, CyberProof provides CLIs to add or update the configuration that maps CDC alert closing reason names to Splunk disposition IDs.

| | |
|---|---|
| Integration Type: | SIEM |
| Information read: | Logs from Splunk based on Criteria defined |
| API Supported: | API V8.0.5 |
| Input: | N/A |
| Output: | Detailed logs which lead to the creation of alerts and observables on CDC. |


Customer Configuration

  1. Create a new role in Splunk and call it 'API' for easy reference.
    • Under 'Inheritance', check the following:
      1. ess_analyst
      2. ess_user
      3. user
    • Under 'Capabilities', check the following:
      1. dispatch_rest_to_indexers
      2. rest_apps_management
  2. Create two new users to be provided to the CyberProof POC, e.g. user and user_notable. Make sure the user_notable user has a bigger/longer queue for larger data requests.
  3. Assign the 'API' role created in step 1 to both users.
  4. Provide the Splunk instance IP, port, and both usernames and passwords to the CDC deployment team through a secure channel, for further configuration of the pack.

API Account Configuration

  1. API Username 1 account (Notable search)

    • Search restrictions
      1. Restrict search time range: -1
      2. User-level concurrent search jobs limit: 3
      3. User-level concurrent real-time search jobs limit: 6
      4. Role-level concurrent search jobs limit: 0
      5. Role-level concurrent real-time search jobs limit: 0
      6. Limit total jobs disk quota: 700
    • Inheritance
      1. ess_user
      2. user
    • Capabilities
      1. dispatch_rest_to_indexers
      2. rest_apps_management
    • Indexes searched by default
      1. All non-internal indexes
      2. All internal indexes
      3. notable
      4. notable_summary
    • Indexes
      1. All non-internal indexes
      2. All internal indexes
      3. notable
      4. notable_summary
  2. API Username 2 account (Drill Down search)

    • Search restrictions
      1. Restrict search time range: -1
      2. User-level concurrent search jobs limit: 7
      3. User-level concurrent real-time search jobs limit: 6
      4. Role-level concurrent search jobs limit: 0
      5. Role-level concurrent real-time search jobs limit: 0
      6. Limit total jobs disk quota: 700
    • Inheritance
      1. ess_user
      2. user
    • Capabilities
      1. dispatch_rest_to_indexers
      2. rest_apps_management
    • Indexes searched by default
      1. All non-internal indexes
      2. All internal indexes
      3. notable
      4. notable_summary
    • Indexes
      1. All non-internal indexes
      2. All internal indexes
      3. notable
      4. notable_summary

| Parameter | Required | Comment |
| :--- | :--- | :--- |
| Base URL | True | |
| Port | True | |
| API Username 1 | True | For Notable search |
| API Password 1 | True | |
| API Username 2 | True | For Drill Down search |
| API Password 2 | True | |


CDC Command Lines

No CDC command lines


Workflows

* **close_alert**
Close the alert in Splunk

* **create_alert_from_splunk**
Push Splunk formatted alerts to the CDC.

* **execute_query**
Execute Splunk queries and set results in Redis.

* **get_splunk_alert_data_from_redis**
Get Splunk alert data from Redis that needs to be injected into the CDC as an alert.

* **inject_splunk_alert_to_cdc**
Inject Splunk alerts to the CDC using CDC backend or CDC asyncAPI.


Rules

* **cdc_closed_alert_listener_for_splunk**
Close alerts in Splunk.

* **cdc_new_alert_from_splunk**
Triggers the workflow that injects new alerts into the CDC when a new alert is created in Splunk.


Sensors

* **AlertsSensor**
Sensor that pulls alerts from Splunk.

Poll interval - 30s


Triggers

No triggers


Closing Reason Config Management

  • The closing reason config management utility maps the closing reason selected in the CDC to the closing reasons (dispositions) available in Splunk, through the closing reason config.
  • The closing reason config map can be updated through the CDC Resource Utils CLIs, which add, update and remove the configuration.
    Refer to the CDC Resource Utils integration documentation for more information on closing reason config management.
  • The Splunk closing reason config map maps each CDC closing reason name to a Splunk disposition ID.
  • Each Splunk closing reason has a Splunk closing reason (disposition) ID.
  • Splunk's closing reason management is available in the ESS incident review configuration on the web console.
  • A default mapping can also be provided for cases where the closing reason config map is not configured, or the CDC closing reason is not present in the config map.
  • The default mapping is configured through the 'default_disposition_id' field of the StackStorm pack UI configuration.

Sample IDs for closing reasons in Splunk

```json
[
  { "name": "disposition:1", "label": "True Positive - Suspicious Activity" },
  { "name": "disposition:2", "label": "Benign Positive - Suspicious But Expected" },
  { "name": "disposition:3", "label": "False Positive - Incorrect Analytic Logic" },
  { "name": "disposition:4", "label": "False Positive - Inaccurate Data" },
  { "name": "disposition:5", "label": "Other" },
  { "name": "disposition:6", "label": "Undetermined" },
  { "name": "disposition:7", "label": "CDC reasoned" }
]
```

Closing Reason Config Map

```yaml
splunk:
  Benign Positive: disposition:3
  False Positive - Incorrect alert logic: disposition:4
  False Positive - Incorrect data: disposition:5
  True Positive: disposition:1
```
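As an added example (not the pack's own code), the lookup a close-alert handler would perform against the sample dispositions and config map above, including the 'default_disposition_id' fallback and a validation step that rejects a mapped ID Splunk does not actually expose; the data shapes and function names are assumptions:

```python
import re
from typing import Dict, List, Optional

# Constructed sample data mirroring the disposition list and the config map
# on this page; data shapes and function names are assumptions, not pack code.
SPLUNK_DISPOSITIONS: List[Dict[str, str]] = [
    {"name": "disposition:1", "label": "True Positive - Suspicious Activity"},
    {"name": "disposition:2", "label": "Benign Positive - Suspicious But Expected"},
    {"name": "disposition:3", "label": "False Positive - Incorrect Analytic Logic"},
    {"name": "disposition:4", "label": "False Positive - Inaccurate Data"},
    {"name": "disposition:5", "label": "Other"},
    {"name": "disposition:6", "label": "Undetermined"},
    {"name": "disposition:7", "label": "CDC reasoned"},
]
CLOSING_REASON_CONFIG_MAP: Dict[str, Dict[str, str]] = {
    "splunk": {
        "Benign Positive": "disposition:3",
        "False Positive - Incorrect alert logic": "disposition:4",
        "False Positive - Incorrect data": "disposition:5",
        "True Positive": "disposition:1",
    }
}
DISPOSITION_ID_RE = re.compile(r"^disposition:\d+$")


def resolve_disposition(closing_reason, config_map, default_disposition_id,
                        known=SPLUNK_DISPOSITIONS) -> Optional[str]:
    """Map a CDC closing reason name to a Splunk disposition ID.

    Lookup order: entry under the 'splunk' key of the config map, then
    default_disposition_id, then None (nothing to send). The candidate is
    validated against the disposition:N format and the dispositions Splunk
    exposes, so a config typo fails loudly instead of closing with a bad ID.
    """
    mapping = (config_map or {}).get("splunk", {})
    candidate = mapping.get(closing_reason, default_disposition_id)
    if candidate is None:
        return None
    if not DISPOSITION_ID_RE.match(candidate):
        raise ValueError(f"malformed disposition ID {candidate!r} for {closing_reason!r}")
    if candidate not in {d["name"] for d in known}:
        raise ValueError(f"{candidate!r} is not a disposition known to Splunk")
    return candidate


def disposition_label(disposition_id, known=SPLUNK_DISPOSITIONS) -> Optional[str]:
    """Return the label Splunk shows for a disposition ID, or None if unknown."""
    return next((d["label"] for d in known if d["name"] == disposition_id), None)
```

In a live deployment the `known` list would be fetched from Splunk rather than embedded, so that dispositions added in ESS incident review configuration are recognised without a code change.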

Entities (notable events)


Known Issues

