Contents x
      Splunk 4.5.0
      • 27 Sep 2022
      • 2 Minutes to read
      • Dark
        Light
      • PDF
      Contents

      Splunk 4.5.0

      • Updated on 27 Sep 2022
      • 2 Minutes to read
      • Dark
        Light
      • PDF
      Article Summary

      tags: Python | SIEM | Log Management | Realtime Data | Realtime Events

      Description

      Integration with Splunk supports CDC users by providing the extraction of logs and observables from the Splunk platform. This enables CDC users to make informed decisions regarding incident response.

      Splunk searches, analyzes, and visualizes machine-generated data gathered from the websites, applications, sensors, devices, etc. that make up IT infrastructure and business. By consolidating log events and network flow data from thousands of devices, endpoints, and applications distributed throughout your network, Splunk correlates all of this information and aggregates related events into single alerts, to accelerate incident analysis and remediation.

      The integration is bi-directional. It enables the closure of incidents/alerts on the CDC, to trigger a closure of the respective alerts in Splunk as well. Search and related drill-down options are used to get additional information from Splunk. All of the read information is passed on to the CDC in the form of an alert, with information stored as raw information and observables.

      We have also provisioned this integration to be able to use either asynchronous APIs or backend APIs supported by the CDC, for alert ingestion.

      Integration Type:SIEM
      Information read:Logs from Splunk based on defined criteria.
      API Supported:API V8.0.5
      Input:N/A
      Output:Detailed logs that lead to the creation of alerts and observables in the CDC.

      Customer Configuration

      1. Create a new Role in Splunk, Call it 'API' for easy reference.
        • Under 'Inheritance', check the following:
          1. ess_analyst
          2. ess_user
          3. user
        • Under 'Capabilities', check the following:
          1. dispatch_rest_to_indexers
          2. rest_apps_management
      2. Create two new users that will be provided to CyberProof POC; e.g. user & user_notable. Make sure the user_notable user has a bigger/longer queue for larger data requests.
      3. Assign those users the 'API' role created in point 1.
      4. Provide the Splunk instance IP, Port and both usernames and passwords in a secure way with the CDC Deployment team, for the further configuration of the pack.

      API Account Configuration

      1. API Username 1 account (Notable search)

        • Search restrictions
          1. Restrict search time range: -1
          2. User-level concurrent search jobs limit: 3
          3. User-level concurrent real-time search jobs limit: 6
          4. Role-level concurrent search jobs limit: 0
          5. Role-level concurrent real-time search jobs limit: 0
          6. Limit total jobs disk quota: 700
        • Inheritance
          1. Ess_user
          2. User
        • Capabilities
          1. Dispatch_rest_to_indexers
          2. Rest_apps_management
        • Indexes search by default
          1. All non-internal indexes
          2. All internal indexes
          3. Notable
          4. Notable_summary
        • Indexes
          1. All non-internal indexes
          2. All internal indexes
          3. Notable
          4. Notable_summary

      2. API Username2 account drill-down search.

        • Search restrictions
          1. Restrict search time range: -1
          2. User-level concurrent search jobs limit: 7
          3. User-level concurrent real-time search jobs limit: 6
          4. Role-level concurrent search jobs limit: 0
          5. Role-level concurrent real-time search jobs limit: 0
          6. Limit total jobs disk quota: 700
        • Inheritance
          1. Ess_user
          2. User
        • Capabilities
          1. Dispatch_rest_to_indexers
          2. Rest_apps_management
        • Indexes search by default
          1. All non-internal indexes
          2. All internal indexes
          3. Notable
          4. Notable_summary
        • Indexes
          1. All non-internal indexes
          2. All internal indexes
          3. Notable
          4. Notable_summary
      ParameterRequiredComment
      Base URLTrue
      PortTrue
      API Username 1TrueFor Notable search
      API Password 2True
      API Username 2TrueFor Drill-Down Search
      API Password 2True

      CDC Command Lines

      No CDC command lines

      Workflows

      * **execute_query**
      Execute Splunk queries and set results in Redis.

      * **inject_splunk_alert_to_cdc**
      Inject Splunk alerts to the CDC using CDC backend or CDC asyncAPI.

      * **get_splunk_alert_data_from_redis**
      Get Splunk alert data from Redis, which needs to be injected to the CDC as an alert.

      * **create_alert_from_splunk**
      Push Splunk-formatted alerts to the CDC.

      Rules

      * **Splunk.cdc_closed_alert_listener_for_splunk**
      Close alerts in Splunk.

      * **cdc_new_alert_from_splunk**
      Triggers injecting new alerts to the CDC workflow, when a new alert is created in Splunk.

      Sensors

      * **AlertsSensor**
      Sensors to pull alerts from Splunk.

      Poll interval - 30s

      Triggers

      No triggers

      Known Issues

      No known issues

      Was this article helpful?
      What's Next