Purpose
This document provides setup information for the Splunk integration.
Introduction
Splunk is a software for searching, monitoring, and analyzing machine-generated big data. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
A trial version of Splunk can be downloaded from the official Splunk website. The integration is implemented in both OUTSCAN and HIAB and is mostly used by the Event Notification system and the Audit Log.
Splunk is integrated with both HIAB and OUTSCAN. This guide describes the integration from a HIAB, but the procedure is the same for OUTSCAN.
There are two ways of integrating with Splunk:
- TCP mode: create a user with a dedicated role.
- HTTP Event Collector (HEC) mode: create an HTTP Event Collector, which lets data and application events be sent to Splunk over HTTP and secure HTTP (HTTPS).
Prerequisites
- To set up the HIAB/OUTSCAN-Splunk integration in TCP mode, an index, a role, and a user must already exist in Splunk. It is recommended to create a new user with limited access rights and a separate Splunk index for the data sent from the HIAB to Splunk.
- The index must exist before the role for HIAB access is defined; otherwise, access cannot be restricted to that specific index. If an index has already been set up, skip to section Create a Role.
- The HTTP Event Collector does not require users and roles to be set up in Splunk, since it authenticates with an access token. An index is still required for the HTTP Event Collector. If an index has already been set up, skip to section Create an HTTP Event Collector.
A Splunk index is a repository for data in Splunk, stored in flat files on the Splunk instance.
Splunk Integration - TCP
Because of the limit on the number of characters that can be transferred through syslog to Splunk, the Gathered Information field of findings is excluded from the data sent in TCP mode, as it exceeds what can be sent via syslog.
Create Index
- Log in with an existing Splunk account.
- Go to Settings in the top left menu and then click Indexes in the DATA group.
- Click the New Index button in the upper right corner.
- Complete the index details. In the steps below, HIAB is used as the example index name.
- Click Save.
- The new index has been added to the list.
Create Roles
- Go to Settings in the top left menu and then click Roles in the USERS AND AUTHENTICATION group.
- Click the New Role button in the upper right corner.
- Create a role in Splunk according to the HIAB Integration Mode you want to use.
a) Create a role in Splunk and specify the following parameters for a TCP integration. See the Mode option in the HIAB Integrations Settings table.

| Parameter | Value |
|---|---|
| Name | hiab-tcp-indexer |
| Capabilities | edit_tcp |
| Indexes | hiab |

The role is only granted access to the indexes defined here.
- Click Create.
Create Users
In this section we add a new user (account) for the HIAB. This user is given the role created in the previous step, which effectively limits the account to pushing data to the specified index.
- Go to Settings in the top left menu and then click Users in the USERS AND AUTHENTICATION group.
- Click the New User button in the upper right corner.
- Click Add new on the user row:
  - Name: HIAB
  - Assign roles: hiab-indexer
- Click Save.
Procedure in HIAB/OUTSCAN
- In the HIAB, click Main Menu > Settings > Integration.
- Select the Splunk tab in the Integrations Settings window.
- Fill in the Integration settings as shown in the HIAB Integrations Settings table.
- Click the Save button.
- Click the Status button in the lower right corner to test the setup to Splunk.
The HIAB should now show pass, indicating a successful setup of the HIAB Integration with Splunk.
Splunk Integration - HTTP Event Collector
Create an HTTP Event Collector
- Go to Settings in the top left menu.
- Click Data Inputs in the DATA group.
- Click HTTP Event Collector in the Type row of the table.
- Click the Global Settings button at the top right of the menu.
- Click the Enabled button.
- Select the Enable SSL checkbox.
- Enter the HTTP port number.
- Click the Save button.
- Click the New Token button at the top right to create the token.
- Select the HIAB index that was created in the Create Index section at the beginning of the configuration.
- Click the Review button to review the configuration.
- Then click the Submit button.
- Make a note of the Token Value shown after submitting the configuration; it is needed in the HIAB/OUTSCAN settings.
Procedure in HIAB/OUTSCAN
- In the HIAB or OUTSCAN, click Main Menu > Settings > Integration.
- Select the Splunk tab in the Integrations Settings window.
- Fill in the Integration settings as shown in the Integrations Settings table.

Integrations Settings

| Option | Value |
|---|---|
| Enabled | Click this field to enable the Splunk feature. |
| Mode | Select the integration mode: TCP or HTTP Event Collector. |
| Host | Provide your Splunk server name. |
| Port | Provide the management port that Splunk is using to communicate. Port 443 is also available. |
| Username | Provide the username to authenticate against the Splunk server. |
| Password | Provide the password to authenticate against the Splunk server. |
| Token | HTTP Event Collector (HEC) token. The HEC token is sent in the headers of each data packet to authenticate it with Splunk. |
| Index | If the user enters an index that does not exist, a new one is created. All events are prefixed with the index name. |
| Send audit log | Check this box to send audit log entries to Splunk. |

- Click the Save button.
- Click the Status button in the lower right corner to test the setup to Splunk.
The HIAB should now show pass, indicating a successful setup of the HIAB Integration with Splunk.
The newly set up account only has access through the API and can only interact with the index, restricting its access.
Event Notifications for Splunk
Common Information Model
The Splunk CIM is a shared semantic model that focuses on extracting value from data. The CIM is an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.
You can now choose to send notifications related to Findings only in CIM format.
| Outpost24 name | Splunk CIM |
|---|---|
| Script Name | signature |
| Script ID | signature_id |
| Target | dest_ip |
| Hostname | dest_name |
| Bugtraq | bugtraq |
| Risk Level | risk |
| CVSS | cvss |
| CVE | cve |
| Family | category |
| Solution Patches | MSKB |
| Product | vendor_product |
| Severity | severity |
For settings, see Event Notification Module.
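As an added example, not Outpost24's or Splunk's own code, the following Python script shows what an HEC-mode sender of the kind configured above has to do for both the HTTP Event Collector section and the CIM table: rename a finding's Outpost24 fields to the CIM names in the table, wrap the result in an HEC event envelope that names the target index, and POST the batch to Splunk's collector endpoint with the token in the Authorization header over certificate-verified TLS. The host name, port 8088, the token value, the sourcetype name, the placeholder CVE and the sample finding are all constructed for the example; the `/services/collector/event` path, the `Splunk <token>` header format and concatenated-JSON batching are the documented HEC interface. Fields without a CIM mapping, including Gathered Information, are dropped here, which is a choice made for this example to mirror the TCP-mode note above.

```python
"""Added example (not Outpost24 or Splunk code): normalise a finding to CIM and ship it via HEC."""
import json
import ssl
import urllib.request

# Outpost24 -> Splunk CIM field names, taken from the table above.
CIM_FIELD_MAP = {
    "Script Name": "signature",
    "Script ID": "signature_id",
    "Target": "dest_ip",
    "Hostname": "dest_name",
    "Bugtraq": "bugtraq",
    "Risk Level": "risk",
    "CVSS": "cvss",
    "CVE": "cve",
    "Family": "category",
    "Solution Patches": "MSKB",
    "Product": "vendor_product",
    "Severity": "severity",
}

# Constructed sample finding for the example; not real scan output.
SAMPLE_FINDING = {
    "Script Name": "Example outdated service banner",
    "Script ID": 12345,
    "Target": "192.0.2.10",
    "Hostname": "srv-example.internal",
    "Risk Level": "High",
    "CVSS": 7.5,
    "CVE": "CVE-0000-00000",  # placeholder identifier, not a real CVE
    "Family": "Example family",
    "Product": "example_vendor:example_product",
    "Severity": "high",
    "Gathered Information": "x" * 5000,  # large field, dropped because it has no CIM mapping
}


def to_cim(finding):
    """Rename Outpost24 fields to their CIM names; fields with no mapping are dropped."""
    return {cim: finding[o24] for o24, cim in CIM_FIELD_MAP.items() if o24 in finding}


def hec_envelope(event, index, sourcetype="outpost24:finding", time=None):
    """Wrap a normalised event in the HEC JSON envelope; the index is the one created above."""
    envelope = {"event": event, "index": index, "sourcetype": sourcetype}
    if time is not None:
        envelope["time"] = time  # epoch seconds; HEC uses receipt time when absent
    return envelope


def build_hec_request(host, port, token, envelopes):
    """Return (url, headers, body) for one HEC POST carrying one or more envelopes.

    HEC accepts a batch as JSON objects written one after another in a single body.
    """
    url = f"https://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "".join(json.dumps(e) for e in envelopes).encode("utf-8")
    return url, headers, body


def split_hec_batch(body):
    """Decode a concatenated-JSON HEC body back into its envelopes (used to check a batch)."""
    decoder = json.JSONDecoder()
    text = body.decode("utf-8")
    pos, envelopes = 0, []
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        envelopes.append(obj)
    return envelopes


def send(host, port, token, envelopes, cafile=None):
    """POST the batch to HEC over TLS with certificate verification left on."""
    url, headers, body = build_hec_request(host, port, token, envelopes)
    ctx = ssl.create_default_context(cafile=cafile)  # pass the CA that signed the HEC cert
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC answers {"text": "Success", "code": 0} on success


if __name__ == "__main__":
    # Assumed values: host, port 8088 and token are placeholders for the example.
    batch = [hec_envelope(to_cim(SAMPLE_FINDING), index="hiab")]
    url, headers, body = build_hec_request("splunk.example.internal", 8088, "PLACEHOLDER-TOKEN", batch)
    print(url, headers["Authorization"], len(body), "bytes")
```

When run against a live instance, `send()` returns the collector's JSON acknowledgement; an HTTP 403 from `urlopen` means the token was rejected and an HTTP 400 with a body naming the index means the token is not allowed to write to it, which are the two failure modes the Status button in the HIAB surfaces.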
References
Splunk Documentation
- https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
- https://docs.splunk.com/Documentation/CIM/4.13.0/User/Overview