Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.



Introduction

Splunk is software for searching, monitoring, and analyzing machine-generated big data. It captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

A trial version of Splunk can be downloaded from the official Splunk website. The integration is implemented in both OUTSCAN and HIAB and is used mainly by the Event Notification system and the Audit Log.

Note

Splunk is integrated with both HIAB and OUTSCAN. This guide describes the integration from a HIAB, but the procedure is the same for OUTSCAN.

There are two ways of integrating with Splunk:

  • TCP mode: create a Splunk user with a dedicated, restricted role. HIAB/OUTSCAN authenticates with that user's username and password.
  • HTTP Event Collector (HEC) mode: create an HEC token. HIAB/OUTSCAN sends data and application events to Splunk over HTTP or HTTPS and authenticates each request with the token.

Prerequisites

  • To set up the HIAB/OUTSCAN-Splunk integration in TCP mode, an index, a role, and a user must already exist in Splunk.

    Tip

    It is recommended to create a new user with limited access rights and a separate Splunk index for the data sent from the HIAB to Splunk, so that a compromise of the integration credentials exposes only that index.
  • The index must exist before the role for HIAB access is defined; otherwise the role cannot be restricted to that specific index. If an index has already been set up, skip to the Create Roles section.
  • The HTTP Event Collector does not require a user or role to be set up in Splunk, since it authenticates with an access token. An index is still required. If an index has already been set up, skip to the Create an HTTP Event Collector section.

A Splunk index is a repository for data in Splunk; it resides in flat files on the Splunk instance.

Splunk Integration - TCP 

Create Index

  1. Log in with an existing Splunk account.
  2. Go to Settings on the top left menu and then click on Indexes in the DATA group.
  3. Click on the New Index button in the top right corner.
  4. Complete the index details. In the steps below, HIAB is used as the example index name.
  5. Click Save.
  6. The new index has been added to the list.

Create Roles

  1. Go to Settings on the top left menu and then click on Access Controls in the USERS AND AUTHENTICATION group.
  2. Click Add new on the Roles row in the table.
  3. Create a role in Splunk that matches the HIAB Integration Mode you want to use (see the Mode option in the Integrations Settings table). For a TCP integration, specify the following parameters:

      Parameter                     Value
      Name                          hiab-tcp-indexer
      Capabilities                  edit_tcp
      Indexes searched by default   hiab
      Indexes                       hiab

      Note

      The role is granted access only to the indexes defined here. edit_tcp is the one capability the account needs: it permits submitting events through Splunk's receivers REST endpoints on the management port. Do not add search or administrative capabilities, and do not inherit from a broader built-in role such as user.

Create Users

In this section we add a new user (account) for the HIAB. This user is assigned the role created in the previous step, which limits the account to pushing data into the specified index.

  1. Go to the Access Controls.
  2. Click Add new in the Users row of the table.
  3. Fill in the user details:
     • Name: HIAB
     • Assign role: hiab-tcp-indexer (the role created above; deselect any other role the form has pre-selected so the account holds only this one)
     • Password: a long, randomly generated value used only for this integration


Procedure in HIAB/OUTSCAN 

  1. In the HIAB, click Main Menu > Settings > Integration.
  2. Select the Splunk tab in the Integrations Settings window.
  3. Fill in the Integration settings as shown in the Integrations Settings table, with Mode set to TCP and the username and password of the user created above.
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the connection to Splunk.

The status should now show pass, indicating a successful setup of the HIAB Integration with Splunk.
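The Status button tests the connection from the HIAB side. The script below, added here as an example and not part of the Outpost24 or Splunk documentation, checks the Splunk side independently: it posts one constructed event with the HIAB account's credentials to the receivers/simple REST endpoint on the management port, which is the operation the edit_tcp capability permits, and reports which setup step to revisit when Splunk rejects it (401 for wrong credentials, 403 for a role without edit_tcp). The host name, port, environment variable names, sourcetype and probe text are assumptions made for this example.

```python
"""Smoke-test the Splunk account created for HIAB TCP mode.

Added example, not Outpost24 or Splunk code. It assumes that Splunk's
management port (default 8089) exposes the REST endpoint
/services/receivers/simple, which accepts a raw event from an account
holding the edit_tcp capability, and that the connection details are
supplied through the environment variables SPLUNK_HOST, SPLUNK_PORT,
SPLUNK_USER and SPLUNK_PASSWORD (names chosen for this example).
"""
import base64
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

RECEIVER_PATH = "/services/receivers/simple"
PROBE_EVENT = "hiab splunk integration probe"  # constructed test event


def build_receiver_request(host, port, user, password, index, sourcetype, event):
    """Build the POST that writes one raw event into `index` using HTTP Basic
    auth, i.e. the same username/password the HIAB is given in TCP mode."""
    query = urllib.parse.urlencode({"index": index, "sourcetype": sourcetype})
    url = f"https://{host}:{port}{RECEIVER_PATH}?{query}"
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url, data=event.encode(), method="POST",
        headers={"Authorization": f"Basic {creds}"},
    )


def interpret_status(status):
    """Translate the HTTP status into the setup step to revisit.
    200 is what the HIAB Status button reports as pass."""
    if status == 200:
        return "pass"
    if status == 401:
        return "fail: credentials rejected (check Create Users)"
    if status == 403:
        return "fail: account lacks the edit_tcp capability (check Create Roles)"
    return f"fail: unexpected HTTP {status}"


def probe(host, port, user, password, index="hiab", sourcetype="hiab:probe",
          verify_tls=True):
    """Send the constructed event and report pass/fail."""
    req = build_receiver_request(host, port, user, password, index, sourcetype,
                                 PROBE_EVENT)
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Splunk ships with a self-signed certificate; disable verification
        # only against a lab instance, never for the production integration.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)


if __name__ == "__main__":
    print(probe(
        os.environ["SPLUNK_HOST"],
        int(os.environ.get("SPLUNK_PORT", "8089")),
        os.environ["SPLUNK_USER"],
        os.environ["SPLUNK_PASSWORD"],
        verify_tls=os.environ.get("SPLUNK_VERIFY_TLS", "1") == "1",
    ))
```

Run it with the same credentials you entered in the HIAB; a 403 here with correct credentials means the role is missing edit_tcp or the user was not assigned the role, which the HIAB Status button reports only as a failure.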

Splunk Integration - HTTP Event Collector

Create an HTTP Event Collector

  1. Go to Settings on the top left menu.
  2. Click on Data Inputs in the DATA group.
  3. Click HTTP Event Collector in the HTTP Event Collector row of the table.
  4. Click the Global Settings button on the top right of the menu.
  5. Set All Tokens to Enabled.
  6. Select the Enable SSL checkbox so that tokens and events travel over HTTPS only.
  7. Enter the HTTP port number (Splunk's default HEC port is 8088). Note this port; it is the Port value to enter in the HIAB/OUTSCAN Integration settings for HEC mode.
  8. Click the Save button.
  9. Click the New Token button on the top right to create the token.
  10. Select the HIAB index that was created in the Create Index section at the beginning of the configuration. Leave the token's allowed indexes limited to this index so the token cannot write anywhere else.
  11. Review the configuration and then click on the Submit button.
  12. Record the Token Value shown after submitting. It is the only credential the HIAB needs in HEC mode, so store it as a secret.

Procedure in HIAB/OUTSCAN

  1. In the HIAB or OUTSCAN, click Main Menu > Settings > Integration.
  2. Select the Splunk tab in the Integrations Settings window.
  3. Fill in the Integration settings as shown in the Integrations Settings table.

    Integrations Settings

    Option           Value
    Enabled          Click on this field to enable the Splunk feature.
    Mode             HTTP Event Collector: the Token field is used; Username and Password are not available.
                     TCP: the Username and Password fields are enabled.
    Host             Provide your Splunk server name.
    Port             Provide the port Splunk listens on for the selected mode: the management port for TCP mode (default 8089), or the HTTP port configured in the HEC Global Settings for HTTP Event Collector mode (Splunk's default is 8088).
    Username         Provide the username to authenticate against the Splunk server (TCP mode).
    Password         Provide the password to authenticate against the Splunk server (TCP mode).
    Token            HTTP Event Collector (HEC) token (HEC mode). The token is sent in the Authorization header of each request to authenticate it with Splunk.
    Index            Name of the Splunk index to send to. If the index does not exist, a new one is created. All events are prefixed with the index name. Use the index created above; the restricted role and the HEC token only grant access to that index.
    Send audit log   (HIAB only) Check this box to send audit log entries to Splunk.
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the connection to Splunk.

The status should now show pass, indicating a successful setup of the HIAB Integration with Splunk.

Note

The newly set up account only has access through the API and can only interact with the configured index, which restricts its access.

Event Notifications for Splunk

Common Information Model

The Splunk CIM is a shared semantic model that focuses on extracting value from data. The CIM is an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

Tip

Notifications related to Findings can be sent in CIM format; this is selected in the Event Notification settings.

Outpost24 finding fields map to the following Splunk CIM field names:

    Outpost24 name     Splunk CIM
    Script Name        signature
    Script ID          signature_id
    Target             dest_ip
    Hostname           dest_name
    Bugtraq            bugtraq
    Risk Level         risk
    CVSS               cvss
    CVE                cve
    Family             category
    Solution Patches   MSKB
    Product            vendor_product
    Severity           severity
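As an added example (not Outpost24 or Splunk code), the script below applies the mapping above to a constructed finding, wraps the result in the HEC event envelope for the hiab index, builds the request with the HEC token in the Authorization header, and interprets Splunk's documented HEC reply codes. The field names of the constructed finding follow the left-hand column of the table, the sourcetype is an assumption, and Catagory is read as the CIM category field. Beyond the renaming, it splits a comma-separated CVE list into a multivalue field and rejects malformed identifiers, which the table alone does not show.

```python
"""Normalize an Outpost24 finding to the Splunk CIM field names listed in the
table above and wrap it as an HTTP Event Collector (HEC) event for the hiab
index.

Added example, not Outpost24 or Splunk code. The sample finding below is
constructed and its Outpost24 field names are taken from the table; the CIM
names are the table's, with "Catagory" read as CIM's category; the HEC
endpoint, Authorization header and reply codes are Splunk's documented HEC
behaviour; the sourcetype name is an assumption.
"""
import json
import re
import urllib.request

# Outpost24 finding field -> Splunk CIM field, as in the table above.
CIM_FIELD_MAP = {
    "Script Name": "signature",
    "Script ID": "signature_id",
    "Target": "dest_ip",
    "Hostname": "dest_name",
    "Bugtraq": "bugtraq",
    "Risk Level": "risk",
    "CVSS": "cvss",
    "CVE": "cve",
    "Family": "category",
    "Solution Patches": "MSKB",
    "Product": "vendor_product",
    "Severity": "severity",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Splunk's documented HEC reply codes that a misconfigured integration hits.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",  # token is not allowed to write to the requested index
    12: "Event field is required",
}


def to_cim(finding):
    """Rename mapped fields, split comma-separated CVE lists into a multivalue
    field, and keep only well-formed CVE identifiers. Fields that are not in
    the mapping are dropped rather than forwarded under an unnormalized name.
    Returns (event, rejected_cve_values)."""
    event, rejected = {}, []
    for name, value in finding.items():
        cim = CIM_FIELD_MAP.get(name)
        if cim is None:
            continue
        if cim == "cve":
            ids = [v.strip().upper() for v in str(value).split(",") if v.strip()]
            good = [v for v in ids if CVE_RE.match(v)]
            rejected.extend(v for v in ids if not CVE_RE.match(v))
            if good:
                event[cim] = good
            continue
        event[cim] = value
    return event, rejected


def hec_envelope(event, index="hiab", sourcetype="outpost24:finding", host="hiab"):
    """HEC JSON envelope: index, sourcetype and host are metadata, the CIM
    fields are the event body."""
    return {"index": index, "sourcetype": sourcetype, "host": host, "event": event}


def build_hec_request(splunk_host, port, token, envelope):
    """POST to /services/collector/event; HEC authenticates with the
    'Splunk <token>' Authorization header, not with a user account."""
    url = f"https://{splunk_host}:{port}/services/collector/event"
    return urllib.request.Request(
        url, data=json.dumps(envelope).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )


def interpret_hec_reply(body):
    """Map HEC's JSON reply to its meaning. Code 7 (Incorrect index) is what a
    token restricted to the hiab index returns if an event names another index."""
    code = json.loads(body).get("code")
    return HEC_CODES.get(code, f"unknown HEC code {code}")


SAMPLE_FINDING = {  # constructed example record, not real scan output
    "Script Name": "Example remote check",
    "Script ID": 100001,
    "Target": "10.0.0.5",
    "Hostname": "web01.example.internal",
    "Risk Level": "High",
    "CVSS": 7.5,
    "CVE": "CVE-2021-1234, cve-2021-5678, not-a-cve",
    "Family": "Web Servers",
    "Product": "example-vendor example-product 1.0",
    "Severity": "high",
    "First Seen": "2021-03-01",  # not in the CIM mapping; dropped
}

if __name__ == "__main__":
    cim_event, bad = to_cim(SAMPLE_FINDING)
    print(json.dumps(hec_envelope(cim_event), indent=2))
    print("rejected CVE values:", bad)
```

Code 7, Incorrect index, is the reply when the token created in Create an HTTP Event Collector is limited to the hiab index and an event asks for a different one; that is the expected outcome of the least-privilege setup, not a defect.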

For the settings, see Event Notifications.

References

Integrations

Splunk Documentation