Splunk

Integration version: 50.0

The Splunk app prepares cases with all of the relevantalerts and events from Splunk. There are two ways to ingest these cases intoGoogle Security Operations: pull based, and push based methods.

The first method is calledpull based. Using this method, in order to ingestcases into Google SecOps, you need to configure the Splunk PullConnector, which pulls cases from the Splunk app. Thismethod doesn't require any additional configuration in the Splunk app.

The second method is calledpush based. Using this method, the Splunk appperforms API calls to Google SecOps to add a new case. In order towork with this method, you need to generate a Google SecOps API keyand add a Google SecOps URI in the configuration of the app.

Create an API key:

1. Navigate toSettings> Advanced> API.

2. Click the plus sign on the top right to add a new API key.

3. Enter the name of the API key and clickCreate.

   Note: To the push based method to work, you need to have a basic or adminlevel of permissions.

4. Copy the API key.

How to configure Splunk to work with Google SecOps

Prerequisites for enabling or disabling token authentication

Before you can enable token authentication, you must complete the followingrequirements:

• The Splunk platform instance where you want to enable token authenticationmust not operate in legacy mode, where Splunk Web operates as a separateprocess. If the Splunk platform is in legacy mode, token authentication doesnot run. For more information on legacy mode, see theStart and Stop SplunkEnterprisedocument in the Splunk Eneterprise Admin Manual.

• The account that you use to log into the Splunk platform must hold a rolethat has the edit_tokens_settings Splunk platform capability before you canturn token authentication on or off.

Enable token authentication using Splunk Web

When token authentication is off, the following message displays on theTokenspage in Splunk Web:

Token authentication is currently disabled > To enable token authentication, click Enable Token Authentication.

Complete the following steps on the instance where you want to enable tokenauthentication:

1. Log in to the Splunk platform instance as an administrator user, or a userthat can manage tokens settings. You cannot use a token to log in to SplunkWeb. You must provide a valid user name and password.

2. After you log in successfully, in the system bar, selectSettings>Tokens.

3. ClickEnable Token Authentication. The Splunk platform instance enablestoken authentication immediately, and there is no need to restart theinstance.

Use Splunk Web to create authentication tokens

1. In the system bar, clickSettings> Tokens.

2. ClickNew Token.

3. In theNew Token dialog, enter the Splunk platform user that you want tocreate the token for in theUser field.

4. Enter a short description of the token purpose in theAudience field.

5. (Optional) In theExpiration list, selectAbsolute Time orRelative Time. This selection determines what to enter in the text fieldbelow the list.

   • If you selectedAbsolute Time, then two text fields appear under thelist.

     1. Enter a valid date into the first field. You can also click thefield to select a date from a pop-up calendar.

     2. Enter a valid 24-hour time in the second field.

   • Otherwise, one text field appears under the drop down list.

     1. Enter a string that represents how long after the current time youwant the token to remain valid. For example, if you want the tokento expire 10 days from now, enter+10d into this field.

6. (Optional) In theNot Before list, selectAbsolute Time orRelative Time.

   Repeat the step you used for the Expiration control. The Not before timecan neither be in the past, nor can it be later than the "Expiration" time.

7. ClickCreate. TheNew Token window updates theToken field to showyou the token that has been generated.

8. Select all of the token text in the field. Depending on your operatingsystem and browser, you can click on theToken field, then either tripleclick or press Ctrl-A or Command-A on your keyboard. Confirm that you haveselected all of the token text. There are no further opportunities to seethe whole token after you close the window.

9. Copy the text from theToken field.

10. Paste the token into a text file, e-mail, or other form of communication tothe person you have authorized to use the token. Confirm that you share thetoken only with those who you have authorized to use it. Anybody who has thefull token can use it to authenticate.

11. ClickClose.

12. Use a token to configure the Google SecOps Splunk integration.

Installation

Single search head

1. Download the TA-Siemplify package to your local computer.https://splunkbase.splunk.com/app/5010/

2. Install the app on your search head.

   SelectApp: Search & Reporting. TheUpload an app dialog appears.

3. ClickChoose File and select the app file.

4. ClickUpload. Wait until the file is uploaded.

5. Restart Splunk.

Configure TA-Siemplify

1. In Splunk Enterprise, go to theApps page.

2. SelectSiemplify.

3. In theAdd on Settings tab, add the following:

   For push based method:

   • Set theSiemplify API URI to the URI of yourGoogle SecOps server.
   • SetMode toPush mode.
   • In theAPI Key field, enter the token value that was generated inthe API Keys section.

   For pull based method:

   • Set theMode toPull mode.

4. ClickSave.

Alert Configuration

To send alert and event data to Google SecOps, a trigger action mustbe added to an existing Splunk Alert.

The Environment, Device Vendor, Device Product, and Event Type fields supportevent templating. Event templating allows the specific fields withinGoogle SecOps to be dynamically set based on values in the alert. Toutilize event templating, surround a field name with square brackets '[ ]'. Thefirst event in the alert will be used to fill in these fields.

Example: If you have an alert that contains a field device_vendor with a valueofMicrosoft, you can put [device_vendor] in the Device Vendor configurationparameter and when the alert is sent to Google SecOps the vendor willbe set toMicrosoft.

1. In Splunk, navigate toAlerts.

2. In theEdit list, selectEdit Alert.

3. In theTrigger Actions section, navigate toAdd Actions>Send Alert to Siemplify.

4. Configure the Alert as follows:

   • Name: The value set here will affect the name of the Alert.
   • Priority: The value set here will affect the priority of theGoogle SecOps case.
   • Category: Used to define the visual family.
   • Environment: Maps to the environment in Google SecOps.Leave blank for no environment. Templating with square brackets issupported.
   • Device Vendor: Used to define the vendor of the system sending theevent into Google SecOps. If the alerts were generated byMicrosoft Sysmon use Microsoft or from a value within the alert/eventusing templating.
   • Device Product: Used to define the product of the system sending theevent into Google SecOps. If the alerts were generated byMicrosoft Sysmon, this value should be Sysmon or from a value within thealert/event using templating.
   • Event Type: Used to define the event type in theGoogle SecOps Event Configuration section. If the alert waslooking for malicious processes, the event type should be something like"Process Found" or from a value within the alert/event using templating.
   • Time Field: Used to define the StartTime and EndTime of theGoogle SecOps Case. If this is not supplied, it will check forthe "_indextime" field. If it is unable to find "_indextime", it will usethe time the alert was generated. Templating is not supported.
   • Expand MultiValue Fields: By setting this to 1 the system will findany multivalue fields and create additional fields mapping to each value inthe multivalued field. For example, if a multivalue field, src_hosts,contains a value of: Server1, Server2, Server3. The system will createnew fields of: src_hosts_0: Server1, src_hosts_1: Server2, src_hosts_2:Server3. This option is only supported when Bring All Events Data isdisabled.
   • Bring All Events Data: This setting will attempt to bring the rawevents that make up an alert containing a transforming command (chart,timechart, stats, top, rare, contingency, highlight). To support this achange to the Splunk Search Head is required.

5. To enable raw events from transformation searches, copy:$SPLUNK_HOME/etc/apps/TA-siemplify/default/savedsearches.conf to$SPLUNK_HOME/etc/apps/TA-siemplify/local/savedsearches.conf Edit:$SPLUNK_HOME/etc/apps/TA-siemplify/local/savedsearches.conf Uncomment:#dispatch.buckets =1

6. Save the file and restart Splunk for these settings to take effect.

Troubleshooting

To change the log level toDEBUG, complete the following steps:

1. In Splunk Web, select your application.

2. Go toSettings> Server settings> Server logging.

3. For theLog level parameter, selectDEBUG.

4. ClickSave.

Querying log data from Google SecOps TA will depend on your Splunkimplementation. If you have Splunk CIM installed, the logs will be in thecim_modactions index. Otherwise, the logs will be in the_internal index.

Network

Network Access to Splunk API access from Google SecOps to Splunk:Allow traffic over port 8089.

How to deploy Google SecOps add-on in cluster environment

To create deployment server and search heads complete the following steps:

1. Log in to the deployment server using SSH.

2. Make sure that/opt/splunk/etc/system/local/serverclass.conf file exists.If not, execute:

   vi /opt/splunk/etc/system/local/serverclass.conf

   Example of the configuration is as follows:

   [global] # whitelist matches all clients.[serverClass:AllApps] [serverClass:AllApps:app:*] [serverClass:Google Security OperationsAPP]

3. Upload and extract app file in the/opt/splunk/etc/deployment-appsdirectory.

4. Create Splunk user if it doesn't exist:

   useradd splunk

5. Create splunk group doesn't exist:

   groupadd splunk

6. Add Splunk user permissions for the app:

   chown splunk:splunk {app path}

7. Login to search heads using SSH.

8. Add search heads as clients to the deployment server:

   /opt/splunk/bin/splunk set deploy-pollIP_ADDRESS:8089 #(deployment server ip address)

9. Restart all of the search heads.

10. Log in to the UI of the deployment server.

11. Navigate toSettings> Distributed Environment> Forwarder Manager.

12. Go to theServer Classes tab and clickNew Server Class.

13. Provide a name for the server class.

14. Add Google SecOps add-on as an app and the Search Heads asclients.

15. Restart all of the Search Heads.

16. Make sure that the app is configured properly on all search heads. Splunkdoesn't consistently sync the apps across the cluster.

Known Issues

If you receive theint() argument must be a string, a bytes-like object or anumber, not 'NoneType'. Please double check spelling and also verify that acompatible version of Splunk_SA_CIM is installed error in the logs, make surethat the API root and API key parameters in the configuration have a value, evenif you are working with the Pull mode.

Configure Splunk integration in Google SecOps

The Splunk integration gives you the ability to verify the connection using a CACertificate file. This is an additional connection verification method.

To use this method you need to have the following:*

• CA Certificate file
• Splunk integration version 26.0 or higher

Configure the integration in Google SecOps:

1. Parse your CA Certificate file into a Base64 string.

2. Open the integration configuration page.

3. In theCA Certificate File field, enter the CA Certificate string.

4. To test the connection, select theVerify SSL checkbox and clickTest.

For detailed instructions on how to configure an integration inGoogle SecOps, seeConfigureintegrations.

Integration parameters

Use the following parameters to configure the integration:

Actions

Get Host Events

Description

Get events related to hosts in Splunk.

Parameters

Run On

This action runs on the Hostname entity.

Action Results

Script Result

JSON Result

[{"app":"SA-AccessProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087674","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"0","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".404","_time":"2021-02-02T04:01:58.404+02:00"},{"_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087731","_indextime":"1612231318","_kv":"1","_raw":"127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms","_serial":"1","_si":["splunk","_internal"],"_sourcetype":"splunkd_access","_subsecond":".172","_time":"2021-02-02T04:01:58.172+02:00"},{"app":"SA-EndpointProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087653","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"2","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".804","_time":"2021-02-02T04:01:57.804+02:00"}]

Case Wall

Ping

Description

Test connectivity to Splunk with parameters provided at the integrationconfiguration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result

Case Wall

Splunk Csv Viewer

Description

[{"app":"SA-AccessProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087674","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"0","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".404","_time":"2021-02-02T04:01:58.404+02:00"},{"_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087731","_indextime":"1612231318","_kv":"1","_raw":"127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms","_serial":"1","_si":["splunk","_internal"],"_sourcetype":"splunkd_access","_subsecond":".172","_time":"2021-02-02T04:01:58.172+02:00"},{"app":"SA-EndpointProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087653","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"2","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".804","_time":"2021-02-02T04:01:57.804+02:00"}]

{"index":"default","bytes":70,"host":"dogo","source":"www","sourcetype":"web_event"}

[{"app":"SA-AccessProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087674","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"0","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".404","_time":"2021-02-02T04:01:58.404+02:00"},{"_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087731","_indextime":"1612231318","_kv":"1","_raw":"127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms","_serial":"1","_si":["splunk","_internal"],"_sourcetype":"splunkd_access","_subsecond":".172","_time":"2021-02-02T04:01:58.172+02:00"},{"app":"SA-EndpointProtection","_bkt":"_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7","_cd":"425:9087653","_indextime":"1612231318","_kv":"1","_raw":"02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"","_serial":"2","_si":["splunk","_internal"],"_sourcetype":"scheduler","_subsecond":".804","_time":"2021-02-02T04:01:57.804+02:00"}]

For detailed instructions on how to configure a connector inGoogle SecOps, seeConfiguring theconnector.

To configure the selected connector, use the connector-specific parameters listedin the following tables:

• Splunk Query Connector configuration parameters
• Splunk Pull Connector configuration parameters
• Splunk ES - Notable Events Connector configuration parameters

Splunk Query Connector

The connector sends queries that are a part of the dynamic list (whitelist),retrieves results, and builds a case based on the retrieved results.

Sample Splunk queries to view the logs

1. Queries should be entered as the dynamic list (whitelist) rules.

2. Search queries with multiple filters should use space as a delimiter betweensearch filters—for example,index=cim_modactions sourcetype=modular_alerts:risk.

3. Using multiple dynamic list (whitelist) rules rather than entering multiplespace-delimited search filters into the same rule results in a separatesearch executed for every added rule.

   • index=cim_modactions
   • sourcetype=modular_alerts:send_data_to_siemplify
   • index=_internal sourcetype=splunkd
   • component=sendmodalert
   • action=send_data_to_siemplify
   • index=_internal source=/opt/splunk/var/log/splunk/send_data_to_siemplify_modalert.log

Connector parameters

To configure the connector, use the following parameters:

Connector rules

The connector supports proxy.

Splunk Pull Connector

Pull alerts and events from Splunk into Google SecOps.

Connector parameters

To configure the connector, use the following parameters:

Connector rules

The connector supports proxy.

Splunk ES - Notable Events Connector

Ingest notable events from Splunk ES.

(`get_notable_index` OR `get_sequenced_index`) | eval `get_event_id_meval`,rule_id=event_id | tags outputfield=tag | `mvappend_field(tag,orig_tag)` |`notable_xref_lookup` | `get_correlations` | `get_current_status` | `get_owner`| `get_urgency` | typer | where (urgency="medium" AND urgency="low") AND(status_label="Unassigned" OR status_label="New")  | tail 50 | fields *

search (`get_notable_index` OR `get_sequenced_index`) | eval epoch=_time | eval`get_event_id_meval`,rule_id=event_id | tags outputfield=tag |`mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` |`get_current_status` | `get_owner` | `get_urgency` | typer | where(urgency!="informational" AND urgency!="low" **AND isTesting = "True"**) |fields *

[{"indicator":"2012/06/29_21:50","tlp":"TLP:RED","itype":"mal_url","severity":"very-high","classification":"public","detail":"","confidence":50,"actor":"","feed_name":"import","source":"admin","feed_site_netloc":"localhost","campaign":"","type":"url","id":"anomali:indicator-578a9be5-0e03-4ec0-940d-4b1842f40fd0","date_last":"2020-07-15 08:12:07 AM","Url":"indicator"},{"indicator":"2010/12/19_16:35","tlp":"TLP:RED","itype":"mal_url","severity":"very-high","classification":"public","detail":"","confidence":50,"actor":"","feed_name":"import","source":"admin","feed_site_netloc":"localhost","campaign":"","type":"url","id":"anomali:indicator-52cadd07-330a-45fd-962f-32e22d36a89a","date_last":"2020-07-15 08:12:07 AM"}]

Need more help?Get answers from Community members and Google SecOps professionals.