
Deploying SOC Prime's SSL Framework for Splunk

How to deploy the SSL Framework Content Pack from the SOC Prime Platform into your Splunk instance

Written by Andrew Vdovin

Overview


This guide describes how to deploy SOC Prime's SSL Framework Content Pack available on the SOC Prime Platform right into your Splunk instance.

SOC Prime's SSL Framework combines the capabilities of Qualys SSL Labs and SIEM systems. As a result, this integration enables automatic tracking of the status of SSL certificates and the security of web servers in the corporate domain.

SSL Framework is a utility that natively connects to the Qualys SSL Labs API to enable monitoring of your company’s domains. It also provides interactive dashboards and real-time email alerts on the security status changes. Combining SSL Framework with Splunk enables security practitioners to keep up with all the information about SSL certificates in their company. More specifically, this includes:

  • Automated general data gathering

  • Updates on the implementation of encryption algorithms and ciphers

  • Scheduling machine-based checks

  • Showing overall server rating

  • Monitoring the expiry date and notifying you of changes and of new vulnerabilities that your certificate version may become exposed to as the threat landscape keeps evolving

Downloading SSL Framework for Splunk from the SOC Prime Platform


Our automated solution for managing SSL/TLS encryption certificates using SOC Prime's SSL Framework is available on Splunkbase and on the SOC Prime Platform.

To download SSL Framework for Splunk from the SOC Prime Platform:

  1. Log in to the Platform using your credentials.

  2. Go to Content > Advanced Search, enter ssl framework in the Search Bar, and press Enter.

  3. After getting the search results, select SSL Framework to open the content item page.

  4. On the content item page, select the Splunk tab.

  5. Check the description and pay attention to the Dependencies & Recommendation section. Then, click the Download button.

Installing SSL Framework


After downloading SSL Framework from the SOC Prime Platform and saving the application package to your workstation, install it in Splunk:

  1. Log in to your Splunk instance to start installation.

  2. After logging in, go to the Apps section by clicking the Gear icon.

  3. Click the Install app from file button in the top right corner, and then find and select the previously downloaded SSL Framework app.

  4. Upload the SSL Framework by clicking the Upload button.

  5. Once the application is installed successfully, configure it by clicking the Set up now button.

    Note:

    For monitoring external domains or hosts, the Qualys API will be used.

    For monitoring internal hosts, an internal script will be used.

  6. Configure all the application settings, including internal and external domains, proxy, authentication, etc.

  7. Click the Save button to finish the installation.

    After a successful configuration of SSL Framework in your Splunk instance, the SSL Framework Dashboard should look like this:

    Note:

    Domain scan scripts are scheduled for 4 a.m. every night, so don’t worry if the Dashboard is empty.
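As an added illustration of the kind of check the note above describes for internal hosts (example code written for this guide, not the SSL Framework app's own internal script), the following Python script pulls a host's certificate, derives the Valid Until date and a state such as the Current State table shows, and emits one JSON event per host. The 30-day warning threshold, the state names and the placeholder host are assumptions.

```python
import json
import socket
import ssl
import time

# Constructed example, not the SSL Framework app's own internal script: a minimal
# certificate check for an internal host that emits one JSON event per host, in
# a shape a Splunk scripted input could ingest.
WARN_DAYS = 30  # assumed threshold for the "expires soon" state

def cert_summary(cert, ip, now_ts, warn_days=WARN_DAYS):
    """Summarize a certificate dict as returned by SSLSocket.getpeercert()."""
    subject = dict(item for rdn in cert.get("subject", ()) for item in rdn)
    valid_until = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (valid_until - int(now_ts)) // 86400  # floor: -1 once expired
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "EXPIRES_SOON"
    else:
        state = "OK"
    return {
        "ip": ip,
        "common_name": subject.get("commonName", ""),
        "valid_until": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(valid_until)),
        "days_left": days_left,
        "state": state,
    }

def check_host(host, port=443, timeout=5.0):
    """Connect to an internal host, validate its chain and return a summary event.
    A failed handshake (untrusted chain, hostname mismatch, expired certificate)
    or an unreachable host is reported as its own state instead of raising."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    empty = {"ip": "", "common_name": "", "valid_until": "", "days_left": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ip = sock.getpeername()[0]
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                event = cert_summary(tls.getpeercert(), ip, time.time())
    except ssl.SSLCertVerificationError as exc:
        event = dict(empty, state="VERIFY_FAILED", reason=exc.verify_message)
    except OSError as exc:
        event = dict(empty, state="UNREACHABLE", reason=str(exc))
    event.update({"host": host, "port": port, "checked_at": int(time.time())})
    return event

if __name__ == "__main__":
    for h in ["intranet.example.internal"]:  # placeholder host list
        print(json.dumps(check_host(h)))
```

Each printed line is a single JSON event, so a scheduled run of the script can be indexed as-is and searched by state.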

Working with SSL Framework


The day after a successful domain scan (happening every night at 4 a.m.), SSL Framework Dashboards display information about your domains:

[Screenshot: SSL Framework Dashboard]

After analyzing the results, you can find all the information about the certificates of your domains.

In the example in the screenshot above:

  • 2 unique domains are monitored

  • 2 unique IP addresses

  • No domains with issues

  • No domains with certificates that will expire shortly

The TOP Domains with Vulnerabilities Dashboard shows that everything is running properly:

[Screenshot: TOP Domains with Vulnerabilities Dashboard]

The Soon to Expire Certification Dashboard shows that there are no domains with certificates that will expire soon:

[Screenshot: Soon to Expire Certification Dashboard]

The Last Checked Servers Dashboard table displays the statistics on the last scan of the checked domains, including the following details:

  • Last Scanned Time

  • IP Address

  • Valid Until

  • Full report on the last scan

[Screenshot: Last Checked Servers Dashboard]

The Current State Dashboard table displays the current statistics on the following items:

  • Domains

  • IP Address

  • Rating

  • State

[Screenshot: Current State Dashboard]

If the rating changes or a new vulnerability appears during the next scan, all these updates will be displayed on the Overall Rating Changed Dashboard table:

[Screenshot: Overall Rating Changed Dashboard]

Working with Alerts


This application comes with predefined alerts that send you email notifications when certain changes occur:

[Screenshot: predefined alerts]

For example, in this case, the trigger for sending alert notifications was adding new domains:

[Screenshot: alert triggered by adding new domains]

Downloaded Content Rating and Reviewing


We encourage security practitioners to share their feedback on the downloaded content by rating the content quality and leaving a review.

To leave your feedback on the downloaded SSL Framework for Splunk:

  1. Click the Write Review button if the review panel is hidden.

  2. Choose how to provide your feedback:

    1. Rate content using the star rating system

    2. Write your review on the content quality

  3. For an anonymous review, select the corresponding checkbox.

  4. Click the Submit button.

Troubleshooting


If you have encountered any issues and need assistance, contact us in the live chat available on any page of the SOC Prime Platform:

  1. Click the chat icon in the lower right corner of the screen.

  2. Select the Messages tab and click Send us a message.

  3. Describe your issue or question, mentioning the name of the content item it relates to.
