
Using Automation with Splunk

Written by Sergey Bayrachny

Integration


To integrate Automation (previously called Continuous Content Management, or CCM) with your Splunk environment, install SOC Prime CCM App for Splunk - Optimized from Splunkbase. "Optimized" denotes SOC Prime CCM App for Splunk v2.0.1 or later. Earlier (deprecated) versions of the App are available here.

Requirements


  • Splunk v. 8.x or higher, or Splunk Cloud. If you have an all-in-one Splunk environment, use this guide to install the app. If you have a distributed Splunk environment, please contact SOC Prime support for help with installation since it may be specific to your configuration.

  • Access to the TDM API. Check if you have it here.

Installation of the SOC Prime CCM App for Splunk - Optimized


  1. Open the Splunk Web Console.

  2. Select the gear icon on the Apps tab.

  3. Click the Browse more apps button.

  4. Type "SOC Prime CCM App for Splunk - Optimized" in the search field to find the app and proceed to its installation in your environment.

Selecting Content and Configuring Jobs in Automation


To stream content from TDM to your Splunk Environment, you need to select rules of interest and configure their deployment through Jobs. Jobs are automated deployment tasks that include the rules you want to deploy and all additional deployment configurations.

Start with selecting rules you'd like to deploy. To this end, create a Content List. You can make it:

  • Dynamic: Define selection criteria to add and continuously update rules automatically. When setting up a Dynamic list, select Splunk Alert in the Content Platform dropdown to limit the automatically selected rules to only those that have translation into the Splunk Alert format.

  • Static: Add rules manually one by one from the SOC Prime Threat Detection Marketplace. After creating a static List, fill it with content by clicking the Add to List icon on the pages of the rules that are relevant to you.

  • Inventory: Add rules manually one by one from the Inventory page of a different SIEM to copy them to your Splunk instance as Splunk Alerts.

You can find out more about Content Lists here.

When you've selected the rules of interest, create a Job to stream them:

  1. Go to the Jobs section in Automation and click Create.

  2. Name your Job.

  3. Select Splunk in the Platform dropdown and Alert in the Content Type dropdown.

    Note that the Environment field is disabled. The environment you're going to stream the rules to is the one where you've installed SOC Prime CCM App for Splunk - Optimized.

  4. Define if Custom Field Mapping should be applied to the deployed rules.

    When the Use Default Custom Field Mapping based on Log Source checkmark is set, Custom Field Mapping is applied to content based on the log source products the content is intended for. For a Custom Field Mapping profile to be applied as part of this feature, it should have the Make Default checkmark set in its settings.

    If you disable this option, a Custom Field Mapping dropdown appears. Use it to select a single Custom Field Mapping profile that should be applied to all content in the connected List, or leave the dropdown empty to apply no Custom Field Mapping within the Job.

    To create a new Custom Field Mapping profile, go to Automate > Custom Field Mapping. You can find out more about Custom Field Mapping here.

  5. Optionally, select a Config for alternative translations if your environment uses an alternative data schema like cim, datamodel, corelight, or ocsf.

  6. Select your Content List.

  7. Optionally, configure and select a Preset. Presets are templates to modify rule parameters before deployment. You can find out more about them here. You can also create Filters to add extra conditions to the detection logic before deployment. Filters are linked to Presets. You can find out more about Filters here.

  8. Click Save Changes.

    The Schedule dropdown is disabled since Job execution is managed in SOC Prime CCM App for Splunk - Optimized (with the Interval setting in the parameters on the Input tab).

    Note:

    In the App versions 2.0.0 and earlier, Job execution is managed in More Settings > Interval in the parameters of SOC Prime CCM App for Splunk data input.

  9. Enable the newly created Job by clicking the On/Off switch.

Configuring the App in Your Splunk Environment


Please, select your version of the app and follow the instructions.

SOC Prime CCM App for Splunk - Optimized (v2.0.1 and later)

Configure what Automation Jobs to run and at what schedule on the Inputs tab of the App:

  1. Select SOC Prime CCM App for Splunk - Optimized in the main Apps menu.

  2. Select the Inputs tab.

  3. Click Create New Input.

  4. Fill in the parameters.

    • Name (required). The name of this Splunk input

    • Interval (optional). The interval of rule synchronization with the Automation module in seconds. If no value is set, 600 seconds is used by default

    • Index (not needed). By default, the "default" value is set. No need to change

    • CCM API key (required). TDM API key from your SOC Prime Platform account. Copy it from here and treat it as a secret: it grants access to the TDM API on behalf of your account

    • Jobs (required). Specify the names of the Jobs configured in Automation that include Content Lists with rules you want to deploy. Format: ["<job1>", "<job2>", ... ]

    • Splunk REST API host and port (optional). May be necessary for remote content installation. Format: ["<splunk_host>:<port>"]. Default: ["localhost:8089"]

    • Splunk REST API username (optional). May be necessary for remote content installation

    • Splunk REST API password (optional). May be necessary for remote content installation. If you set these credentials, use a dedicated Splunk service account with only the permissions needed to create and edit saved searches in the App rather than an administrative account, since the credentials are stored with the input

    • Rule exceptions (optional). Specify rules that should be excluded from deployment if they are present in any Job. Format: ["<rule_name1>", "<rule_name2>", ... ]

    • Force updating content (optional). Force synchronization of all saved searches and parameters from Automation. Format: true/false. By default: true

  5. Click Add.

Additionally, you can configure a proxy and logging level.

  1. Open the app and select the Configuration tab.

  2. Select the Proxy tab.

    Configure your proxy if you use one and click Save.

  3. Select the Logging tab.

    Set the logging level for the app and click Save.

SOC Prime CCM App for Splunk (v2.0.0 and earlier)

Configure what CCM Jobs to run and at what schedule using the Data Inputs menu in Splunk:

  1. Select Settings > Data Inputs.

  2. In the list of inputs, find SOC Prime CCM App for Splunk and click Add new.

  3. Fill in the parameters.

    • Name (required). The name of the Splunk Input parameter

    • CCM API key (required). TDM API key from your SOC Prime Platform account. Copy it from here

    • Jobs (required). Specify the names of the Jobs configured in Automation that include Content Lists with rules you want to deploy. Format: ["<job1>", "<job2>", ... ]

    • Proxy server (optional). Specify the proxy server you use for connection to Automation. Format: <host>:<port>

    • Rule exceptions (optional). Specify rules that should be excluded from deployment if they are present in any Job. Format: ["<rule_name1>", "<rule_name2>", ... ]

    • Splunk REST API host and port (optional). May be necessary for remote content installation. Format: ["<splunk_host>:<port>"]. Default: ["localhost:8089"]

    • Splunk REST API username (optional). May be necessary for remote content installation

    • Splunk REST API password (optional). May be necessary for remote content installation. As with the Optimized App, prefer a dedicated Splunk service account with only the permissions needed to create and edit saved searches rather than an administrative account

Managing Job Execution

By selecting More settings, you can change the schedule of rule synchronization with the Automation module (that is, the execution time of the Job the rules are associated with) and set the source type. By default, the synchronization is run once every 30 minutes. The Cron format can be used for configuring the Interval settings.

Managing Rules and Debugging Deployment


Since integration with Splunk is implemented via SOC Prime CCM App for Splunk - Optimized rather than via setting up an integration environment on the SOC Prime Platform, Inventory and History components of Automation cannot be used for Splunk. Instead, you can manage rules and debug rule deployment directly in SOC Prime CCM App for Splunk - Optimized.

  1. Select SOC Prime CCM App for Splunk - Optimized in the main Apps menu.

  2. Check information about deploying, updating, and running rules on dashboards:

  • CCM Rule Status:

    • Status of all deployed rules (Enabled/Disabled)

    • Rule count and stats on the last update

  • CCM Rule Deployment History — statistics and logs of the deployment process:

    • Deployment of new alerts

    • Alert updates

    • Failed deployments and their causes

  • CCM Rules Running History — information on running statuses of deployed alerts:

    • When was the last run

    • Number of results

    • Result status

To check all alerts installed from Automation via SOC Prime CCM App for Splunk - Optimized, select the Alerts tab and click This App's.

To view the settings of a certain alert and make changes to them, click on the alert.

The fired events for this alert are also displayed on this page. You can configure actions for all available alerts.
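Because the Inventory and History components are unavailable for Splunk, the dashboards and the Alerts tab above are the built-in way to see what the App has deployed. The following added example is not the App's own code and does not come from the original page; it audits the same thing from outside Splunk Web. It pulls the alerts owned by the App through Splunk's standard saved-searches REST endpoint, counts enabled, disabled and unscheduled alerts, and verifies that nothing listed in the input's Rule exceptions (same JSON-array format as the input field) was deployed anyway. The App directory name APP_NAME, the SPLUNK_* and RULE_EXCEPTIONS environment variables and the sample entries are assumptions, and the sample payload is constructed. Run the live query with a read-only Splunk account.

```python
"""Audit the alerts the CCM App deployed, via Splunk's saved-searches REST endpoint.

Added example; not part of the SOC Prime App or its documentation.
Assumptions: the App's directory name (APP_NAME), the environment variable
names used to reach a live search head, and the constructed SAMPLE_ENTRIES.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Any

# Hypothetical app directory name; check $SPLUNK_HOME/etc/apps on your search head.
APP_NAME = "SOC_Prime_CCM_App_for_Splunk"


def fetch_saved_searches(base_url: str, user: str, password: str,
                         app: str = APP_NAME, verify_tls: bool = True) -> list[dict[str, Any]]:
    """Return the `entry` list from /servicesNS/-/<app>/saved/searches (output_mode=json).

    Owner "-" returns every saved search visible in the app context, which also
    includes globally shared searches from other apps; summarize() filters those out.
    """
    url = f"{base_url}/servicesNS/-/{app}/saved/searches?output_mode=json&count=0"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only: Splunk ships a self-signed certificate on 8089
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["entry"]


def _truthy(value: Any) -> bool:
    """Splunk renders boolean fields either as true/false or as the strings "1"/"0"."""
    return str(value).lower() in ("1", "true")


def summarize(entries: list[dict[str, Any]], exceptions: list[str],
              app: str = APP_NAME) -> dict[str, Any]:
    """Classify the app's own alerts and flag excluded rules that were still deployed."""
    excluded = set(exceptions)
    report: dict[str, Any] = {"total": 0, "enabled": [], "disabled": [],
                              "unscheduled": [], "leaked_exceptions": []}
    for entry in entries:
        if entry.get("acl", {}).get("app") != app:
            continue  # shared search from another app, not something the App deployed
        name = entry["name"]
        content = entry.get("content", {})
        report["total"] += 1
        if name in excluded:
            # Should be empty if the input's Rule exceptions took effect.
            report["leaked_exceptions"].append(name)
        if _truthy(content.get("disabled", False)):
            report["disabled"].append(name)
            continue
        report["enabled"].append(name)
        if not _truthy(content.get("is_scheduled", False)):
            report["unscheduled"].append(name)  # enabled, but it will never run on its own
    return report


# Constructed sample shaped like Splunk's output_mode=json entries (not real data).
SAMPLE_ENTRIES: list[dict[str, Any]] = [
    {"name": "Suspicious Encoded PowerShell Command",
     "acl": {"app": APP_NAME, "owner": "nobody"},
     "content": {"disabled": False, "is_scheduled": True,
                 "cron_schedule": "*/10 * * * *", "alert.severity": "4"}},
    {"name": "Rare Service Installation",
     "acl": {"app": APP_NAME, "owner": "nobody"},
     "content": {"disabled": True, "is_scheduled": True,
                 "cron_schedule": "*/15 * * * *", "alert.severity": "3"}},
    {"name": "Excluded Noisy Rule",
     "acl": {"app": APP_NAME, "owner": "nobody"},
     "content": {"disabled": "0", "is_scheduled": "0", "cron_schedule": ""}},
    {"name": "Errors in the last 24 hours",  # global object from the search app
     "acl": {"app": "search", "owner": "admin"},
     "content": {"disabled": False, "is_scheduled": False}},
]


if __name__ == "__main__":
    base_url = os.environ.get("SPLUNK_URL")  # e.g. https://localhost:8089 (assumed variable names)
    if base_url:
        entries = fetch_saved_searches(
            base_url, os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"],
            verify_tls=os.environ.get("SPLUNK_VERIFY_TLS", "1") == "1")
    else:
        entries = SAMPLE_ENTRIES
    # Same JSON-array format as the input's Rule exceptions field.
    exceptions = json.loads(os.environ.get("RULE_EXCEPTIONS", '["Excluded Noisy Rule"]'))
    print(json.dumps(summarize(entries, exceptions), indent=2))
```

Without SPLUNK_URL set, the script runs against the constructed sample and reports one leaked exception and one enabled-but-unscheduled alert; with it set, the same report is produced for the live search head. A non-empty leaked_exceptions list means the Rule exceptions value did not match the deployed alert names exactly, and an entry in unscheduled is an alert that the App installed but that will never fire until a schedule is set.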
