
Using Attack Detective with On-Prem Splunk

Written by Sergey Bayrachny

To run investigations in your on-prem Splunk instance, you need to do the following:

  • Configure a Data Plane Integration with your Splunk instance on the SOC Prime Platform

  • Install and configure the SOC Prime Attack Detective App for Splunk that connects your on-prem Splunk instance to Attack Detective

Configure a Data Plane Integration on the SOC Prime Platform


  1. Click Add Data Plane on the Account > Platform Settings > Data Planes page.

  2. Name your profile, select Splunk as your platform, and choose whether to share the profile with your teammates. A shared Data Plane can be used, viewed, and edited by all users in your organization.

  3. Turn on the On-Prem switch.

    After that, Attack Detective is automatically set as the only place to use the Data Plane.

  4. Fill in the fields that appeared in the Configuration section.

    • Splunk URL. The URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).

    • Attack Detective API key. Click the Generate icon on the right of the field to generate an Attack Detective API key. You'll need it to configure the input in the SOC Prime Attack Detective App for Splunk. Copy the key from the modal that appears and save it in a safe and accessible place. For security reasons, you won't be able to view it again; if you lose this secret key, you'll need to generate a new one.

    Note:

    To use the Data Plane for Attack Detective, create a user in your Splunk instance and assign it the standard User role. Alternatively, create a custom role modeled on the User role that can read all indexes and run searches; those capabilities are sufficient for Attack Detective, so nothing beyond them needs to be granted.

  5. Optionally, make the following settings:

    • Default Custom Field Mappings. Select the Custom Field Mapping profiles you would like to assign to this Data Plane. They will be applied automatically to Sigma Rule translations with matching Log Sources. You can configure a new profile by clicking the Gear icon.

  6. Click Save Changes.

Install and Configure the SOC Prime Attack Detective App for Splunk


Install the App

  1. Open the Splunk Web Console.

  2. Select the gear icon on the Apps tab.

  3. Click the Browse more apps button.

  4. Type “SOC Prime Attack Detective App for Splunk” in the search field to find the app and proceed to its installation in your environment.

Configure the App

  1. Select SOC Prime Attack Detective App for Splunk in the main Apps menu.

  2. Create an index for the App (the input that pulls searches from Attack Detective is configured on the Inputs tab in the steps that follow):

    1. In your Splunk header menu, open Settings > Indexes (in the Data section).

    2. Click the New index button.

    3. Give the index a name like socprime.

    4. Click Save.

    5. Configure data rotation for this newly created index according to your organization's policies.

  3. Select the Inputs tab.

  4. Click Create New Input.

  5. Fill in the parameters.

    • Name (Required). Provide a descriptive name for this data input.

    • Interval (Required). Time interval of the input in seconds. The default value is 30.

    • Index (Do not change). A technical parameter that should not be changed. Keep the default value.

    • Attack Detective API key (Required). The API key generated when configuring the Data Plane integration on the SOC Prime Platform.

    • Parallel Jobs Count (Required). The number of searches that can run simultaneously. Set it according to the performance of your Splunk instance.

    • Splunk REST API host and port (Optional). May be necessary for remote execution. Format: ["<splunk_host>:<port>"]. Default: ["localhost:8089"]

    • Splunk REST API username (Optional). May be necessary for remote execution.

    • Splunk REST API password (Optional). May be necessary for remote execution.

  6. Click Add.

Optionally, you can configure a proxy (if you use one) and logging level on the Configuration tab.

Once you run investigations in Attack Detective, you can check the health of your connection as well as the success of search executions on the Attack Detective App Details tab.
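The index, the least-privilege Splunk user from the Data Plane note above, and the "Splunk REST API host and port" value from the input parameters can all be prepared from the command line instead of the UI. The script below is an added example, not code from SOC Prime or from the app; it talks to the Splunk management (REST) port with curl. The management URL, admin credentials, and the index, role and user names are assumed placeholders; replace them for your environment.

```shell
#!/bin/sh
# Added example (not SOC Prime's or Splunk's own code). Provisions what this
# page asks you to create by hand, using Splunk's documented REST endpoints.
# All of these values are placeholders for your own environment.
SPLUNK_MGMT="${SPLUNK_MGMT:-https://localhost:8089}"
SPLUNK_ADMIN="${SPLUNK_ADMIN:-admin}"
SPLUNK_ADMIN_PW="${SPLUNK_ADMIN_PW:-changeme}"   # placeholder; read from a secret store in practice

# Authenticated request to the management API. -k tolerates Splunk's default
# self-signed management certificate; remove it once you trust the CA.
splunk_api() {
    method="$1"; path="$2"; shift 2
    curl -sS -k -u "$SPLUNK_ADMIN:$SPLUNK_ADMIN_PW" -X "$method" \
        "$SPLUNK_MGMT/services/$path" "$@"
}

# The index the app fills with its hourly trend data (the page uses "socprime").
create_index() {
    splunk_api POST data/indexes -d name="${1:-socprime}"
}

# Least-privilege role: inherits the standard "user" role (search plus REST
# read access) and may search every index, which is what the page says
# Attack Detective needs. No admin-level capabilities are added.
create_role() {
    splunk_api POST authorization/roles \
        -d name="${1:-attack_detective}" \
        -d imported_roles=user \
        -d srchIndexesAllowed='*' \
        -d srchIndexesDefault='*'
}

# Dedicated service account holding only that role; its credentials are what
# you enter in the input's "Splunk REST API username/password" fields.
create_user() {
    splunk_api POST authentication/users \
        -d name="$1" -d password="$2" -d roles="${3:-attack_detective}"
}

# Checks a value for "Splunk REST API host and port" before you paste it into
# the input: the app expects a JSON list of "host:port" strings, e.g.
# ["localhost:8089"]. Returns 0 when the format matches, 1 otherwise.
validate_rest_hosts() {
    printf '%s' "$1" | grep -Eq \
        '^\["[A-Za-z0-9.-]+:[0-9]{1,5}"(,[[:space:]]*"[A-Za-z0-9.-]+:[0-9]{1,5}")*\]$'
}

# Confirms the service account can see indexes at all (i.e. can search)
# before the Attack Detective input is saved. count=0 returns every entry.
check_search_access() {
    curl -sS -k -u "$1:$2" \
        "$SPLUNK_MGMT/services/data/indexes?output_mode=json&count=0" \
        | grep -q '"name"'
}
```

Typical order of use, run by an admin once per search head: `create_index socprime`, `create_role attack_detective`, `create_user ad_svc 'placeholder-password' attack_detective`, then `check_search_access ad_svc 'placeholder-password'` before filling in the input. Keeping the service account on a role that only imports `user` and widens `srchIndexesAllowed` means a leaked API key or app credential cannot change Splunk configuration, only run searches.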

Before the First Data Audit or Scan


The index created during the configuration is populated by the results of a special search that runs every hour. Attack Detective uses this data to speed up data audits and scans. If you're going to run data audits or scans that cover time periods before the app was installed (for example, the last 7 or 30 days), you need to run the Reports search manually for at least the same period; it generates the audit data historically for each day of the period. To do this:

  1. In the App menu, go to Reports.

  2. Click Open in Search for SOC Prime Attack Detective Data Audit EventCodes with Indexes - Filling the Trend.

  3. Select the same or greater time period as will be used for your data audit or scan in the calendar picker next to the Run button.

  4. Run the search.

  5. The search can take a long time depending on the selected period. You can send the job to the background. To do this:

    1. Go to Job > Send Job to Background in the menu under the search query.

    2. The Send Job to Background window appears. Optionally, you can set the Email when complete checkmark and enter your email to receive an email notification when the job is finished.

    3. Click the Send to Background button.

  6. Wait until the search is finished. After that, the index socprime will be populated with trended historical data, so you can run a Data Audit or Scan for the same period.

Note that Data Audits use the map and collect SPL commands, which Splunk may flag as risky commands under its search safeguards.

All configurations related to investigations are made in Attack Detective on the SOC Prime Platform. Before installing the SOC Prime Attack Detective App for Splunk, make sure to configure your on-prem Splunk Data Plane on the SOC Prime Platform.
