All Apps and Add-ons

How to configure Splunk Stream "Ephemeral Streams" for Enterprise Security?

gworkun
Explorer

Looking to get the Splunk Stream "Ephemeral Streams" working for Enterprise Security (concept outlined here: https://www.splunk.com/blog/2015/02/13/splunk-app-for-stream-how-can-you-use-ephemeral-streams.html)

I've read the short documentation on applying a template for Stream (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/UseStreamconfigurationtemplate...), but to no avail.

Have accomplished the following:
- Splunk Enterprise set up
- Splunk Enterprise Security on separate search head
- Splunk Stream installed/ Main app on ES Search Head (can control protocols to stream successfully)

So issue is, when attempting to initiate a Steam from a Notable Event through an Adaptive Response, nothing occurs. Didn't know if there is a piece missing or a configuration/network permissions change that would need to occur (such as enabling specific port for the ES Search Head to talk to Splunk Forwarder that has stream app enabled, etc.).

Any help or advice would be appreciated. Thanks!

0 Karma

mpandya_splunk
Splunk Employee
Splunk Employee

Hi! Here are the steps you can perform to get the ephemeral stream through ES.

1) Install ES and Stream on Splunk

2) Configure ISF (Independent Stream Forwarder) which checks into search head. (Steps to configure ISF: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/InstallStreamForwarderonindepe...)

3) Make sure to get enough data indexed in splunk stream(For sourcetypes: tcp, dns, http, ip, udp)

3) Created a search such as: host=hostname_of_ISF sourcetype="stream:ip" dest_ip="10.202.18.155" where the dest_ip is the IP of your Search head

4) Save the search as alert which runs on cron schedule for every min

5) In the Trigger Actions, select Notable Events and save the alert

5) Navigate to ES app > Incident Review, on your created notable event, run Adaptive Response Action by clicking on New Response Action -> Stream Capture.

6) The adaptive response from Stream Capture should show a "success" status.

7) Navigate to Stream App> Configure Streams > Ephemeral streams. You will see the created streams on the dashboard

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...