Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Notable events to be stored in Splunk locally and also be sent to another platform

jaracan
Communicator
‎08-27-2024 02:04 AM

Hi,

Good day! Just wanted to check your insights or any reference that you can share.
We have Clustered Multisite Splunk environment and Splunk ES SHC and let's say correlation searches is triggered, it will generate notable events.

Is it possible that these notable events will be sent to another platform (example: Google Chronicle).
If yes, can you share how it will be done?

So let's say, the notable event is generated, it will be stored in Splunk locally and will also be forwarded to Google Chronicle SOAR. Is it possible?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 04:58 AM

There are at least three different ways of "integrating" ES with third-party solutions. Details of implementing each of them will greatly depend on particular use case and might involve some programming.

1) Use the external solution to search from your Splunk ES installation and retrieve notables.

2) Use the alert action (or adaptive response in case of ES) to push each notable separately to the external solution.

3) Use an additional alert to periodically export the list of new notables to the external solution.

In cases 2 and 3 you need to have something developed (either use something already made if there is already an app for it or write something from scratch) to push the data from Splunk to the third-party service.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-27-2024 02:54 AM

Hi @jaracan ,

you can create a script that uses the API of the destination platform.

Then you can associate this script to a Correlation Search, or schedule al alert that calls this script.

Ciao.

Giuseppe

0 Karma
Reply

jaracan
Communicator
‎08-27-2024 02:58 AM

Hi @gcusello ,

Do you have sample template/script you mentioned or any reference link? That would be helpful. Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-27-2024 03:01 AM

Hi @jaracan ,

I cannot have it because it depends on the target platform that i  don't know:

you have to create a script that calls it using its API passing to the script the correlaton search data or a search on the Notable index.

Check if there's an app that permits this export, for some platform (e.g Microsoft Defender) it was already developed.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...