Questions about Integrating API security platform with Splunk?

JonaM
New Member

Hi Gentlemen,

I'm working for an API security company; we provide vulnerability detection and real-time detection and prevention.

We are now working on integrating our platform with Splunk, and some questions popped up as part of the process:

  1. To which version and products of Splunk should we make the integration? Is it a generic integration for all of them and we only need to switch platform, or is it different for each one?
  2. How should we send the data to Splunk? We thought about syslog; is there any other recommended way?
  3. What kind of data is most recommended that we send to Splunk?
  4. Can we create rules and actions through the integration with Splunk? (e.g. WAF rules)
  5. What is the best practice to make the integration and test it? Should we raise a Splunk environment? If so, which one, and does Splunk have any support for this process?

Additionally, I would like to understand whether we need to send data differently if the type of data is different. For example, let's assume I'm sending both vulnerabilities and anomalies: should I send both of them to the same place, or is there a different location for each one of them?

Thanks in advance,

Jonathan.


gcusello
SplunkTrust

Hi @JonaM,

There's a common answer to your questions: it all depends on your requirements, because with Splunk you can do almost everything. Anyway, I'll try to answer your questions:

  1. To which version and products of Splunk should we make the integration? Is it a generic integration for all of them and we only need to switch platform, or is it different for each one?

Obviously always the latest version (9.0.1 for Splunk Enterprise); about products, it depends on your scope:

  • if you want a SIEM, you need Enterprise Security,
  • if you need observability and IT Operations, you need ITSI,
  • if you need infrastructure monitoring, you need Splunk Enterprise and various apps for your infrastructure (Cisco, firewall, etc...)

Integration, in a few words, is ingesting your logs in Splunk Enterprise and using them in the above apps.

Then you can integrate the Splunk infrastructure with your infrastructure, e.g. for authentication (integration with LDAP/AD), alert management (with Phantom), case opening (with your trouble-ticketing platform), etc...

  2. How should we send the data to Splunk? We thought about syslog; is there any other recommended way?

Splunk has many solutions for data ingestion; syslog is one of them and not the most efficient:

  • Agent (Splunk Universal Forwarder), the most efficient,
  • syslog,
  • WMI,
  • DB-Connect (SQL Query) for DBs,
  • HTTP Event Collector (for custom applications), etc...

For more info see https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/WhatSplunkcanmonitor

  3. What kind of data is most recommended that we send to Splunk?

All text data and more (from CSV files to DB tables); it depends on what you want to monitor.

  4. Can we create rules and actions through the integration with Splunk? (e.g. WAF rules)

You can create all the rules you need (Correlation Searches) using the ingested data.

  5. What is the best practice to make the integration and test it? Should we raise a Splunk environment? If so, which one, and does Splunk have any support for this process?

The best practice is to find a system integrator you trust and define the requirements for your project together with them; then you could build it together.

Additionally, I would like to understand whether we need to send data differently if the type of data is different. For example, let's assume I'm sending both vulnerabilities and anomalies: should I send both of them to the same place, or is there a different location for each one of them?

All the data are ingested and indexed in Splunk Enterprise with modes that depend on access rights and retention; then all these data can be used to answer your requirements.

Ciao.

Giuseppe

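As an added example (not code from either poster), this shows how an API security platform could wrap vulnerability findings and runtime anomalies in HTTP Event Collector (HEC) events, routing each data type to its own index and sourcetype so retention and access rights can differ, as Giuseppe describes. The index and sourcetype names, host name, and sample records are constructed; the HEC endpoint, `Authorization: Splunk <token>` header and event envelope fields are the standard ones.

```python
"""Build Splunk HEC payloads for an API security platform (constructed example)."""
import json
import urllib.request
from datetime import datetime

# Hypothetical routing table: separate indexes/sourcetypes per data type so that
# vulnerability findings and runtime anomalies can have different retention/ACLs.
ROUTING = {
    "vulnerability": {"index": "apisec_vuln", "sourcetype": "apisec:vulnerability"},
    "anomaly": {"index": "apisec_anomaly", "sourcetype": "apisec:anomaly"},
}

def to_hec_event(record, host="apisec-platform"):
    """Wrap one platform record in the HEC JSON event envelope."""
    route = ROUTING[record["kind"]]  # unknown kinds fail loudly instead of being misrouted
    ts = datetime.fromisoformat(record["detected_at"]).timestamp()  # epoch seconds for HEC
    return {
        "time": ts,
        "host": host,
        "source": "apisec-platform",
        "sourcetype": route["sourcetype"],
        "index": route["index"],
        "event": {k: v for k, v in record.items() if k != "detected_at"},
    }

def build_batch(records):
    """HEC accepts several JSON events concatenated in a single request body."""
    return "\n".join(json.dumps(to_hec_event(r)) for r in records)

def send_batch(body, hec_base_url, token, timeout=10):
    """POST a batch to HEC and return the parsed JSON response (network call)."""
    req = urllib.request.Request(
        hec_base_url.rstrip("/") + "/services/collector/event",
        data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())

# Constructed sample records from the (hypothetical) platform
SAMPLE_RECORDS = [
    {"kind": "vulnerability", "detected_at": "2022-10-03T10:15:00+00:00",
     "api": "/v1/users/{id}", "method": "GET", "severity": "high",
     "title": "Missing object-level authorization check"},
    {"kind": "anomaly", "detected_at": "2022-10-03T10:16:30+00:00",
     "api": "/v1/login", "method": "POST", "src_ip": "203.0.113.10",
     "requests_per_min": 850, "action": "blocked"},
]

if __name__ == "__main__":
    print(build_batch(SAMPLE_RECORDS))  # paste the token/URL into send_batch to ship it
```

Each line of the printed batch is one HEC event; the `index` field only takes effect if the HEC token is allowed to write to that index.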