Splunk Enterprise Security

BlueCoat ThreatPulse -- Does anyone have experience logging data from ThreatPulse?

jasonportico
Engager

Greetings -
I'm using BlueCoat ThreatPulse as a web filter ('cloud' based). The only method to pull their logs is via API. However, there isn't an app for ThreatPulse (and the ProxySG uses syslog). I've tinkered with the RESTapi app but haven't had any luck bringing in data. Is there anyone here who has used the RESTapi with ThreatPulse or who has any other suggestions on getting this data into Splunk?

Thanks,
Jason

0 Karma

splunker288
Explorer

There is actually a TA and app that are available from Symantec now. I'm guessing they didn't exist at the time. Currently I'm having issues with it. It seems the API is not working. Is anyone having similar issues? It has worked fine for months but now when I run the input scripts I don't get anything back.

0 Karma

brian_rowe
Engager

There is a fairly straightforward way to accomplish this: download the Blue Coat Reporter app, install it on a server, and have it download the WSS/ThreatPulse logs automatically. Those logs come down in gzip format, but can be indexed easily by Splunk; the format is similar to the standard ProxySG log formats.

Here's an article from Symantec on setting up the connection between Reporter and ThreatPulse: https://support.symantec.com/en_US/article.TECH241105.html

jasonportico
Engager

Thanks Brian, I appreciate the reply.

While I couldn't find any solid answer at the time, I decided to go the manual route. I wrote a python script to download the log files on the hour and then place them in a directory that Splunk monitors.

0 Karma
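A worked version of the staging half of the approach described in the thread (gzip-compressed, ProxySG-style logs dropped into a directory Splunk monitors), added here as an example; it is not Jason's script and not a Symantec or Splunk artifact. It assumes the downloaded files are W3C ELFF logs as the thread describes, that the download step (whose API is not documented on this page) has already placed them in an `incoming` directory on the same filesystem as the monitored directory, and it uses a constructed sample log. The point it adds beyond the post: validate each file (gzip integrity, `#Fields:` header, column count) before it reaches the monitored directory, and move it there with a single atomic rename so the forwarder never indexes a half-written file.

```python
"""Stage downloaded Blue Coat WSS/ThreatPulse access logs for Splunk.

Added example, not the script from the thread. Assumes gzip-compressed W3C ELFF
logs (the ProxySG-style layout the thread describes) already downloaded into an
"incoming" directory on the same filesystem as the Splunk-monitored directory.
All log content below is constructed.
"""
import gzip
import os
import shlex
import tempfile
from pathlib import Path

# Constructed sample in the W3C ELFF layout. The field names are standard
# ProxySG access-log fields; the values are made up.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Version: 1.0\n"
    "#Fields: date time time-taken c-ip sc-status s-action cs-method "
    "cs-uri-scheme cs-host cs-uri-path cs(User-Agent) sc-filter-result\n"
    "2024-03-01 12:00:01 120 10.0.0.5 200 TCP_HIT GET https example.com / "
    "\"Mozilla/5.0 (Windows NT 10.0)\" OBSERVED\n"
    "2024-03-01 12:00:02 45 10.0.0.7 403 TCP_DENIED GET https blocked.example / "
    "\"Mozilla/5.0 (Windows NT 10.0)\" DENIED\n"
)


def write_sample_log(dest):
    """Stand-in for the hourly download: write the constructed sample as gzip."""
    with gzip.open(dest, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    return dest


def parse_elff_gz(path):
    """Decompress and parse an ELFF log; raises on truncation or bad layout.

    gzip raises EOFError when the download was cut short, and we raise
    ValueError when the header is missing or a row's column count is wrong,
    so a bad file is caught here rather than indexed as garbage.
    """
    fields, records = None, []
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
                continue
            if line.startswith("#"):  # other directives (#Software, #Date, ...)
                continue
            if fields is None:
                raise ValueError("data row before #Fields: header")
            values = shlex.split(line)  # honours the quoted User-Agent column
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            records.append(dict(zip(fields, values)))
    if fields is None:
        raise ValueError("no #Fields: header found")
    return records


def stage_for_splunk(src, monitored_dir):
    """Validate src, then rename it into the monitored directory atomically."""
    monitored_dir = Path(monitored_dir)
    monitored_dir.mkdir(parents=True, exist_ok=True)
    parse_elff_gz(src)  # full read: any truncation or format error raises here
    final = monitored_dir / Path(src).name
    os.replace(src, final)  # atomic on the same filesystem: no partial files
    return final


def demo():
    """Run the flow in a throwaway directory and return what is worth checking."""
    base = Path(tempfile.mkdtemp(prefix="wss-demo-"))
    incoming, monitored = base / "incoming", base / "splunk_monitor"
    incoming.mkdir()

    src = write_sample_log(incoming / "wss_2024-03-01_12.log.gz")
    records = parse_elff_gz(src)
    denied_hosts = [r["cs-host"] for r in records if r["sc-filter-result"] == "DENIED"]
    final = stage_for_splunk(src, monitored)

    # Simulate a download that was cut off: keep only the first half of the bytes.
    good_bytes = final.read_bytes()
    broken = incoming / "wss_truncated.log.gz"
    broken.write_bytes(good_bytes[: len(good_bytes) // 2])
    try:
        stage_for_splunk(broken, monitored)
        truncated_rejected = False
    except (EOFError, OSError, ValueError):
        truncated_rejected = True

    return {
        "records": len(records),
        "denied_hosts": denied_hosts,
        "staged": final.name,
        "staged_exists": final.exists(),
        "source_removed": not src.exists(),
        "truncated_rejected": truncated_rejected,
        "broken_staged": (monitored / broken.name).exists(),
    }


if __name__ == "__main__":
    print(demo())
```

In production the `incoming` directory is where the hourly download lands and must not itself be under a Splunk `[monitor://]` stanza; only the rename target is. Because `os.replace` is only atomic within one filesystem, keep both directories on the same volume.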