Splunk Enterprise Security

How to integrate ModSecurity events to Splunk Enterprise Security?

noybin
Communicator

Hi,

I need to make events I am receiving from a Modsecurity available and formatted for Splunk Enterprise Security. I have a distributed environment.

I know that I have to turn them into CIM, add tags, eventtype, extract fields, and create aliases.

  1. Is it mandatory to create a custom add-on for achieving the goal? If not, which files.conf do I have o change (inside which path)?
  2. Is there any tutorial/example on how to integrate a non natively supported device into Enterprise Security?
  3. The changes (tags, eventtype, extract fields and create aliases) have to be done on the Indexer, Search Head, or both?
  4. Am I missing something else?

Thank you very much.
Regrads.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust
  1. It's customary to create a TA for your case. Not technically mandatory, but really - do create a TA. Files to create include props.conf, transforms.conf, eventtypes.conf, tags.conf, possibly lookups, maybe more.
  2. There are some examples in the CIM docs at http://docs.splunk.com/Documentation/CIM/4.4.0/User/UsetheCIMtonormalizeOSSECdata and I believe there have been .conf talks as well, here's one: http://conf.splunk.com/session/2015/recordings/2015-splunk-186.mp4
  3. CIM configurations typically are search-time, those need to be on the search head. Nothing terrible happens if you have them on the indexer as well though.
  4. There is an older app for ModSecurity on splunkbase, but it might not be CIM-compatible: https://splunkbase.splunk.com/app/880/
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you follow the naming convention TA-foo, ES will automatically load your TA.

Differently named TAs can be imported too, but there really is no need to deviate from the convention. http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#The_Update_ES_modular...

0 Karma

noybin
Communicator

Thanks Martin,

I've created a new directory in $SPLUNK_HOME/etc/apps/TA-ltmodsec
I've created a directory $SPLUNK_HOME/etc/apps/TA-ltmodsec/default
and I created a trasforms.conf and a props.conf inside the default folder.

props.conf

[source::udp:10514]
TRANSFORMS-001_rewrite_modsecurity_sourcetype = set_sourcetype_modsecurity
[modsecurity]
EXTRACT-modsec-client = \[client\s(?P[^\]]+)\]
EXTRACT-accion = ^(?:[^\.\n]*\.){6}\d+\] ModSecurity:\s+(?P[^\[]+)\s+\[
EXTRACT-modsec_id = \[id \"(?P[^\"]+)"\]

transforms.conf

[set_sourcetype_modsecurity]
SOURCE_KEY = MetaData:Host
REGEX = (52\.86\.132\.70)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::modsecurity

That didn't work.
When I move those files to $SPLUNK_HOME/etc/apps/search/local/ it works correctly.
Am I missing something in the addon I've created.

Thank you very much.
Regards.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There isn't much to miss. Create directory, create .conf file, restart Splunk, done.

0 Karma

noybin
Communicator

Hi, Thanks for your reply.

So, after creating a custom TA, does Enterprise Security load it automatically, or I should do something for ES to load the TA?

Are there specifiations when creating the TA such as TA's name and configuration?

Thanks again.

0 Karma

niemesrw
Path Finder

Hi noybin - this might help:

http://docs.splunk.com/Documentation/ES/3.3.3/CreateTA/GenericExample

You don't need to create a TA specifically, you can modify the local props & transforms if you want. And you only need to make changes on the search head.

I usually just put any modifications into the local search app or local ES app. The full path would be something like:

/opt/splunk/etc/apps/search/local
props.conf/tags.conf/transforms.conf /etc.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...