We are trying to develop an integration for Splunk based on our on-demand scanning APIs. We offer on-demand REST APIs to allow users to scan IP, domain and URL indicators to get information such as the threat posed by the indicator, a verdict on the indicator (malicious/benign), a screenshot of the indicator's landing page, etc. Basically, it will be an enrichment application which users can use to enrich their existing threat information on a particular indicator.
I have done some R&D on Splunk and found out that Splunk Enterprise is the top-level platform, whereas Splunk Enterprise Security is an application within that platform, specific to security and SIEM use cases.
My question is whether I should develop a completely stand-alone application for Splunk Enterprise or try to integrate it with the Splunk Enterprise Security application. I have a fairly good idea of how to develop stand-alone Splunk Enterprise applications but little knowledge of how I would integrate our APIs with Splunk Enterprise Security, since it is already a stand-alone application. Any important tips on which direction to take are what I am looking for. Thanks!
It depends on a number of factors. If I had to give an answer I would suggest integrating with both.
This may sound like a lot more work, but it really isn't, since ES is itself a Splunk application. This means you would likely just need to do a little more work on top of the Splunk Enterprise integration to get it to work with ES.
In your case, there likely isn't much you would need to do to integrate with ES though.
Here are some details relating to the things you may want to do:
You can make a search command within Splunk pretty easily. See https://github.com/LukeMurphey/splunk-search-command-example for an example.
You might want to make an alert action. ES has a feature called "Adaptive Response" which is just a few small additions to a custom alert action. Adding the extra functionality would allow your app to get used within ES, which is likely worth it.
I would start by making the custom alert action and then make the few changes necessary to make it an Adaptive Response action once the alert action is functional.
Here are some pointers that may be helpful:
Thanks for your informative comment. However, I am not sure if creating an alerts app would be the best use case for our APIs. We are only looking to offer an additional source of information which users will use on their own. The required use case is that a user wants threat information about an IP, domain or URL indicator. Our app will provide a UI dashboard where they will enter that indicator value and will be presented with everything we have in the form of nice dashboards.
If I go with alerts, the API will be triggered automatically whenever there is an IP, domain or URL indicator in the logs. This is not what I am looking for; rather, the user should request information for an indicator themselves. (For reference: I am looking to build something similar to PassiveTotal's app for Splunk: https://splunkbase.splunk.com/app/3083/)
I hope I was able to clarify the use case of our app, what are your views now?
The way I was currently going to approach this was as follows:
1- Create custom SPL commands for each of our APIs
2- Create UI dashboards for each indicator type (IP, Domain, URL)
3- Provide a TextInput in each dashboard where the user can input the indicator value
4- Visualizations in each UI dashboard which use our custom SPL commands to populate themselves with data from our server
I think the only thing you might want to do in that case is to have the data from your search commands stored in CIM format.
Other than that, there likely isn't much you would need to do to integrate with ES.
I updated the answer accordingly.
Thanks @LukeMurphey for validating my approach. The only thing I was not clear about was the CIM model. Can you point me to any examples that can help me normalize my API data with Splunk CIM?
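As an added example (not from this thread, PassiveTotal's app, or Splunk's own code), here is the normalization step a custom SPL command for the use case above would perform on each API result before emitting it as an event: classify the indicator the user typed, then map the vendor response onto CIM field names so ES dashboards and the Threat Intelligence data model can pick it up. The vendor response shape, the vendor name and the `ex_`-prefixed extras are constructed placeholders; the `threat_*` field names are as I recall them from the CIM Threat Intelligence data model and should be checked against the CIM version installed.

```python
import ipaddress
from urllib.parse import urlparse

VENDOR = "ExampleVendor"      # placeholder, not a real product
PRODUCT = "OnDemandScan"      # placeholder

# Constructed sample of what the on-demand API might return; the real
# response keys are an assumption and must be mapped from the actual API.
SAMPLE_RESPONSES = {
    "203.0.113.10": {"verdict": "malicious", "threat": "c2", "score": 92,
                     "screenshot": "https://example.invalid/shot/1.png"},
    "example.com": {"verdict": "benign", "threat": None, "score": 3, "screenshot": None},
    "http://example.net/login": {"verdict": "malicious", "threat": "phishing",
                                 "score": 88, "screenshot": None},
}

# Which CIM field the looked-up value corresponds to; 'dest' for IPs is a
# choice (assumption): the lookup does not tell us whether the IP was a source.
CIM_FIELD_FOR_TYPE = {"ip": "dest", "url": "url", "domain": "domain"}


def classify_indicator(value):
    """Return 'ip', 'url' or 'domain' for the raw indicator the user entered."""
    try:
        ipaddress.ip_address(value)       # handles both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if urlparse(value).scheme in ("http", "https"):
        return "url"
    return "domain"


def normalize(indicator, response):
    """Map one API response onto CIM field names plus prefixed vendor extras."""
    kind = classify_indicator(indicator)
    match_field = CIM_FIELD_FOR_TYPE[kind]
    record = {
        "threat_match_field": match_field,             # CIM: which field matched
        "threat_match_value": indicator,               # CIM: the value matched
        "threat_category": response.get("threat") or response["verdict"],
        "threat_key": VENDOR,                          # CIM: intel source name
        "threat_description": f"{VENDOR} verdict {response['verdict']}, score {response['score']}",
        "vendor_product": f"{VENDOR} {PRODUCT}",       # common CIM field
        match_field: indicator,                        # plain CIM copy for dashboards
        "ex_verdict": response["verdict"],             # vendor-specific extras keep a prefix
        "ex_score": int(response["score"]),
    }
    if kind == "url":                                  # also expose the URL's host
        host = urlparse(indicator).hostname or ""
        record[CIM_FIELD_FOR_TYPE[classify_indicator(host)]] = host
    if response.get("screenshot"):
        record["ex_screenshot"] = response["screenshot"]
    return record
```

In the real command, `normalize` would be called once per indicator inside the SDK's generating-command `generate()` loop after the REST call, with each returned dict yielded as a result row.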