Splunk Enterprise Security

Should I build my integration for Splunk Enterprise or Splunk Enterprise Security?

umairahmad3985
Path Finder

Hi Everyone,

We are trying to develop an integration for Splunk based on our On-demand scanning APIs. We offer on-demand REST APIs to allow users to scan IPs, Domains and URLs indicators to get information such as Threat Posed by the indicator, Verdict on Indicator (Malicious/Benign), Screenshot of the Indicator's landing Page etc. Basically, it will be an enrichment application which users can use to enrich their existing threat information on a particular indicator.

I have done some R&D on Splunk and found out that the Splunk Enterprise is the top-level platform where as Splunk Enterprise Security is a application within that platform and specific to security and SIEM applications.

My question is that, whether I should develop a completely stand-alone separate application for Splunk Enterprise or try to integrate it with Splunk Enterprise Security application? I have a fairly good idea about how to develop Splunk Enterprise Standalone applications but little knowledge on how would I integrate our APIs with Splunk Enterprise Security since it is an already stand-alone application. Any important tips on which direction to take is what I am looking for. Thanks!

0 Karma
1 Solution

LukeMurphey
Champion

It depends on a number of factors. If I had to get an answer I would suggest integrating with both.

This may sound like a lot more work but it really isn't since ES is itself a Splunk application. This means you would likely just need to do a little more work over Splunk Enterprise integration to get it to work with ES.

In your case, there likely isn't much you would need to do to integrate with ES though.

Here are some details relating to the things you may want to do:

Search commands
You can make a search command within Splunk pretty easily. See https://github.com/LukeMurphey/splunk-search-command-example for an example.

You might want to have the output from your search commands indexed and stored according to the CIM. Data that is formatted according to the CIM will automatically be handled by ES.

Alert actions
You might want to make an alert action. ES has a feature called "Adaptive Response" which is just a few small additions to a custom alert action. Adding the extra functionality would allow you app to get use within ES which is likely worth it.

I would start by making the custom alert action and then make the few changes necessary to make it an Adaptive Response action once the alert action is functional.

Here are some pointers that may be helpful:

View solution in original post

LukeMurphey
Champion

It depends on a number of factors. If I had to get an answer I would suggest integrating with both.

This may sound like a lot more work but it really isn't since ES is itself a Splunk application. This means you would likely just need to do a little more work over Splunk Enterprise integration to get it to work with ES.

In your case, there likely isn't much you would need to do to integrate with ES though.

Here are some details relating to the things you may want to do:

Search commands
You can make a search command within Splunk pretty easily. See https://github.com/LukeMurphey/splunk-search-command-example for an example.

You might want to have the output from your search commands indexed and stored according to the CIM. Data that is formatted according to the CIM will automatically be handled by ES.

Alert actions
You might want to make an alert action. ES has a feature called "Adaptive Response" which is just a few small additions to a custom alert action. Adding the extra functionality would allow you app to get use within ES which is likely worth it.

I would start by making the custom alert action and then make the few changes necessary to make it an Adaptive Response action once the alert action is functional.

Here are some pointers that may be helpful:

umairahmad3985
Path Finder

Hi @LukeMurphey,

Thanks for your informative comment. However, I am not sure if creating an alerts app would be the best use-case for our APIs. We are only looking to offer an additional source of information which users will use on their own. The required use case is that, a user wants threat information about an IP, Domain or URL indicator. Our app will provide a UI dashboard where he will enter that indicator value and will be presented with everything we have in form of nice dashboards.

If I go with alerts, the API will be triggered whenever there is an IP, Domain or URL indicator in the logs automatically. This is not what I am looking for rather the user should demand information for an indicator themselves. (For reference: I am looking to build something similar to PassiveTotal's app for Splunk: https://splunkbase.splunk.com/app/3083/)

I hope I was able to clarify the use case of our app, what are your views now?

0 Karma

umairahmad3985
Path Finder

The way I was currently going to approach this was as follows:

1- Create Custom SPL commands for each of our APIs
2- Create UI Dashboards for each indicator type (IP, Domain, URL)
3- Provide a TextInput in each dashboard where user can input the indicator value
4- Visualizations in each UI Dashboard which use our custom SPL commands to populate themselves with data from our server.

0 Karma

LukeMurphey
Champion

I think the only thing you might want to do in that case is to have the data from your search commands stored in CIM format.

Other than that, there likely isn't much you would need to do to integrate with ES.

I updated the answer accordingly.

0 Karma

umairahmad3985
Path Finder

Thanks @LukeMurphey for validating my approach. The only thing I was not clear about was the CIM model. Can you point out to any examples that can help me normalize my API data with Splunk CIM?

0 Karma

LukeMurphey
Champion

The docs are here: https://docs.splunk.com/Documentation/CIM/4.14.0/User/Overview

It is pretty simple. You just need to use certain field value, field names and tags.

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...