Splunk Enterprise Security

Splunk Stream: How can I integrate Splunk Stream with Enterprise Security and get the Adaptive Response action to run one-off Streams to function?

gworkun
Explorer

Hey all,

Looking for any better documentation/steps on integrating Splunk Stream app with Enterprise Security.
Running Stream v. 7.1.1
Running Enterprise Security v. 4.7
OS/Environment: All Windows based

End goal is to get the Adaptive Response action to run one-off Streams to function.

I've seen the 2 step documentation on getting Stream installed (we have the Stream TA on a number of forwarders for testing, they receive configuration changes from the "splunk_app_stream" on our Non-ES Search Head just fine).

I've tested adding the Configuration Template (http://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/UseStreamconfigurationtemplates) to one of the forwarders that has the Stream TA.

For ES, I have a test Notable Event that I attempt to run the "Stream Capture" Adaptive Response action, filling out the "Fields" to search for as typical "src,src_ip,etc." fields, but the action either shows Failed or, if it shows Success at all, it does not pick up anything related to the source IP or destination IP of the Notable Event.

Just curious if there's anything missing or some better documentation on where the primary Splunk Stream app should reside (if it needs to be on the same search head as ES), if the Stream template needs to exist on the Stream TA that is on the search heads and not just the forwarders actually obtaining wire data, etc.

Any help would be fantastic! If more details are needed, let me know, and I'd be happy to supply.


stefanhutchison
Explorer

I believe your problem is that in order for the ES SH to be able to trigger the stream capture, it has to be the SH running the stream app that the forwarders are communicating with. At least, that is the impression I get from http://docs.splunk.com/Documentation/ES/4.7.4/Install/IntegrateSplunkStream

gworkun
Explorer

Thanks for the idea. I gave it a try, pointed the Universal Forwarder to the ES Search Head, turned off all the streams in the Stream app config to test being able to turn it on demand, and now I am seeing successes in the Adaptive Response section of the Notable Events, but I'm not seeing any actual data come in.

Essentially, I'm not seeing anything when the "orig_action_name=makestreams". Nothing is getting stream-ified.


gworkun
Explorer

An error I occasionally get when going to run the Adaptive Response action -> Stream Capture is the following:

"ERROR sendmodaction - signature="Splunkd daemon is not responding: ("Error connecting to /services/splunk_app_stream/streams/: ('The read operation timed out',)",)" action_name="makestreams"

OR

"ERROR sendmodaction - signature="No stream capture target" action_name="makestreams"

The first error I'm not sure what to do with, but the second error, I'm adding a number of fields to the "Fields" textbox to search for. I'm guessing the connection here to the forwarder is what needs to take place, but I'm not sure how to make contact.

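Added example, not from the thread or from Splunk: a small Python helper that parses sendmodaction error lines of the shape quoted above (the signature value itself contains double quotes, so the parser anchors on the trailing action_name field) and counts them by action and failure class, which is a quick way to see whether an Adaptive Response action is failing on connectivity to the splunk_app_stream REST endpoint or on resolving a capture target. The sample log is constructed from the two errors in the post; the class names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two error lines quoted in the thread
# (the first one repeated so the counts are not all 1).
SAMPLE_LOG = """\
ERROR sendmodaction - signature="Splunkd daemon is not responding: ("Error connecting to /services/splunk_app_stream/streams/: ('The read operation timed out',)",)" action_name="makestreams"
ERROR sendmodaction - signature="No stream capture target" action_name="makestreams"
ERROR sendmodaction - signature="Splunkd daemon is not responding: ("Error connecting to /services/splunk_app_stream/streams/: ('The read operation timed out',)",)" action_name="makestreams"
"""

# The signature text may contain nested quotes, so match it greedily and rely
# on the literal ' action_name="' that follows it as the delimiter.
LINE_RE = re.compile(
    r'^(?P<level>[A-Z]+)\s+sendmodaction - signature="(?P<signature>.*)" '
    r'action_name="(?P<action>[^"]+)"\s*$'
)

# Failure classes (hypothetical labels) derived from the signature text.
STREAM_ENDPOINT = "/services/splunk_app_stream/streams/"

def parse_line(line):
    """Return level/signature/action for one sendmodaction line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(signature):
    """Map a signature to a coarse failure class for triage."""
    if STREAM_ENDPOINT in signature or "not responding" in signature:
        return "stream_rest_unreachable"   # splunkd could not reach the Stream REST endpoint
    if signature == "No stream capture target":
        return "no_capture_target"         # action resolved no target from the Fields given
    return "other"

def triage(log_text):
    """Count ERROR lines by (action_name, failure class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        counts[(rec["action"], classify(rec["signature"]))] += 1
    return counts

if __name__ == "__main__":
    for (action, cls), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{action:12} {cls:24} {n}")
```

Run it against the lines exported from the action's log in `_internal` to see which class dominates before changing the deployment.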