New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data protection in Google Cloud infrastructure. The Cloud IDS add-on enables Splunk customers to address threat detection for intrusions, malware, spyware, and command-and-control attacks on your network in Google Cloud. Below we’ll go deeper into GCC Cloud IDS capabilities, integration, and configuration with Splunk.  

Google’s Cloud IDS provides cloud-native network threat detection with industry-leading security. It works by creating a Google-managed peered network with mirrored VMs. Traffic in the peered network is mirrored and then inspected in order to provide advanced threat detection. In Google Cloud IDS you can configure which traffic to mirror: all traffic, based on protocol, IP address range, ingress, or egress. You can monitor VM-to-VM communication and have full visibility into network traffic, including both north-south and east-west traffic.

For detection and alerting Cloud IDS uses IDS endpoints and advanced threat protection. IDS endpoints is a zonal resource inspecting mirroring traffic from any zone inside its region - Cloud IDS support using VPC networks by assigning new subnets for each endpoint. Cloud IDS advanced threat detection uses multiple identification techniques to determine the identity of applications traversing your network, irrespective of port, protocol, evasive tactic, or encryption as well as digital signature sets which can be configured through Cloud IDS service profile. For more details on threat protections and configuring please refer to Google Cloud IDS overview.

Cloud IDS detects and alerts on threats, so by using Cloud IDS add-on you may ingest these data points onto Splunk and take actions and address these vulnerabilities. In the add-on you can configure how threat alerts and traffic are interpreted, field extractions, and Common Information Model mapping. To install the Splunk add-on please go to Google Cloud IDS Add-on for Splunk and then install it on all Splunk Search Heads instances. For Splunk Cloud customers please refer to Install apps on your Splunk Cloud Platform deployment. For customer-managed deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install (the part referring to Search Heads installation).

The add-on currently supports two source types : “google:gcp:ids:threat” for the IDS Threat alerts and “google:gcp:ids:traffic” for the IDS Traffic data, and two events - gcp_ids_threat and gcp_ids_traffic respectively. Using this data allows Splunk customers to address several types of threats and use Splunk SOAR for mitigation automation.

For more information on configuration and troubleshooting please take a look at Google Cloud IDS Add-on for Splunk documentation.

— Alexey Bokov, Cloud Strategist at Splunk