Currently working on an integration betweek Splunk and RSA Archer eGRC. We are working with the security operations model with the plan that when a Notable event triggers, the alerts and notable would then be forwarded to the SOC module within Archer.
We have established connection and have shown that we can pass events between the two systems, but not with the provided templates to get the correct info over to Archer.
Here is the very basic search we are using:
sourcetype=cisco:asa eventtype="Justin Test"
| stats count by _time
| where count>=1
| eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac + " deviceip=" + dvc
This creates the _raw feld and includes the data there following. This is where our issue lies. With the full search provided, it does not create the eval field. If I remove everything after the first closing quotation marks it will create the _raw field. I think the first issue arrises with the " + source +"
Any thoughts? I believe this syntax was written for 6.0.1 and thus perhaps the eval command has changed since then? Just spitballing and wanted to get another set of eyes.
You stats
command is the issue. After the stats command you are only left with count
and _time
fields. So none of the other fields exist. Try this
sourcetype=cisco:asa eventtype="Justin Test"
| eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac + " deviceip=" + dvc
| stats count values(_raw) as _raw by _time
| where count>=1
| table _raw