Splunk

Integration version: 45.0

The Splunk app prepares cases with all of the relevant alerts and events from Splunk. There are two ways to ingest these cases into Google Security Operations SOAR: a pull-based method and a push-based method.

The first method is called pull based. Using this method, in order to ingest cases into Google Security Operations SOAR, you need to configure the Splunk Pull Connector, which pulls cases from the Splunk app. This method doesn't require any additional configuration in the Splunk app.

The second method is called push based. Using this method, the Splunk app performs API calls to Google Security Operations SOAR to add a new case. In order to work with this method, you need to generate a Google Security Operations SOAR API key and add a Google Security Operations SOAR URI in the configuration of the app.

Create an API key:

  1. Navigate to Settings > Advanced > API.

  2. Click the plus sign on the top right to add a new API key.

  3. Enter the name of the API key and click Create.

  4. Copy the API key.

How to configure Splunk to work with Google Security Operations SOAR

Prerequisites for enabling or disabling token authentication

Before you can enable token authentication, you must complete the following requirements:

  • The Splunk platform instance where you want to enable token authentication must not operate in legacy mode, where Splunk Web operates as a separate process. If the Splunk platform is in legacy mode, token authentication does not run. For more information on legacy mode, see the Start and Stop Splunk Enterprise document in the Splunk Enterprise Admin Manual.

  • The account that you use to log into the Splunk platform must hold a role that has the edit_tokens_settings Splunk platform capability before you can turn token authentication on or off.

Enable token authentication using Splunk Web

When token authentication is off, the following message displays on the Tokens page in Splunk Web:

Token authentication is currently disabled. To enable token authentication, click Enable Token Authentication.

Complete the following steps on the instance where you want to enable token authentication:

  1. Log in to the Splunk platform instance as an administrator user, or a user that can manage tokens settings. You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.

  2. After you log in successfully, in the system bar, select Settings > Tokens.

  3. Click Enable Token Authentication. The Splunk platform instance enables token authentication immediately, and there is no need to restart the instance.

Use Splunk Web to create authentication tokens

  1. In the system bar, click Settings > Tokens.

  2. Click New Token.

  3. In the New Token dialog, enter the Splunk platform user that you want to create the token for in the User field.

  4. Enter a short description of the token purpose in the Audience field.

  5. (Optional) In the Expiration list, select Absolute Time or Relative Time. This selection determines what to enter in the text field below the list.

    • If you selected Absolute Time, then two text fields appear under the list.

      1. Enter a valid date into the first field. You can also click the field to select a date from a pop-up calendar.

      2. Enter a valid 24-hour time in the second field.

    • Otherwise, one text field appears under the drop down list.

      1. Enter a string that represents how long after the current time you want the token to remain valid. For example, if you want the token to expire 10 days from now, enter +10d into this field.
  6. (Optional) In the Not Before list, select Absolute Time or Relative Time.

    Repeat the step you used for the Expiration control. The Not before time can neither be in the past, nor can it be later than the "Expiration" time.

  7. Click Create. The New Token window updates the Token field to show you the token that has been generated.

  8. Select all of the token text in the field. Depending on your operating system and browser, you can click on the Token field, then either triple click or press Ctrl-A or Command-A on your keyboard. Confirm that you have selected all of the token text. There are no further opportunities to see the whole token after you close the window.

  9. Copy the text from the Token field.

  10. Paste the token into a text file, e-mail, or other form of communication to the person you have authorized to use the token. Confirm that you share the token only with those who you have authorized to use it. Anybody who has the full token can use it to authenticate.

  11. Click Close.

  12. Use a token to configure the Google Security Operations SOAR Splunk integration.

Installation

Single search head

  1. Download the TA-Siemplify package to your local computer from https://splunkbase.splunk.com/app/5010/.

  2. Install the app on your search head.

    Select App: Search & Reporting. The Upload an app dialog appears.

  3. Click Choose File and select the app file.

  4. Click Upload. Wait until the file is uploaded.

  5. Restart Splunk.

Configure TA-Siemplify

  1. In Splunk Enterprise, go to the Apps page.

  2. Select Siemplify.

  3. In the Add on Settings tab, add the following:

    For push based method:

    • Set the Siemplify API URI to the URI of your Google Security Operations SOAR server.
    • Set Mode to Push mode.
    • In the API Key field, enter the token value that was generated in the API Keys section.

    For pull based method:

    • Set the Mode to Pull mode.
  4. Click Save.

Alert Configuration

To send alert and event data to Google Security Operations SOAR, a trigger action must be added to an existing Splunk Alert.

The Environment, Device Vendor, Device Product, and Event Type fields support event templating. Event templating allows the specific fields within Google Security Operations SOAR to be dynamically set based on values in the alert. To utilize event templating, surround a field name with square brackets '[ ]'. The first event in the alert will be used to fill in these fields.

Example: If you have an alert that contains a field device_vendor with a value of Microsoft, you can put [device_vendor] in the Device Vendor configuration parameter and when the alert is sent to Google Security Operations SOAR the vendor will be set to Microsoft.

  1. In Splunk, navigate to Alerts.

  2. In the Edit list, select Edit Alert.

  3. In the Trigger Actions section, navigate to Add Actions > Send Alert to Siemplify.

  4. Configure the Alert as follows:

    • Name: The value set here will affect the name of the Alert.
    • Priority: The value set here will affect the priority of the Google Security Operations SOAR case.
    • Category: Used to define the visual family.
    • Environment: Maps to the environment in Google Security Operations SOAR. Leave blank for no environment. Templating with square brackets is supported.
    • Device Vendor: Used to define the vendor of the system sending the event into Google Security Operations SOAR. If the alerts were generated by Microsoft Sysmon, use Microsoft, or take the value from a field within the alert/event using templating.
    • Device Product: Used to define the product of the system sending the event into Google Security Operations SOAR. If the alerts were generated by Microsoft Sysmon, this value should be Sysmon, or take the value from a field within the alert/event using templating.
    • Event Type: Used to define the event type in the Google Security Operations SOAR Event Configuration section. If the alert was looking for malicious processes, the event type should be something like "Process Found", or take the value from a field within the alert/event using templating.
    • Time Field: Used to define the StartTime and EndTime of the Google Security Operations SOAR Case. If this is not supplied, the add-on checks for the "_indextime" field. If it is unable to find "_indextime", it uses the time the alert was generated. Templating is not supported.
    • Expand MultiValue Fields: When this is set to 1, the system finds any multivalue fields and creates additional fields, one per value of the multivalue field. For example, if a multivalue field src_hosts contains the values Server1, Server2, Server3, the system creates the new fields src_hosts_0: Server1, src_hosts_1: Server2, src_hosts_2: Server3. This option is only supported when Bring All Events Data is disabled.
    • Bring All Events Data: This setting attempts to bring the raw events that make up an alert containing a transforming command (chart, timechart, stats, top, rare, contingency, highlight). To support this, a change to the Splunk Search Head is required.
  5. To enable raw events from transformation searches, copy $SPLUNK_HOME/etc/apps/TA-siemplify/default/savedsearches.conf to $SPLUNK_HOME/etc/apps/TA-siemplify/local/savedsearches.conf, edit $SPLUNK_HOME/etc/apps/TA-siemplify/local/savedsearches.conf, and uncomment the following line:

    #dispatch.buckets =1

  6. Save the file and restart Splunk for these settings to take effect.
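The event templating and the Expand MultiValue Fields option described in the Alert Configuration steps above, as an added example that is not code from the original page or from the TA-Siemplify add-on; the sample events are constructed and the function names are this example's own:

```python
import re
from typing import Any, Dict, List

# Constructed sample: the events that make up one triggered Splunk alert.
# The add-on resolves [field] placeholders from the FIRST event only.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"device_vendor": "Microsoft", "device_product": "Sysmon",
     "src_hosts": ["Server1", "Server2", "Server3"], "_indextime": "1612231318"},
    {"device_vendor": "Microsoft", "device_product": "Sysmon",
     "src_hosts": ["Server9"], "_indextime": "1612231320"},
]

# A placeholder is a field name surrounded by square brackets, e.g. [device_vendor].
PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")


def resolve_template(value: str, events: List[Dict[str, Any]]) -> str:
    """Replace every [field] in a configuration value with that field's value
    from the first event of the alert. Unknown fields are left untouched so a
    typo shows up verbatim in the SOAR case instead of being silently blanked."""
    if not events:
        return value
    first = events[0]

    def _substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in first:
            return match.group(0)
        field = first[name]
        # For a multivalue field take its first value; otherwise the value
        # would render as a Python list literal in the case.
        if isinstance(field, list):
            return str(field[0]) if field else ""
        return str(field)

    return PLACEHOLDER.sub(_substitute, value)


def expand_multivalue(event: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror 'Expand MultiValue Fields = 1': keep the original field and add
    <field>_<n> keys, one per value, so each value can be mapped separately."""
    expanded: Dict[str, Any] = dict(event)
    for key, value in event.items():
        if isinstance(value, list):
            for index, item in enumerate(value):
                expanded[f"{key}_{index}"] = item
    return expanded


def prepare_alert(config: Dict[str, str], events: List[Dict[str, Any]],
                  expand_multivalue_fields: bool = False,
                  bring_all_events_data: bool = False) -> Dict[str, Any]:
    """Resolve the templated case fields and, when the option is enabled AND
    'Bring All Events Data' is disabled (the only combination the add-on
    supports), expand multivalue fields in every event."""
    fields = {name: resolve_template(value, events) for name, value in config.items()}
    if expand_multivalue_fields and not bring_all_events_data:
        events = [expand_multivalue(event) for event in events]
    return {"fields": fields, "events": events}


if __name__ == "__main__":
    config = {"Device Vendor": "[device_vendor]", "Device Product": "[device_product]",
              "Event Type": "Process Found", "Environment": "[env]"}
    print(prepare_alert(config, SAMPLE_EVENTS, expand_multivalue_fields=True))
```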

Troubleshooting

To change the log level to DEBUG, complete the following steps:

  1. In Splunk Web, select your application.

  2. Go to Settings > Server settings > Server logging.

  3. For the Log level parameter, select DEBUG.

  4. Click Save.

Querying log data from Google Security Operations SOAR TA will depend on your Splunk implementation. If you have Splunk CIM installed, the logs will be in the cim_modactions index. Otherwise, the logs will be in the _internal index.

Network

API access from Google Security Operations SOAR to Splunk: allow traffic over port 8089.

How to deploy Google Security Operations SOAR add-on in cluster environment

To configure the deployment server and the search heads, complete the following steps:

  1. Log in to the deployment server using SSH.

  2. Make sure that the /opt/splunk/etc/system/local/serverclass.conf file exists. If not, create it:

    vi /opt/splunk/etc/system/local/serverclass.conf

    Example of the configuration is as follows:

    [global]
    # whitelist matches all clients.
    [serverClass:AllApps]
    [serverClass:AllApps:app:*]
    [serverClass:Google Security OperationsAPP]
    
  3. Upload and extract app file in the /opt/splunk/etc/deployment-apps directory.

  4. Create Splunk user if it doesn't exist:

    useradd splunk

  5. Create the splunk group if it doesn't exist:

    groupadd splunk

  6. Add Splunk user permissions for the app:

    chown splunk:splunk {app path}

  7. Login to search heads using SSH.

  8. Add search heads as clients to the deployment server:

    /opt/splunk/bin/splunk set deploy-poll IP_ADDRESS:8089 #(deployment server ip address)

  9. Restart all of the search heads.

  10. Log in to the UI of the deployment server.

  11. Navigate to Settings > Distributed Environment > Forwarder Manager.

  12. Go to the Server Classes tab and click New Server Class.

  13. Provide a name for the server class.

  14. Add Google Security Operations SOAR add-on as an app and the Search Heads as clients.

  15. Restart all of the Search Heads.

  16. Make sure that the app is configured properly on all search heads. Splunk doesn't consistently sync the apps across the cluster.

Known Issues

If the logs contain the error "int() argument must be a string, a bytes-like object or a number, not 'NoneType'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed", make sure that the API root and API key parameters in the configuration have a value, even if you are working with the Pull mode.

Configure Splunk integration in Google Security Operations SOAR

The Splunk integration gives you the ability to verify the connection using a CA Certificate file. This is an additional connection verification method.

To use this method you need to have the following:

  • CA Certificate file
  • Splunk integration version 26.0 or higher

Configure the integration in Google Security Operations SOAR:

  1. Parse your CA Certificate file into a Base64 string.

  2. Open the integration configuration page.

  3. In the CA Certificate File field, enter the CA Certificate string.

  4. To test the connection, select the Verify SSL checkbox and click Test.

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

  • Instance Name (String, default N/A, optional): Name of the Instance you intend to configure the integration for.
  • Description (String, default N/A, optional): Description of the Instance.
  • Server Address (String, default {SCHEMA}://{IP}:{PORT}, mandatory): Address of the Splunk Server.
  • Username (String, default N/A, optional): The email address of the user which should be used to connect to Splunk.
  • Password (Password, default N/A, optional): The password of the according user.
  • API Token (Password, default N/A, optional): Splunk API Token. When this field is not empty, the API token has priority over the other authentication methods.
  • Verify SSL (Checkbox, unchecked by default, optional): Use this checkbox if your Splunk connection requires SSL verification.
  • CA Certificate File (String, default N/A, optional): Base64-encoded CA certificate file.
  • Run Remotely (Checkbox, unchecked by default, optional): Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Get Host Events

Description

Get events related to hosts in Splunk.

Parameters

  • Event Per Host Limit (Integer, default 100, mandatory): Specify how many events to return per host.
  • Results From (String, default -24h, mandatory): Specify the start time for the events.
  • Results To (String, default now, mandatory): Specify the end time for the events.
  • Result fields (CSV, default N/A, optional): Specify a comma-separated list of fields that need to be returned.
  • Index (String, default N/A, optional): Specify what index should be used when searching for events related to the host. If nothing is provided, the action will not use an index.
  • Host Key (String, default host, optional): Specify what key should be used to get information about host events. Default: host.

Run On

This action runs on the Hostname entity.

Action Results

Script Result
  • success: True/False (example: success:False)
JSON Result
[{
    "app": "SA-AccessProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087674",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "0",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".404",
    "_time": "2021-02-02T04:01:58.404+02:00"
},
{
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087731",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms",
    "_serial": "1",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "splunkd_access",
    "_subsecond": ".172",
    "_time": "2021-02-02T04:01:58.172+02:00"
},
{
    "app": "SA-EndpointProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087653",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "2",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".804",
    "_time": "2021-02-02T04:01:57.804+02:00"
}]
Case Wall

Output message (type: General):

The action should not fail nor stop a playbook execution:

  • If successful and results are available: "Successfully returned events for the following hosts in Splunk: \n {0}".format(entity.identifier)
  • If successful and results are not available for some: "No events were found for the following hosts in Splunk:\n {0}".format(entity.identifier)
  • If successful and results are not available for all: "No events were found for the provided hosts in Splunk"

The action should fail and stop a playbook execution:

  • If fatal error, like wrong credentials, no connection to server, other: 'Error executing action "Get Host Events". Reason: {0}'.format(error.Stacktrace)
  • If 400: 'Error executing action "Get Host Events". Reason: {0}'.format(messages/text)

Case Wall Table:

Name: {Entity.identifier} Events

Columns: Based on the results.

Ping

Description

Test connectivity to Splunk with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
  • is_success: True/False (example: is_success:False)

Case Wall

Output message (type: General):

The action should not fail nor stop a playbook execution:

  • If successful: "Successfully connected to the Splunk server with the provided connection parameters!"

The action should fail and stop a playbook execution:

  • If not successful: "Failed to connect to the Splunk server! Error is {0}".format(exception.stacktrace)

Splunk Csv Viewer

Description

Parameters

  • Results (String, default N/A, mandatory): Raw results.

Run On

This action runs on all entities.

Action Results

Script Result
  • is_succeed: True/False (example: is_succeed:False)

SplunkQuery

Description

Execute a query in Splunk.

Parameters

  • Search Mode (DDL, default Smart, optional): Specify the mode for executing the search. Possible values: Verbose, Smart, Fast.
  • Query (String, mandatory): Specify the query that needs to be executed. Example: index="_internal"
  • Results count limit (Integer, default 100, optional): Specify how many results to return. Note: this parameter appends the "head" keyword to the provided query. Default is 100.
  • Results from (String, default -24h, optional): Specify the start time for the query. Default: -24h
  • Results to (String, default now, optional): Specify the end time for the query. Default: now.
  • Result fields (CSV, optional): Specify a comma-separated list of fields that need to be returned. Note: this parameter appends the "fields" keyword to the provided query.

Run On

This action doesn't run on entities.

Action Results

Script Result
  • is_succeed: True/False (example: is_succeed:False)
JSON Result
[{
    "app": "SA-AccessProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087674",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "0",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".404",
    "_time": "2021-02-02T04:01:58.404+02:00"
},
{
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087731",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms",
    "_serial": "1",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "splunkd_access",
    "_subsecond": ".172",
    "_time": "2021-02-02T04:01:58.172+02:00"
},
{
    "app": "SA-EndpointProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087653",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "2",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".804",
    "_time": "2021-02-02T04:01:57.804+02:00"
}]
Case Wall

Output message (type: General):

The action should not fail nor stop a playbook execution:

  • If successful and results are available: 'Successfully returned results for the query "{0}" in Splunk'.format(query)
  • If successful and results are not available: 'No results were found for the query "{0}" in Splunk'.format(query)
  • Async message: "Waiting for query {0} to finish execution.".format(query name)

The action should fail and stop a playbook execution:

  • If fatal error, like wrong credentials, no connection to server, other: 'Error executing action "SplunkQuery". Reason: {0}'.format(error.Stacktrace)
  • If 400: 'Error executing action "SplunkQuery". Reason: {0}'.format(messages/text)

Case Wall Table (type: General):

Name: Splunk Query Results

Columns: Based on the results.

Submit Event

Description

Submit event to Splunk.

Parameters

  • Index (String, default main, mandatory): Specify the index where the event should be created.
  • Event (String, default N/A, mandatory): Specify the raw event that needs to be submitted.
  • Host (String, default N/A, optional): Specify the host that is related to the event.
  • Source (String, default N/A, optional): Specify the source of the event. Example: www.
  • Sourcetype (String, default N/A, optional): Specify the source type of the event. Example: web_event

Run On

This action doesn't run on entities.

Action Results

Script Result
  • success: True/False (example: success:False)
JSON Result
{
    "index": "default",
    "bytes": 70,
    "host": "dogo",
    "source": "www",
    "sourcetype": "web_event"
}
Case Wall

Output message (type: General):

The action should not fail nor stop a playbook execution:

  • If successful: 'Successfully added a new event to index "{0}" in Splunk.'.format(index)

The action should fail and stop a playbook execution:

  • If fatal error, like wrong credentials, no connection to server, other: 'Error executing action "Submit Event". Reason: {0}'.format(error.Stacktrace)
  • If 400: 'Error executing action "Submit Event". Reason: {0}'.format(messages/text)

Update Notable Events

Description

Update notable events in Splunk ES.

Parameters

  • Notable Event IDs (CSV, default N/A, mandatory): Specify IDs of notable events. Example: 1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7@@notable@@cb87390ae72763679d3f6f8f097ebe2b,1D234D5B-1531-2D2B-BB94-41C439BE12B7@@notable@@cb87390ae72763679d3f6f8f097ebe2b
  • Status (DDL, default Select One, mandatory): Specify the new status for the notable events. Possible values: Select One, Unassigned, New, In Progress, Pending, Resolved, Closed.
  • Urgency (DDL, default Select One, mandatory): Specify the new urgency for the notable event. Possible values: Select One, Critical, High, Medium, Low, Informational.
  • New Owner (String, default N/A, mandatory): Specify the new owner of the notable event.
  • Comment (String, default N/A, mandatory): Specify the comment for the notable event.

Run On

This action doesn't run on entities.

Action Results

Script Result
  • is_success: True/False (example: is_success:False)

Case Wall

Output message (type: General):

The action should not fail nor stop a playbook execution:

  • If successful and data is available (is_success=true): "Successfully updated {0} notable events in Splunk.".format(count(notable_events))
  • If the update fails (status_code=400, is_success=false): "Action wasn't able to update notable events. Reason:{0}".format(string_from_response)

The action should fail and stop a playbook execution:

  • If fatal error, like wrong credentials, no connection to server, other: 'Error executing action "Update Notable Events". Reason: {0}'.format(error.Stacktrace)

Execute Entity Query

Description

Execute an entity query in Splunk.

How to work with action parameters?

This action gives an ability to easily retrieve information related to entities. For example, it's possible to solve the use case where you want to see the amount of events of the endpoints affected by the provided hashes without any complicated query building. In order to solve this problem in Splunk you would need to prepare the following query:

index="main" | where (device_ip="10.0.0.1" or device_ip="10.12.12.12") and (hash="bad_hash_1" or hash="bad_hash_2")

In order to create the same query using the "Execute Entity Query" action, you need to fill out the action parameters in the following way:

  • Query: index="main"
  • IP Entity Key: device_ip
  • File Hash Entity Key: hash
  • Cross Entity Operator: AND

All of the other fields can be left empty.

If the use case is to see how many endpoints were affected by the provided hashes, then the configuration of the "Execute Entity Query" action looks as follows:

  • Query: index="main"
  • File Hash Entity Key: hash

"Cross Entity Operator" in this situation won't have an impact, because it only affects the query, when multiple "Entity Keys" are provided.
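How the query shown above is assembled from the action parameters (the per-type "or" groups, the Cross Entity Operator between types, the Stop If Not Enough Entities check, and the appended "fields" and "head" keywords), as an added example that is not the integration's own code; the entity type names, the escaping of identifiers and the order in which fields and head are appended are this example's assumptions:

```python
from typing import Dict, List, Optional

# Constructed sample scope: the entities of the case the action runs on,
# keyed by entity type. Hostnames are a known type but none are in scope.
SAMPLE_ENTITIES: Dict[str, List[str]] = {
    "IP": ["10.0.0.1", "10.12.12.12"],
    "FILEHASH": ["bad_hash_1", "bad_hash_2"],
    "HOSTNAME": [],
}


class NotEnoughEntitiesError(ValueError):
    """Raised when 'Stop If Not Enough Entities' is enabled and an entity type
    named in an '.. Entity Key' parameter has no entities in scope."""


def quote_value(value: str) -> str:
    """Wrap an entity identifier in double quotes, escaping backslashes and
    quotes so an identifier can never terminate the literal and smuggle extra
    SPL into the where clause (assumed escaping, not the integration's)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_entity_query(base_query: str,
                       entity_keys: Dict[str, str],
                       entities: Dict[str, List[str]],
                       cross_entity_operator: str = "OR",
                       stop_if_not_enough_entities: bool = True,
                       results_count_limit: Optional[int] = None,
                       result_fields: Optional[List[str]] = None) -> str:
    """Build the SPL the action would run.

    base_query   -- the 'Query' parameter, without a where clause
    entity_keys  -- entity type -> Splunk field name, e.g. {'IP': 'device_ip'}
    entities     -- entity type -> identifiers currently in scope
    Values of one type are joined with 'or'; the groups of different types are
    joined with the Cross Entity Operator. 'fields' and 'head' are appended
    last, in that order (an assumption of this example).
    """
    operator = cross_entity_operator.strip().lower()
    if operator not in ("and", "or"):
        raise ValueError(f"unsupported Cross Entity Operator: {cross_entity_operator!r}")

    groups: List[str] = []
    missing_types: List[str] = []
    for entity_type, field in entity_keys.items():
        if not field:
            continue  # key left empty: this entity type is not part of the query
        values = entities.get(entity_type, [])
        if not values:
            missing_types.append(entity_type)
            continue
        groups.append("(" + " or ".join(f"{field}={quote_value(v)}" for v in values) + ")")

    if missing_types and stop_if_not_enough_entities:
        raise NotEnoughEntitiesError(
            "not enough entity types were supplied for the specified Entity Keys: "
            + ", ".join(missing_types))

    query = base_query.strip()
    if groups:
        query += " | where " + f" {operator} ".join(groups)
    if result_fields:
        query += " | fields " + ", ".join(result_fields)
    if results_count_limit is not None:
        query += f" | head {results_count_limit}"
    return query


if __name__ == "__main__":
    print(build_entity_query('index="main"', {"IP": "device_ip", "FILEHASH": "hash"},
                             SAMPLE_ENTITIES, cross_entity_operator="AND"))
```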

Parameters

  • Search Mode (DDL, default Smart, optional): Specify the mode for executing the search. Possible values: Verbose, Smart, Fast.
  • Query (String, mandatory): Specify the query that needs to be executed, without the "where" clause. Example: index="_internal"
  • Results count limit (Integer, default 100, optional): Specify how many results to return. Note: this parameter appends the "head" keyword to the provided query. Default is 100.
  • Results from (String, default -24h, optional): Specify the start time for the query. Default: -24h
  • Results to (String, default now, optional): Specify the end time for the query. Default: now.
  • Result fields (CSV, default N/A, optional): Specify a comma-separated list of fields that need to be returned. Note: this parameter appends the "fields" keyword to the provided query.
  • IP Entity Key (String, default N/A, optional): Specify what key should be used with IP entities. Please refer to the action documentation for details.
  • Hostname Entity Key (String, default N/A, optional): Specify what key should be used with Hostname entities, when preparing the . Please refer to the action documentation for details.
  • File Hash Entity Key (String, default N/A, optional): Specify what key should be used with File Hash entities. Please refer to the action documentation for details.
  • User Entity Key (String, default N/A, optional): Specify what key should be used with User entities. Please refer to the action documentation for details.
  • URL Entity Key (String, default N/A, optional): Specify what key should be used with URL entities. Please refer to the action documentation for details.
  • Email Address Entity Key (String, default N/A, optional): Specify what key should be used with Email Address entities. Please refer to the action documentation for details.
  • Stop If Not Enough Entities (Checkbox, checked by default, mandatory): If enabled, the action will not start execution unless all of the entity types are available for the specified ".. Entity Keys". Example: if "IP Entity Key" and "File Hash Entity Key" are specified, but there are no file hashes in the scope, then the action will not execute the query when this parameter is enabled.
  • Cross Entity Operator (DDL, default OR, mandatory): Specify the logical operator used between different entity types. Possible values: OR, AND.

Run On

This action runs on the following entities:

  • IP Address
  • Host
  • User
  • Hash
  • URL

Action Results

Script Result
  • is_succeed: True/False (example: is_succeed:False)
JSON Result
[{
    "app": "SA-AccessProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087674",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:58.404 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-AccessProtection;Access - Default Account Usage - Rule\", search_type=\"\", user=\"admin\", app=\"SA-AccessProtection\", savedsearch_name=\"Access - Default Account Usage - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=0, dispatch_time=1612179969, run_time=51348.242, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtQWNjZXNzUHJvdGVjdGlvbg__RMD509c859ea7b9951b8_at_1612179932_61.40533\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "0",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".404",
    "_time": "2021-02-02T04:01:58.404+02:00"
},
{
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087731",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "127.0.0.1 - admin [02/Feb/2021:04:01:58.172 +0200] \"POST /servicesNS/nobody/SA-AccessProtection/saved/searches/Access%20-%20Default%20Account%20Usage%20-%20Rule/notify?trigger.condition_state=1 HTTP/1.1\" 200 1985 - - - 3ms",
    "_serial": "1",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "splunkd_access",
    "_subsecond": ".172",
    "_time": "2021-02-02T04:01:58.172+02:00"
},
{
    "app": "SA-EndpointProtection",
    "_bkt": "_internal~425~1A082D7B-D5A1-4A2B-BB94-41C439BE3EB7",
    "_cd": "425:9087653",
    "_indextime": "1612231318",
    "_kv": "1",
    "_raw": "02-02-2021 04:01:57.804 +0200 INFO  SavedSplunker - savedsearch_id=\"nobody;SA-EndpointProtection;Endpoint - Should Timesync Host Not Syncing - Rule\", search_type=\"\", user=\"admin\", app=\"SA-EndpointProtection\", savedsearch_name=\"Endpoint - Should Timesync Host Not Syncing - Rule\", priority=default, status=success, digest_mode=1, scheduled_time=1612179932, window_time=300, dispatch_time=1612179970, run_time=51347.420, result_count=0, alert_actions=\"\", sid=\"rt_scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5ef3c08822811b7cd_at_1612179932_62.25751\", suppressed=1, thread_id=\"AlertNotifierWorker-0\", workload_pool=\"\"",
    "_serial": "2",
    "_si": [
        "splunk",
        "_internal"
    ],
    "_sourcetype": "scheduler",
    "_subsecond": ".804",
    "_time": "2021-02-02T04:01:57.804+02:00"
}]
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and results are available: "Successfully returned results for the query "{0}" in Splunk".format(query)

If successful and results are not available: "No results were found for the query "{0}" in Splunk".format(query)

Async message: "Waiting for query {0} to finish execution.".format(query name)

If "Stop If Not Enough Entities" is enabled and not enough entity types are available for the provided "Entity Keys" (is_success=false): Action wasn't able to build the query, because not enough entity types were supplied for the specified ".. Entity Keys". Please disable "Stop If Not Enough Entities" parameter or provide at least one entity for each specified ".. Entity Key".

The action should fail and stop a playbook execution:

If a fatal error occurs, such as wrong credentials, no connection to the server, or another unrecoverable error: "Error executing action "Execute Entity Query". Reason: {0}".format(error.Stacktrace)

If 400: "Error executing action "Execute Entity Query". Reason: {0}".format(messages/text)

General
Case Wall Table

Name: Splunk Query Results

Columns: Based on the results.

General

Connectors

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

To configure the selected connector, use the connector-specific parameters listed in the following tables:

Splunk Query Connector

The connector sends queries that are a part of the dynamic list (whitelist), retrieves results, and builds a case based on the retrieved results.

Sample Splunk queries to view the logs

  1. Queries should be entered as the dynamic list (whitelist) rules.

  2. Search queries with multiple filters should use space as a delimiter between search filters—for example, index=cim_modactions sourcetype=modular_alerts:risk.

  3. Each dynamic list (whitelist) rule is executed as a separate search. Use multiple rules when you want separate searches; put multiple space-delimited filters into one rule when you want them combined in a single search.

    • index=cim_modactions
    • sourcetype=modular_alerts:send_data_to_siemplify
    • index=_internal sourcetype=splunkd
    • component=sendmodalert
    • action=send_data_to_siemplify
    • index=_internal source=/opt/splunk/var/log/splunk/send_data_to_siemplify_modalert.log

Connector parameters

To configure the connector, use the following parameters:

Parameters
Product Field Name Required

Input the source field name to retrieve the Product Field name.

Default value is device_product.

Event Field Name Required

Enter the source field name to retrieve the Event Field name.

Default value is app.

API Root Required

API root of the Splunk instance.

Default value is https://IP:8089.

Username Required

Username of the Splunk account.

Password Required

Password of the Splunk account.

API Token Optional

Splunk API token.

If this field has any value, the API token has priority over other authentication methods.

Verify SSL Required

If checked, verifies that the SSL certificate for the connection to the Splunk server is valid.

Unchecked by default.

Environment Field Name Optional

Name of the field where the environment name is stored.

Rule Generator Field Required

The name of the field used to map the rule generator value.

Alert Name Field Name Required

Alert name.

Events Count Limit Per Query Optional

Maximum number of events to fetch per query.

Max Day Backwards Optional

Number of days back from which to fetch events.

Aggregate Events Query Optional

If enabled, the connector will combine all events under one alert.

Disabled by default.

PythonProcessTimeout (Seconds) Required

Timeout limit for the python process running the current script.

Default value is 60 seconds.

Proxy Server Address Optional

Address of the proxy server to use.

Proxy Username Optional

Proxy username to authenticate with.

Proxy Password Optional

Proxy password to authenticate with.

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field.

The default value .* catches all and returns the value unchanged.

The parameter lets you manipulate the environment field using the regular expression logic.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Connector rules

The connector supports proxy.

Splunk Pull Connector

Pull alerts and events from Splunk into Google Security Operations SOAR.

Connector parameters

To configure the connector, use the following parameters:

Parameters
Product Field Name Required

Input the source field name to retrieve the Product Field name.

Default value is device_product.

Event Field Name Required

Enter the source field name to retrieve the Event Field name.

Default value is name.

Environment Field Name Optional

Name of the field where the environment name is stored.

If the environment field isn't found, the result environment is "".

Default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field.

The default value .* catches all and returns the value unchanged.

The parameter lets you manipulate the environment field using the regular expression logic.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is "".

PythonProcessTimeout (Seconds) Required

Timeout limit for the python process running the current script.

Default value is 60 seconds.

Server Address Required

IP address of the Splunk API server.

Port Required

Port of the Splunk instance.

Default value is 8089.

Username Required

Username of the Splunk account.

Password Required

Password of the Splunk account.

Time Frame Optional

Timeframe for fetching the alerts.

Default value is 1 hour.

Examples:

If the value is set to 1 minute, the connector fetches alerts starting from 1 minute ago.

If the value is set to 3 hours, the connector fetches alerts starting from 3 hours ago.

If the value is set to 1 day or week, the connector fetches alerts starting from 1 day (24 hours) or 1 week ago, respectively.

Alerts Count Limit Optional

Number of alerts returned by the connector per iteration.

Default value is 100.

Use SSL Optional

Check to enable the SSL or TLS connection.

Unchecked by default.

Proxy Server Address Optional

Address of the proxy server to use.

Proxy Username Optional

Proxy username to authenticate with.

Proxy Password Optional

Proxy password to authenticate with.

Connector rules

The connector supports proxy.

Splunk ES - Notable Events Connector

Ingest notable events from Splunk ES.

Define case priority

The case priority is defined by the Urgency parameter in the notable event. Only this parameter is taken into consideration when ingesting the notable event into Google Security Operations SOAR.

Connector parameters

To configure the connector, use the following parameters:

Parameters
Product Field Name Required

Input the source field name to retrieve the Product Field name.

Default value is Product Name.

Event Field Name Required

Enter the source field name to retrieve the Event Field name.

Default value is index.

Environment Field Name Optional

Name of the field where the environment name is stored.

If the environment field isn't found, the default environment is used.

Default value is "".

Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field.

The default value .* catches all and returns the value unchanged.

The parameter lets you manipulate the environment field using the regular expression logic.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
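The environment-resolution rules described for the Environment Field Name and Environment Regex Pattern parameters (here and in the Splunk Query and Splunk Pull connectors above), as an added example that is not the integration's own code. It assumes that a capture group, when present, selects the environment and that a non-matching pattern falls back to the default; the event fields are constructed.

```python
import re
from typing import Optional

# Added example, not part of the Splunk integration's own code. It models the
# documented behaviour: the pattern runs on the value of the environment field,
# ".*" returns the value unchanged, and an empty pattern or missing value falls
# back to the default environment ("" for the Pull connector, the Google SecOps
# SOAR default environment for the other connectors).


def resolve_environment(event: dict,
                        environment_field: Optional[str],
                        regex_pattern: Optional[str],
                        default_environment: str = "") -> str:
    """Return the environment name a connector would assign to `event`."""
    value = event.get(environment_field) if environment_field else None
    # Missing field or empty pattern: documented fallback to the default.
    if value is None or not regex_pattern:
        return default_environment
    match = re.search(regex_pattern, str(value))
    if match is None:
        # Assumption (not stated on the page): a non-matching pattern also
        # falls back rather than producing an empty environment name.
        return default_environment
    # Assumption: a capture group selects the environment when present;
    # otherwise the whole match is used, so ".*" returns the value unchanged.
    return match.group(1) if match.lastindex else match.group(0)


# Constructed sample notable-event fields (not real Splunk output).
SAMPLE_EVENT = {
    "search_name": "Access - Default Account Usage - Rule",
    "urgency": "high",
    "host": "web01.prod.example.com",
}
```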

Script Timeout (Seconds) Required

Timeout limit for the python process running the current script.

Default value is 180 seconds.

Server Address Required

Server address of the Splunk instance.

Default value is https://:8089.

Username Optional

Username of the Splunk account.

Password Optional

Password of the Splunk account.

API Token Required

Splunk API token.

If this field has any value, the API token has priority over other authentication methods.

Lowest Urgency To Fetch Required

Lowest urgency used to fetch notable events.

Possible values are:

  • Informational
  • Low
  • Medium
  • High
  • Critical

Default value is Medium.

Fetch Max Hours Backwards Optional

Number of hours back from which to fetch notable events.

Default value is 1 hour.

Only Drilldown Events Optional

If enabled, the connector attempts to fetch drilldown events without fetching base events. This parameter requires the Fetch Base Events option to be enabled.

Disabled by default.

Padding Time Optional

Number of hours used as padding.

If no value is provided, this parameter isn't applicable.

Max value is 12 hours.

Max Notable Events To Fetch Optional

Number of notable events to process per one connector iteration.

Default value is 10.

Use whitelist as a blacklist Required

If enabled, the dynamic list is used as a blocklist.

Disabled by default.

Verify SSL Required

If checked, verifies that the SSL certificate for the connection to the Splunk server is valid.

Unchecked by default.

Proxy Server Address Optional

Address of the proxy server to use.

Proxy Username Optional

Proxy username to authenticate with.

Proxy Password Optional

Proxy password to authenticate with.

Query Filter Optional

Additional query filter sent to Splunk to get notable events.

Value provided here is appended to the WHERE query clause.

Extract Base Events Optional

If enabled, the connector extracts the base events related to the notable event using information about the job. Otherwise, the connector creates a Google Security Operations SOAR event based on the notable event itself.

If this parameter is set to True but the connector can't work with jobs, the connector falls back to using the information in the notable event.

Enabled by default.

Multivalue Fields Optional

A comma-separated list of fields containing multiple entities.

For example, if a field contains two hostnames, the notable event is split into two Google Security Operations SOAR events to map entities correctly.

Notable Event Data Along Base Event Optional

If enabled, the connector adds Google Security Operations SOAR events based on the notable event in addition to base events.

Disabled by default.

Rule Generator Field Name Optional

The name of the field used to map the rule generator value.

Only information about the notable event itself is used for mapping; events are disregarded. If an invalid value is provided, the connector sets the field to the rule_name value.

Alert Name Source Optional

Source for the alert name.

Possible values are:

  • Search Name
  • Rule Name

Default value is Search Name.

How to use the Query Filter parameter

If there is a need to narrow down notable events based on the specific parameters, use the Query Filter parameter. The value provided in this parameter is appended to the WHERE clause of the query sent to get notable events.

The example of the sent query is as follows:

(`get_notable_index` OR `get_sequenced_index`) | eval `get_event_id_meval`,
rule_id=event_id | tags outputfield=tag | `mvappend_field(tag,orig_tag)` |
`notable_xref_lookup` | `get_correlations` | `get_current_status` | `get_owner`
| `get_urgency` | typer | where (urgency="medium" AND urgency="low") AND
(status_label="Unassigned" OR status_label="New")  | tail 50 | fields *

For example, if Query Filter = isTesting = True, the clause AND isTesting = "True" is appended to the WHERE clause and the query appears as follows:

search (`get_notable_index` OR `get_sequenced_index`) | eval epoch=_time | eval
`get_event_id_meval`,rule_id=event_id | tags outputfield=tag |
`mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` |
`get_current_status` | `get_owner` | `get_urgency` | typer | where
(urgency!="informational" AND urgency!="low" AND isTesting = "True") |
fields *
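How the Lowest Urgency To Fetch, Query Filter and Max Notable Events To Fetch parameters combine into a search of the shape shown above, as an added example that is not the connector's own code. The macro chain is copied from the sample query and treated as an illustration, not a contract; the validate_query_filter check is this example's own safeguard, not documented connector behaviour.

```python
# Added example, not the Splunk ES connector's own code. It assembles the
# notable-event search the way the sample queries above are shaped: the lowest
# urgency becomes a chain of urgency!=... conditions, Query Filter is appended
# to the WHERE clause verbatim, and the event limit becomes the tail stage.

URGENCY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed prefix mirroring the sample query's macro chain (assumption: the
# exact macro set the connector sends may differ).
_PIPELINE = (
    "search (`get_notable_index` OR `get_sequenced_index`) | eval epoch=_time "
    "| eval `get_event_id_meval`,rule_id=event_id | tags outputfield=tag "
    "| `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` "
    "| `get_current_status` | `get_owner` | `get_urgency` | typer"
)


def urgency_clause(lowest_urgency: str) -> str:
    """Exclude every urgency below the configured lowest one (Medium -> informational, low)."""
    lowest = lowest_urgency.lower()
    if lowest not in URGENCY_ORDER:
        raise ValueError(f"unknown urgency: {lowest_urgency}")
    excluded = URGENCY_ORDER[:URGENCY_ORDER.index(lowest)]
    return " AND ".join(f'urgency!="{u}"' for u in excluded)


def validate_query_filter(query_filter: str) -> str:
    """Reject filters that would leave the WHERE clause and add pipeline stages.

    The connector appends the value verbatim, so a filter containing "|" would
    no longer be a WHERE expression but a further command run with the
    connector's Splunk credentials. This check is the example's own addition.
    """
    if "|" in query_filter or "\n" in query_filter:
        raise ValueError("Query Filter must be a single WHERE expression without pipes")
    return query_filter.strip()


def build_notable_search(lowest_urgency: str, query_filter: str = "",
                         max_events: int = 10) -> str:
    """Assemble the full search string from the three connector parameters."""
    conditions = [urgency_clause(lowest_urgency)]
    if query_filter:
        conditions.append(validate_query_filter(query_filter))
    conditions = [c for c in conditions if c]  # Informational excludes nothing
    where = f" | where ({' AND '.join(conditions)})" if conditions else ""
    return f"{_PIPELINE}{where} | tail {max_events} | fields *"
```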

Connector rules

The Splunk ES connector uses dynamic list and blocklist (whitelist and blacklist). The connector uses the search_name field from the event to compare against the dynamic list.

Connector event

[{
    "indicator": "2012/06/29_21:50",
    "tlp": "TLP:RED",
    "itype": "mal_url",
    "severity": "very-high",
    "classification": "public",
    "detail": "",
    "confidence": 50,
    "actor": "",
    "feed_name": "import",
    "source": "admin",
    "feed_site_netloc": "localhost",
    "campaign": "",
    "type": "url",
    "id": "anomali:indicator-578a9be5-0e03-4ec0-940d-4b1842f40fd0",
    "date_last": "2020-07-15 08:12:07 AM",
    "Url": "indicator"
}, {
    "indicator": "2010/12/19_16:35",
    "tlp": "TLP:RED",
    "itype": "mal_url",
    "severity": "very-high",
    "classification": "public",
    "detail": "",
    "confidence": 50,
    "actor": "",
    "feed_name": "import",
    "source": "admin",
    "feed_site_netloc": "localhost",
    "campaign": "",
    "type": "url",
    "id": "anomali:indicator-52cadd07-330a-45fd-962f-32e22d36a89a",
    "date_last": "2020-07-15 08:12:07 AM"
}]

Jobs

Sync Splunk ES Closed Events

Description

Synchronizes closed Splunk ES notable events and Google Security Operations SOAR alerts.

Parameters

Server Address Required

Type: String. Default value is https://IP:8089.

Server address of the Splunk instance.

Username Optional

Type: String. No default value.

Username of the Splunk account.

Password Optional

Type: Password. No default value.

Password of the Splunk account.

API Token Required

Type: Password. No default value.

Splunk API token. When this field is not empty, the API token has priority over other authentication methods.

Max Hours Backwards Required

Type: Integer. Default value is 24 hours.

Specify how many hours backwards to synchronize statuses.

Verify SSL Required

Type: Checkbox. Checked by default.

If enabled, verifies that the SSL certificate for the connection to the Splunk server is valid.

Sync Splunk ES Comments

Description

This job will synchronize comments in Splunk ES events and Google Security Operations SOAR cases.

Parameters

Server Address Required

Type: String. Default value is https://IP:8089.

Server address of the Splunk instance.

Username Optional

Type: String. No default value.

Username of the Splunk account.

Password Optional

Type: Password. No default value.

Password of the Splunk account.

API Token Required

Type: Password. No default value.

Splunk API token. When this field is not empty, the API token has priority over other authentication methods.

Verify SSL Required

Type: Checkbox. Checked by default.

If enabled, verifies that the SSL certificate for the connection to the Splunk server is valid.