This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
This document describes the steps required to integrate Splunk with the Mandiant Security Validation (MSV) Platform.
API Calls
The following API calls are used when integrating with MSV Platform.
| Purpose | Call |
|---|---|
| Login | /services/auth/login |
| Search | /services/search/jobs/export (this API uses exec_mode set to blocking to run the query) |
Prerequisites
Information to gather before you start:
- IP address used to access Splunk.
- Port for Splunk communications (default is 8089).
- Identify whether the protocol is HTTP or HTTPS for connections to the Splunk port.
- Identify or create credentials to access Splunk. Read permissions are required.
- Identify the field name mappings for the following:
- Source IP
- Destination IP
- Source Port
- Destination Port
- Event Signature ID
- Event Name
- Event Source Host
There could be multiple field names for each of these, depending on log sources and configurations.
- Verify that the Splunk account has the following capabilities enabled:
- accelerate_search
- edit_search_schedule_window
- export_results_is_visible
- get_metadata
- get_typeahead
- list_accelerate_search
- list_inputs
- list_metrics_catalog
- pattern_detect
- request_remote_tok
- rest_apps_view
- rest_properties_get
- rest_properties_set
- run_collect
- run_mcollect
- schedule_rtsearch
- search
- User is set to the GMT/UTC timezone
Create Alert conditions within Splunk
- Create an index to store the alert. Settings > Indexes > New Index. Fill in the name of the index.
- Create an alert by going to: Settings > Searches, Reports, and Alerts. Do this step in the Search & Reporting (search) app. Select New Alert.
- On the New Alert page, enter the following. This example creates a Crowdstrike alert for demo purposes that is triggered whenever Splunk sees an event with FileName=mimikatz.exe and action=blocked.
  - Name: Crowdstrike Mimikatz
  - Search: index="crowdstrike" AND action="blocked" AND "event.FileName"="mimikatz.exe"
  - Alert Type: Scheduled (this sets the alert search to run every 15 minutes)
  - Run on Cron Schedule
  - Time Range: Last 15 minutes (this setting should match your Cron schedule to avoid duplicate alerts)
  - Cron Expression: */15 * * * *
  - Expires: 24 Hours (default)
  - Trigger Conditions:
    - Trigger alert when: Number of Results is greater than 0 (an alert is triggered whenever the event is detected)
    - Trigger: For each Result
    - Throttle: Unchecked
  - Trigger Actions:
    - When triggered: Log Event
    - Event: time=$result._time$, hostname=$result.dest$, destination=$result.event.LocalIP$, action=$result.action$, base_event_uids=$result._cd$
      Add other fields if necessary, but this is the basic information that is required. In particular, base_event_uids=$result._cd$ links the alert to the base event so that MSV can match it. In general, $result.[field from source event]$ are the fields to match.
    - Source: alert:$name$ (the name of the event in the alert index)
    - Sourcetype: alert:crowdstrike (the source type of the event in the alert index)
    - Host: crowdstrike (the name of the Host in the alert index)
    - Index: msv_alerts (the name of the index that was created in Step 1)
For the corresponding MSV setup, refer to the Enable correlation query section. The following is an example of an alert that has been triggered:
[Screenshot: a triggered alert, showing the Action which triggered this alert and its Name]
Add the Splunk Integration
The %ACTOR_IPS% variable can be used in all queries. This variable improves event matching.
- Go to Settings > Integrations.
- Click Add Integration > Splunk.
- Enter information for the Host, Port, Protocol, Username, and Password or API Token.
Set the Authentication Method (defaults to Token with Bearer Token, Basic, and Token+Cookie as additional options).
- The Token method authenticates by logging in and creating a session token, not by using a token that you provide to the Security Validation Platform.
- The Bearer Token method authenticates over HTTP without requiring the Username and Password values. Bearer tokens are permanent unless they are revoked or given an expiry time by a Splunk system administrator.
- Basic Authentication use case: your Splunk instance is behind a proxy and requests may hit different search heads; with Token authentication, the session token created by logging into one search head would not work for requests on another search head. If you are using a load balancer, try using Token+Cookie for the authentication type. Otherwise, verify that the credentials are correct.
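The two API calls listed at the top of this document and the authentication methods described above, as an added example that is not part of the MSV or Splunk product code. It builds the login and export-search requests the integration sends, derives the Authorization header for the Token, Bearer Token and Basic methods (Token+Cookie is not modelled), and parses the login and export responses. The host name, credentials and response bodies are constructed for illustration.

```python
# Added example (not MSV or Splunk code): request construction and response
# parsing for /services/auth/login and /services/search/jobs/export.
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def base_url(host, port=8089, protocol="https"):
    """Management endpoint; 8089 is the Splunk default named in Prerequisites."""
    return f"{protocol}://{host}:{port}"


def login_request(host, username, password, port=8089, protocol="https"):
    """Token method: POST /services/auth/login to create a session key."""
    return {
        "method": "POST",
        "url": f"{base_url(host, port, protocol)}/services/auth/login",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"username": username, "password": password}),
    }


def session_key_from_login(xml_body):
    """Extract <sessionKey> from the login response; fail loudly if it is absent."""
    root = ET.fromstring(xml_body)
    key = root.findtext("sessionKey")
    if not key:
        raise ValueError("login response carried no sessionKey")
    return key


def auth_header(method, *, session_key=None, bearer_token=None,
                username=None, password=None):
    """Authorization header for the Token, Bearer Token and Basic methods."""
    if method == "Token":
        return {"Authorization": f"Splunk {session_key}"}
    if method == "Bearer Token":
        return {"Authorization": f"Bearer {bearer_token}"}
    if method == "Basic":
        raw = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {raw}"}
    raise ValueError(f"unknown authentication method: {method}")


def export_search_request(host, auth, spl, earliest, latest,
                          port=8089, protocol="https"):
    """Search: POST /services/search/jobs/export with exec_mode=blocking."""
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl  # the export endpoint needs a leading command
    body = urlencode({
        "search": spl,
        "exec_mode": "blocking",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    })
    return {
        "method": "POST",
        "url": f"{base_url(host, port, protocol)}/services/search/jobs/export",
        "headers": {**auth, "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def parse_export_results(ndjson_body):
    """The export endpoint streams one JSON object per line; keep final rows only."""
    rows = []
    for line in ndjson_body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview"):
            continue  # preview rows are superseded by the final rows
        if "result" in obj:
            rows.append(obj["result"])
    return rows


# Constructed sample responses, shaped like what Splunk returns.
SAMPLE_LOGIN_XML = "<response><sessionKey>CONSTRUCTED-SESSION-KEY</sessionKey></response>"
SAMPLE_EXPORT_NDJSON = "\n".join([
    '{"preview":true,"offset":0,"result":{"src_ip":"10.0.0.5"}}',
    '{"preview":false,"offset":0,"result":{"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","_cd":"3:101"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"src_ip":"10.0.0.6","dest_ip":"10.0.0.9","_cd":"3:102"}}',
])

if __name__ == "__main__":
    key = session_key_from_login(SAMPLE_LOGIN_XML)
    hdr = auth_header("Token", session_key=key)
    req = export_search_request("splunk.example.invalid", hdr,
                                "index=crowdstrike src_ip IN (10.0.0.5)",
                                "2024-01-01T11:55:00", "2024-01-01T12:00:00")
    print(req["url"])
    print(parse_export_results(SAMPLE_EXPORT_NDJSON))
```

The `_cd` field in the sample rows is the internal Splunk identifier that the correlation query section later relies on; requesting it explicitly in the search (for example with `| fields _cd`) is what makes it appear in exported results.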
Review and update the Query to include instance-specific field names, sources, data types, and other customizations.
This Integration supports the following variables inside queries:
| Variable | Description |
|---|---|
| %ACTOR_IPS% | IP addresses of Actors used to run an Action. |
| %DOMAINS% | Domain names queried in recent DNS Actions. |
| %SENDERS% | Email addresses and user names of senders in recent email Actions. |
| %RECIPIENTS% | Email addresses and user names of recipients of recent email Actions. |
| %HOST_CLI_ACTOR_IPS% | IP addresses of Actors that recently ran a Host CLI Action. |
| %HOST_CLI_ACTOR_HOSTNAMES% | Hostnames of Actors that recently ran a Host CLI Action. |
| %LAST_INDEX% | The start time for the query window. |
The default queries can be viewed by clicking Show default query. The query includes information that allows event matching based on any file hashes included in an Action.
Expand Advanced options.
(Optional) Update Query time (minutes) and Delay time (minutes).
The Query time is the number of minutes before and after the query runs that the platform looks for events, while the Delay time is the number of minutes that the platform waits to run the first query after a Job Action starts. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Action starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This continues at each interval, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same queries, but it wouldn't start the first one until 12:10:00.
If your monitors are set to run more frequently than the query time, this configuration impacts the pass/fail results for AEDA monitors.
(Optional) Select Enable query for Malicious DNS Actions and configure the Query. This query is only used when you run Malicious DNS Actions or Captive DNS Actions.
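The query-window arithmetic for Query time, Query interval and Delay time, reproduced as an added example (not the platform's own scheduler code). It generates every query window for the worked values above, with the 12:00:00 Job Action start from the text on a constructed date, and shows that Delay time moves when the queries are issued but not the windows they search.

```python
# Added example (not MSV product code): query windows for one Job Action
# given Query time (minutes), Query interval (seconds) and Delay time (minutes).
from datetime import datetime, timedelta
from typing import List, NamedTuple


class QueryRun(NamedTuple):
    run_at: datetime    # when the platform issues the query
    earliest: datetime  # start of the window searched
    latest: datetime    # end of the window searched


def query_runs(job_start: datetime, query_time_min: int,
               query_interval_sec: int, delay_min: int = 0) -> List[QueryRun]:
    """Every query the platform runs for one Job Action, in order.

    The window slides in interval-sized steps from [start - query_time, start]
    to [start, start + query_time]; Delay time postpones when each query is
    issued but does not move the window itself.
    """
    if query_time_min <= 0 or query_interval_sec <= 0:
        raise ValueError("query time and interval must be positive")
    span = timedelta(minutes=query_time_min)
    step = timedelta(seconds=query_interval_sec)
    delay = timedelta(minutes=delay_min)
    runs = []
    offset = timedelta(0)
    while offset <= span:
        anchor = job_start + offset
        runs.append(QueryRun(anchor + delay, anchor - span, anchor))
        offset += step
    return runs


def as_splunk_time(dt: datetime) -> str:
    """ISO form accepted by earliest_time/latest_time on the search endpoint."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


# Constructed date; the 12:00:00 start and the 5 / 30 / 0 values are from the text.
JOB_START = datetime(2024, 1, 1, 12, 0, 0)


def example_runs(delay_min: int = 0) -> List[QueryRun]:
    """The worked example from the text: Query time 5, interval 30 seconds."""
    return query_runs(JOB_START, query_time_min=5, query_interval_sec=30,
                      delay_min=delay_min)


if __name__ == "__main__":
    for r in example_runs():
        print(r.run_at.time(), as_splunk_time(r.earliest), as_splunk_time(r.latest))
```

With these values the platform issues eleven queries, one every 30 seconds, so an event that lands in Splunk a few minutes after the Action still falls inside a later window; that is the reason a monitor that runs more often than the query time sees results before the last window has been searched.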
(Optional) Select Enable query for Email Actions and configure the Query. This query will only be used when you run Email Actions.
(Optional) Select Enable query for Host CLI Actions and configure the Query. This query will only be used when you run Host CLI Actions.
If you enable the Host CLI Actions query and use the %HOST_CLI_ACTOR_HOSTNAMES% variable, the platform substitutes both the plain hostname and the value of the Alternate Hostname field on the Actor configuration page.
(Optional) Select Pre-Process Event Correlation.
(Optional) Select Enable correlation query and fill in the pertinent information from the alert that was created in Splunk to set up MSV to search for the Splunk alerts.
Correlation queries let the Security Validation Platform recognize Splunk summary indexes as alerts in Job Action results. To build and use a Correlation Query on the platform, you must have a summary index. Correlation alerts populate this summary index. Use the name of the index in the integration's Correlation Query.
In the index, each row must contain a property for base event UIDs. The property should be an array of _cd values from the base events to which the alert is correlating.
_cd is an internal Splunk property that does not show up by default, but it exists in every index row. If your base_event_uids are stored as a comma-separated string, you can split them by adding '| eval base_event_uids = split(base_event_uids, ",")' to the end of your query. See the Splunk documentation for information on creating summary indexes.
- In the Correlation Query, replace CHANGE_ME_CORRELATION_INDEX with the name of your populated index in Splunk.
- See Correlated Events for information about how the Security Validation Platform matches correlated events to a Job Action. For further assistance configuring the Correlation Query to work with a summary index, contact Support.
- After the 15-minute runtime, you see that the alert correlated to the original Action run.
- (Optional) For Timeout for Query Requests (seconds), enter how much time to allow before the query times out. This timeout applies to all queries that you configure for this integration.
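The data shape the Correlation Query depends on, as an added example that is not the platform's own matching code. It fills the CHANGE_ME_CORRELATION_INDEX placeholder, normalises base_event_uids whether the summary index stores them as an array or as a comma-separated string (the case the split eval above handles), and joins each summary-index row to the base events whose _cd values it references. The summary-index rows, base events and _cd values are constructed; the join is illustrative, and the platform's actual matching is described under Correlated Events.

```python
# Added example (not MSV product code): correlation-query template filling and
# joining summary-index rows to base events by _cd. All data is constructed.
import re
from typing import Dict, List, Union

CHANGE_ME = "CHANGE_ME_CORRELATION_INDEX"
SPLIT_EVAL = '| eval base_event_uids = split(base_event_uids, ",")'
_SEP = re.compile(r"\s*,\s*")


def build_correlation_query(template: str, index_name: str,
                            split_string: bool = False) -> str:
    """Fill in the index placeholder; optionally append the split eval from the text."""
    if CHANGE_ME not in template:
        raise ValueError("template has no CHANGE_ME_CORRELATION_INDEX placeholder")
    query = template.replace(CHANGE_ME, index_name)
    return f"{query} {SPLIT_EVAL}" if split_string else query


def normalize_base_event_uids(value: Union[None, str, List[str]]) -> List[str]:
    """Accept an array of _cd values or a comma-separated string; return a clean list."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    if isinstance(value, str):
        return [p for p in _SEP.split(value.strip()) if p]
    raise TypeError(f"unsupported base_event_uids type: {type(value).__name__}")


def correlate(alert_rows: List[Dict], base_events: List[Dict]) -> List[Dict]:
    """Join each summary-index row to the base events its base_event_uids name.

    Illustrative join only; the platform's own matching is documented under
    Correlated Events.
    """
    by_cd = {e["_cd"]: e for e in base_events}
    out = []
    for row in alert_rows:
        uids = normalize_base_event_uids(row.get("base_event_uids"))
        out.append({
            "alert": row.get("source"),
            "matched": [by_cd[u] for u in uids if u in by_cd],
            "missing": [u for u in uids if u not in by_cd],  # stale or wrong _cd
        })
    return out


# Constructed sample data: two rows from the msv_alerts summary index (one
# stores the uids as an array, one as a comma-separated string) and three
# base events as the export endpoint would return them.
BASE_EVENTS = [
    {"_cd": "3:101", "src_ip": "10.0.0.5", "event.FileName": "mimikatz.exe"},
    {"_cd": "3:102", "src_ip": "10.0.0.6", "event.FileName": "mimikatz.exe"},
    {"_cd": "3:103", "src_ip": "10.0.0.7", "event.FileName": "notepad.exe"},
]
ALERT_ROWS = [
    {"source": "alert:Crowdstrike Mimikatz", "base_event_uids": ["3:101"]},
    {"source": "alert:Crowdstrike Mimikatz", "base_event_uids": "3:102, 3:999"},
]

if __name__ == "__main__":
    print(build_correlation_query(f"search index={CHANGE_ME}", "msv_alerts",
                                  split_string=True))
    for hit in correlate(ALERT_ROWS, BASE_EVENTS):
        print(hit["alert"], [e["_cd"] for e in hit["matched"]], hit["missing"])
```

A non-empty "missing" list is the quickest sign that the alert's Log Event action is not writing $result._cd$ into base_event_uids, or that the alert index and the base events are in different Splunk buckets than expected.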
(Optional) Select Discover network devices automatically.
Modify the Query Interval (seconds) and Event Time Adjustment (seconds), if necessary.
(Optional) Assign a Name.
(Optional) Choose Yes to save suspicious events.
Click Submit.
Set up Proxy Assignment
If all outbound connections go through a proxy, you may want to set up a proxy definition and assignment for your integration. For information on setting up your proxy rules, see Proxy Rules.
Verify Connectivity to Splunk
Click Test to verify that:
- The Director can communicate with Splunk on the port and protocol specified.
- The user credentials are working.
If there is an issue when running the test, a message identifies the specific cause of the error, helping to identify the settings you need to review.
Run a Malicious or Captive DNS Action and then review the last run query to verify:
- The custom DNS query works as expected (if configured).
Troubleshooting Jobs
If events are missing when running Jobs, check the integration's last query. It contains the specific query and errors that occurred when the query was run. In addition, it can provide status information when events for a Job are being processed.