Splunk SIEM

SIEM that can be used to generate and triage alerts

What is Splunk?

Splunk is designed to help IT, DevOps, and security teams improve their organizations by optimizing data from a variety of sources. Its purpose is to improve the use of data within these types of organizations to gain clarity and drive innovation.

Integration actions

Splunk can remotely launch Cyber Triage collections and users can export Cyber Triage data into Splunk.

Whom is it built for?

Internal IR Teams.

Why is it useful?

The Cyber Triage analysis results are imported into Splunk so that the data is available for future investigations. Users have more context when they investigate similar alerts in the future, and they know how common a process is or where else it was seen. Resolving incidents faster maximizes your analysts’ time because they won’t need to wait for the collection to happen, and having the most context in your SIEM improves future alert triage.

Where is it used?

The Cyber Triage/Splunk integration allows you to remotely start collections about suspicious endpoints and bring the results back to Splunk for multi-source correlations and alert triage.

What are the usage details?

Cyber Triage allows you to perform a mini-forensic investigation on an endpoint. It pushes a collection tool to the remote endpoint to collect volatile and file system data and analyzes the data. You can start a collection from within Splunk and import the Cyber Triage results.

STEP 1: Starting a Collection

To start a collection of a remote endpoint, you’ll need to configure the app to define things like the Cyber Triage Server hostname and API key.

You can start the collection by adding Cyber Triage as a “Trigger Action” for an Alert. You will need to specify the hostname or IP of the target endpoint.

If you configured Cyber Triage so that it uses your own SSL certificate instead of the default one, then change the verify server cert property in the Splunk app to True and place your PEM formatted cert into %SPLUNK_HOME%\etc\auth as cybertriage.pem.

STEP 2: Importing Data

You can also import your Cyber Triage results back into Splunk so that you can later do searches and correlations. You can do this with the Standard (desktop) and Team versions of Cyber Triage.

You first need to generate a JSON Report from the Cyber Triage dashboard. Next, import it into Splunk with the “Add Data” feature. Pick the JSON file and set the source type to Application/cybertriage. This will map Cyber Triage data to the following CIM data models:

  • Authentication/Failed_Authentication
  • Authentication/Successful_Authentication
  • Application_State/All_Application_State/Ports
  • Application_State/All_Application_State/Processes
  • Application_State/All_Application_State/Services
  • Change_Analysis/Account_Management/Accounts_Created
  • Network_Traffic/All_Traffic
  • Malware
  • Web
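
As an added example (not code from the Cyber Triage app or its documentation), the following SPL search uses the Application_State/Processes mapping above to answer the question raised earlier of how common a process is and where else it was seen: it counts the distinct endpoints on which each process name appears across all imported reports and surfaces the processes seen on only one or two hosts, which are the ones that merit a closer look during triage. The sourcetype value `cybertriage` and the CIM field `All_Application_State.process_name` are assumptions; adjust them to match what the Add Data step assigned in your deployment.

```spl
| tstats count AS events dc(All_Application_State.dest) AS distinct_hosts
    FROM datamodel=Application_State.Processes
    WHERE sourcetype="cybertriage"
    BY All_Application_State.process_name
| rename All_Application_State.process_name AS process_name
| where distinct_hosts <= 2
| sort distinct_hosts process_name
```

The same pattern works against the other datasets listed above: swap in `datamodel=Authentication.Failed_Authentication` with `BY Authentication.user Authentication.dest` to see which accounts are failing logons across collected endpoints, or `datamodel=Application_State.Services` to find services that exist on a single host only. Because `tstats` runs against the accelerated data model rather than raw events, these prevalence checks stay fast as the number of imported reports grows.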

What is the required Cyber Triage version?

Team.

Additional links

For more information about this integration contact our sales team: sales@cybertriage.com.
