Splunk Integration
- Updated on 07 May 2024
Summary
The Silent Push Events Collector is a plugin developed by Silent Push that collects IoCs from the Silent Push App directly into your Splunk Enterprise instance.
The data is collected according to the Filter Profiles created in the Silent Push App.
Here's a quick tutorial video that explains the basics: https://www.silentpush.com/blog/threat-intelligence-app-for-splunk-now-available
Before you start
This guide is strictly for Splunk Enterprise users and assumes you already have the following to hand:
- A Splunk Enterprise instance running.
- The admin credential for it.
- Your Splunk Base credentials.
- A Silent Push account.
- An active Filter Profile on the Silent Push app.
Installation
To install the Splunk Add-On:
1. Go to Menu > Apps > Find More Apps
2. Type Silent Push in the search box, and hit Enter
3. Locate Silent Push Events Collector
4. Click the Install button
5. Enter your Splunk Base credentials
6. Accept the terms and conditions
7. Click Enter
Configuration
Generating an API key
If you don't already have one, you'll have to generate a Silent Push API key. To do so, follow these steps:
1. Navigate to Menu > Organization
2. Select the API Keys tab
3. Click on Add New API Key
4. Type a Nickname for your API Key (e.g. 'Splunk Add-on')
5. Select an Expiration date
6. Click Create
7. Your API Key should now appear in the list of keys
8. Copy it to your clipboard by clicking the Copy button
Adding your API key
Now that you have your Silent Push API Key, go back to your Splunk Enterprise instance and, in the "Silent Push Events Collector" Add-on you just installed, follow these steps:
1. Navigate to Menu > Settings
2. Paste your Silent Push API Key, and save it
If successful, you'll receive a notification informing you that your API key has been saved.
Collecting data
After you have configured the Add-On, navigate to Filter Profiles in Splunk Enterprise.
Splunk will now display a list of Filter Profiles that you have configured within the Silent Push app.
The data will be collected automatically according to the periodicity defined in the Settings. You do, however, have to define the Splunk index which the data will be pulled into; to do this, simply select the required index for each Filter Profile.
You can manually pull data by clicking the Pull button.
If the sync has worked, after clicking the Pull button your index will be populated with the IoCs contained within the associated Silent Push Filter Profile.
To check the index:
1. Navigate to Search & Reporting
2. Type index="yourindexname"
3. Select All time (real-time) next to the Search icon
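As an added example (not part of the original guide), the following SPL search goes one step beyond the bare `index="yourindexname"` check: it confirms that IoCs actually landed and shows when the most recent pull happened, which is a quick way to tell whether the scheduled collection is still running. It assumes your index is named `yourindexname` and that each pull arrives as one or more events in that index; the `source` field is used only as a grouping key and may differ in your deployment.

```spl
index="yourindexname" earliest=-7d
| stats count AS ioc_count, min(_time) AS first_seen, max(_time) AS last_pull BY source
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_pull=strftime(last_pull, "%Y-%m-%d %H:%M:%S"),
       hours_since_last_pull=round((now() - strptime(last_pull, "%Y-%m-%d %H:%M:%S")) / 3600, 1)
| sort - hours_since_last_pull
```

If `hours_since_last_pull` grows past the periodicity you set in Settings, the scheduled pull has stopped and the API key or index configuration should be checked.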
Two new adaptive response actions
If you have a Splunk Enterprise Security subscription, you also have two new Adaptive Response Actions:
- Silent Push - Enriching (enriches the notable with Silent Push contextual data)
- Silent Push - Scoring (re-scores the notable through Silent Push, only when the notable score is lower than Silent Push score)
Adaptive Response - Enriching
This action will enrich the notable with Silent Push contextual data, such as AS name, subnet, etc.
To enrich your notable through Silent Push, follow these steps in Splunk Enterprise Security:
1. Navigate to Incident Review
2. Expand the notable you'd like to enrich
3. In the Actions column, click on the dropdown button and then Run Adaptive Response Actions
4. Inside the modal window, choose Silent Push - Enriching, and click Run
5. Close the modal window
6. In the notable's expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)
7. Click on the Silent Push - Enriching action you just ran
8. Another tab will open showing your action's details (you may need to change the time window on the right-hand side dropdown)
9. Expand the action details to see the Silent Push enriched data, prefixed by _SP
This is the adaptive response:
This is the enriched data, after the adaptive response is run:
Adaptive Response - Scoring
This action re-scores the risk object through Silent Push, but only when the risk object score is lower than the Silent Push score.
To re-score your notable through Silent Push in Splunk Enterprise, follow these steps:
1. Navigate to Incident Review
2. Expand the notable you want to re-score
3. In the Actions column, click on the dropdown button and then Run Adaptive Response Actions
4. Inside the modal window, choose Silent Push - Scoring and click the Run button
5. Close the modal window
6. In the notable's expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)
7. Click on the Silent Push - Scoring action you just ran
8. Another tab should open showing your action details (you may need to change the time window on the right-hand dropdown menu)
If you expand the action details, you should see something like:
newriskscore = 90
annotations.all = winning risk factor: asntakedownreputation
annotations.frameworks = Silent Push
This is what the re-scored data should look like:
You can also view additional details on the Risk Analysis dashboard:
Obtaining live WHOIS data
You're also able to add the most recent WHOIS data to a domain notable:
1. Navigate to Incident Review
2. Expand the domain notable in question
3. In the Actions column, click the dropdown button and then Run Adaptive Response Actions
4. Inside the modal window, choose Silent Push - Who Is Live Information and click Run
5. Close the modal window
6. In the notable's expanded details, you'll see your action in the Adaptive Responses table (you may need to refresh it)
7. Click on the Silent Push - Who Is Live Information action
8. Another tab will open showing your action details (you may need to change the time window on the right-hand dropdown menu)
9. Expand the action details to see the Silent Push Who Is data, prefixed by _SP
This is what the response looks like:
This is the outputted WHOIS data, once the adaptive response has been run: