Splunk Integration
    • 07 May 2024
    • 4 Minutes to read
    • Dark
      Light

    Splunk Integration

    • Dark
      Light

    Article summary

    Summary

    The Silent Push Events Collector is a plugin developed by Silent Push intended to collect IoCs from the Silent Push App directly into your Splunk Enterprise instance.

    The data will be collected according to the Filter Profiles created in Silent Push App:

    splunkarch

    Here's a quick tutorial video that explains the basics - https://www.silentpush.com/blog/threat-intelligence-app-for-splunk-now-available

    Before you start

    This guide is strictly for Splunk Enterprise users and assumes you have already the following to hand:

    • A Splunk Enterprise instance running.
    • The admin credential for it.
    • Your Splunk Base credentials.
    • A Silent Push account.
    • An active Filter Profile on the Silent Push app.

    Installation

    To install the Splunk Add-On:

    1. Go to Menu > Apps > Find More Apps

    2. Type Silent Push in the search box, and hit Enter

    3. Locate Silent Push Events Collector

    4. Click the Install button

    5. Enter your Splunk Base credentials

    6. Accept the terms and conditions

    7. Click Enter

    Configuration

    Generating an API key

    If you don't already have one, you’ll have to generate a Silent Push API key. To do so, follow these steps:

    1. Navigate to Menu > Organization

    2. Select the API Keys tab

    3. Click on Add New API Key

    4. Type a Nickname for your API Key (e.g. 'Splunk Add-on')

    5. Select an Expiration date

    6. Click Create

    7. Your API Key should now appear in the list of keys

    8. Copy it to your clipboard by clicking the Copy button

    Adding your API key

    Now that you have your Silent Push API Key, go back to your Splunk Enterprise instance, in the “Silent Push Events Collector” Add-on we just installed, follow these steps:

    1. Navigate to Menu > Settings

    2. Paste your Silent Push API Key, and save it

    3. If succesfull, you'll receive a notification informing you that your API key has been saved.

    Collecting data

    After you have configured the Add-On, navigate to Filter Profiles in Splunk Enterprise.

    Splunk will now display a list of Filter Profiles that you have configured within the Silent Push app.

    The data will be collected automatically according to the periodicity defined in the Settings, although you have to define the Splunk index which the data will be pulled into, for this just simply select the required index:

    splunk_indexes

    You can manually pull data by clicking the Pull button.

    If the sync has worked, after pulling the data button, your index will be populated with the IoCs contained within the associated Silent Push Filter Profile.

    To check the index:

    1. Navigate to Search & Reporting

    2. Type index=“yourindexname”

    3. Select All time (real-time) next to the Search icon, as shown below:
      splunk_alltimerealtime

    Two new adaptive response actions

    If you have a Splunk Enterprise Security subscription, you also have two new Adaptive Response Actions:

    • Silent Push - Enriching (enriches the notable with Silent Push contextual data)
    • Silent Push - Scoring (re-scores the notable through Silent Push, only when the notable score is lower than Silent Push score)

    Adaptive Response - Enriching

    This action will enrich the notable with Silent Push contextual data, such as AS Name, subnet etc.

    To enrich your notable through Silent Push, follow these steps in Splunk Enterprise Security

    1. Navigate to Incident Review

    2. Expand the notable you'd like to enrich

    3. In the Actions column, click on the dropdown button and then Run Adaptive Response Actions

    4. Inside the modal window, choose Silent Push - Enriching, and click Run

    5. Close the modal window

    6. In the notables expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)

    7. Click on the Silent Push - Enriching action you just ran

    8. Another tab will open showing your action's details (you may need to change the time window on the right hand side dropdown)

    9. Expand the action details to see the Silent Push enriched data, prefixed by _SP

    This is the adaptive response:
    splunk_adaptiveresponse
    This is the enriched data, after the adaptive response is run:
    splunk_outputtedata

    Adaptive Response - Scoring

    This action re-scoresthe risk object through Silent Push, but only when the risk object score is lower than Silent Push score.

    To re-score your notable through Silent Push in Splunk Enterprise, follow these steps:

    1. Navigate to Incident Review

    2. Expand the notable you want to re-score

    3. In the Actions column, click on the dropdown button and then Run Adaptive Response Actions

    4. Inside the modal window, choose Silent Push - Scoring and click the Run button

    5. Close the modal window

    6. In the notable expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)

    7. Click on the Silent Push - Scoring action you just ran

    8. Another tab should open showing your action details (you may need to change the time window on the right-hand dropdown menu)

    9. If you expand the action details, you should see something like:

    newriskscore = 90
    annotations.all = winning risk factor: asntakedownreputation
    annotations.frameworks = Silent Push

    This is what the re-scored data should look like:
    splunk_rescoreddata

    You can also view additional details on the Risk Analysis dashboard:
    splunk_riskanalysis

    Obtaining live WHOIS data

    You're also able to add the most recent WHOIS data to a domain notable:

    1. Navigate to Incident Review

    2. Expand the domain notable in question

    3. In the Actions column, click the dropdown button and then Run Adaptive Response Actions

    4. Inside the modal window, choose Silent Push - Who Is Live Information and click Run

    5. Close the modal window

    6. In the notables expanded details, you'll see your action in the Adaptive Responses table (you may need to refresh it)

    7. Click on the Silent Push - Who Is Live Information

    8. Another tab will open showing your action details (you may need to change the time window on the right-hand dropdown menu)

    9. Expand the action details to see the Silent Push Who Is data prefixed by _SP

    This is what the response looks like:
    splunk_whosresponse
    This is the outputted WHOS data, once the adaptive response has been run:
    splunk_whosidata


    Was this article helpful?