The Silent Push app for Splunk enhances your SIEM environment by integrating proactive threat intelligence. It enables real-time lookups, feed ingestion, and correlation of domains, IPs, and Indicators of Future Attack (IOFA) with Splunk event data, streamlining threat detection and response.
Key features
The Silent Push app integrates the following Silent Push data types into Splunk:
Indicators of Future Attack (IOFA): Provides early warnings of potential breaches by correlating with existing logs.
PADNS Data: Accesses DNS records and enriches context with metrics like IP Diversity for threat hunting and analysis.
Reputation Data: Investigates the history and trustworthiness of indicators like ASNs, nameservers, and subnets.
Enrichment Data: Retrieves context for domains, IPv4, and IPv6 to identify and understand potential security threats.
Web Scan Data: Searches historical IP scanning data, retrieves current metadata, and captures screenshots for incident response.
Correlation Results: Matches indicators within Splunk indices to enhance security monitoring and incident response.
Benefits
Direct Access to Silent Push Data: Splunk users gain seamless access to Silent Push's threat intelligence datasets.
Real-Time Threat Detection: Correlate logs with IOFAs for early breach warnings.
Improved Context for Indicators: Access enriched context for domains, IPs, and other indicators.
Automated Investigations: Automate data enrichment with reputation and risk scores for domains and IPs.
Enhanced Incident Response: Security logs are enriched with risk and reputation scores, enabling faster, informed decisions.
Visualization Dashboards: Visualize threat intelligence, including indicators, correlation results, and reputation details.
Requirements
In order to get started with the Silent Push app for Splunk, users must have the following:
Silent Push API Key: Obtain a valid API key from a Silent Push account.
Splunk Version: Compatible with Splunk Enterprise 9.0.x, 9.1.x, 9.2.x, 9.3.x, or Splunk Cloud.
Operating System: Platform-independent.
Optional:
Splunk Common Information Model (CIM) for matching indicators with data model events.
Splunk Enterprise Security (ES) for creating notable events based on correlations.
Deployment Options
Standalone Instance
Install the Silent Push app on a single Splunk instance and configure it as described in the Configuration section below.
Distributed Environment
Heavy Forwarder: Install the app to collect and forward Silent Push-enriched logs to indexers.
Search Head: Install to enable dashboards, correlation searches, and direct queries. In Search Head Clusters, install on all search heads but configure only one instance; configurations replicate via the KVStore.
Splunk Cloud
Install the app on a Splunk Cloud Search Head for correlation, searches, and dashboards.
For data collection, configure the app on a Splunk-managed Input Data Manager (IDM) or an on-premises Heavy Forwarder. Contact Splunk Support for IDM configuration assistance.
Install Silent Push Integration
From SplunkBase: Download the Silent Push Technical Add-on (TA) from SplunkBase.
Within Splunk: Navigate to Apps > Find More Apps, search for Silent Push, and install.
Configuration
Account Setup
Go to Configuration > Account.
Enter your Silent Push API Key and a unique Account Name (used only within the Splunk app).
Proxy (Optional)
For on-premises Splunk instances, configure a proxy for connecting to Silent Push for feed updates and lookups:
Navigate to Configuration > Account.
Specify proxy type (HTTP or SOCKS5), host, port, and credentials (if required).
Inputs
Configure Silent Push feeds (IOFA or custom feeds) for ingestion:
Go to Inputs > Create New Input.
Provide:
Name: Unique feed name in Splunk.
Silent Push Account: Select the configured account.
Index: Optional; specify if Collection Type is set to index.
Interval: Feed download interval (in seconds).
Threat Intelligence Type: Set to Feed (Filter Profile for legacy customers).
Source UUID: Copy the feed's UUID from the Silent Push URL (filter by Feed Name).
Correlation Settings
Customize how Silent Push indicators match Splunk event data:
Navigate to Configuration > Correlation Settings.
Configure:
Enabled Indicator Types: Select indicator types for correlation.
Search Matching Algorithm: Choose based on your data ingestion method:
Raw Search: Matches fields directly; ideal for custom or non-CIM-compliant data.
IP/Domain Target Query: Splunk queries to retrieve events for IP or domain correlation.
IP/Domain Target Fields: Event fields to match against IP or domain indicators.
Data Model Search: Matches against CIM data models for faster performance with normalized data.
Select Datamodels: Choose CIM data models (if Data Model Search is selected).
Tip: Raw Search offers flexibility; Data Model Search provides faster performance with normalized data.
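Before pasting a target query into the app, it is worth running it on its own to confirm it returns events with the target fields populated. The following two saved-search stanzas are an added example in savedsearches.conf form and are not configuration shipped with the Silent Push app: the first is a Raw Search style query over a custom, non-CIM source (the index, sourcetype and the field names client_ip, dest_ip and url_host are assumed stand-ins), the second is the Data Model Search equivalent over the standard CIM Web data model, which requires the CIM add-on and an accelerated Web data model.

```ini
# Added example, not part of the Silent Push app: two candidate target
# queries saved so they can be run and checked before being entered under
# Configuration > Correlation Settings. Index, sourcetype and the custom
# field names client_ip, dest_ip and url_host are assumed.

# Raw Search style: a custom, non-CIM source. The target fields entered in
# the app would be client_ip,dest_ip (IP) and url_host (domain). The stats
# line counts how many events actually carry each field.
[silent_push_check_raw_target_query]
description = Verify the raw target query returns populated target fields
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = index=proxy sourcetype=custom:proxy \
| fields _time, client_ip, dest_ip, url_host \
| stats count AS events, \
        count(client_ip) AS with_client_ip, \
        count(dest_ip) AS with_dest_ip, \
        count(url_host) AS with_url_host

# Data Model Search style: the same check over the CIM Web data model.
# summariesonly=true reads only the accelerated summary, so zero results
# here usually means the data model is not accelerated yet.
[silent_push_check_datamodel_target_query]
description = Verify the Web data model exposes the fields to correlate
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = | tstats summariesonly=true count \
    FROM datamodel=Web \
    WHERE Web.url_domain=* OR Web.dest=* \
    BY Web.src, Web.dest, Web.url_domain \
| rename Web.* AS *
```

Place the stanzas in a savedsearches.conf of your own app (not inside the Silent Push app directory, so upgrades do not overwrite them), then run each from the Searches, Reports, and Alerts page. If the raw query shows events but the with_* counts are zero, the target field names are wrong for that source and the app's correlation would silently match nothing.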
Logging
Set the app's logging level:
Go to Configuration > Logging.
Select a log level: DEBUG, INFO (default), WARNING, or ERROR.
Logs are stored at $SPLUNK_HOME/var/log/splunk/ta_silent_push_*.log.
Dashboards
The Silent Push app includes dashboards for:
Indicators Overview: Track collected indicators over time.
Correlation Overview: Monitor matches between Silent Push feeds and Splunk events.
Enrichment: Perform real-time lookup using the Silent Push API.
Reputation: Explore reputation data for IPs, ASNs, nameservers, and subnets.
PADNS: Investigate domains via forward/reverse lookups, density lookups, and ASN associations.
Explore Web Data: Conduct live URL scans, capture screenshots, and search web scan data.
Lookups, Saved Searches, and Custom Commands
Lookups
silent_push_indicators_enrichment_domain: Domain enrichment data.
silent_push_indicators_enrichment_ip: IPv4/IPv6 enrichment data.
silent_push_matched_indicators_domain: Correlated domain indicators.
silent_push_matched_indicators_ip: Correlated IP indicators.
Saved Searches
Scheduled searches (detailed in the app's README.md) support:
Updating enrichment and correlation lookups.
Matching Splunk events with Silent Push indicators.
Generating notable events (with Splunk ES).
Custom Commands
Custom commands (listed in the app's README.md) enable:
On-demand correlation with Silent Push feeds.
Account usage queries.
PADNS lookups and web scans.
Enrichment for domains, IPs, subnets, and URLs.