Splunk SIEM


Requirements

In order to get started with the Silent Push app for Splunk, users must have the following:

  • Silent Push API Key: A valid API key from a Silent Push account.

  • Splunk Enterprise Version: The Splunk app is compatible with versions 9.0.x, 9.1.x, 9.2.x, and 9.3.x as well as Splunk Cloud.

  • OS: Platform independent.

Optional

  • Splunk Common Information Model (CIM): Required if indicators are to be matched against CIM data model events (the Data Model Search option in Correlation Settings).

  • Splunk Enterprise Security (ES): Can be used to create notable events based on correlations with Silent Push feeds.

Architecture and Deployment Methods

Standalone Instance

Install the Silent Push app for Splunk and follow the steps in the Configuration section below for App Setup. Once installed, a valid Silent Push API key can be added, along with optional proxy settings and preferred logging settings.

Distributed Environment

Install the Silent Push app on either a Heavy Forwarder or a Search Head, depending on your use case:

  • Heavy Forwarder: Install if you only need to collect and forward Silent Push enriched logs to your indexers.

  • Search Head: Install if you want to enable dashboards, correlation searches, and direct platform queries.

In Search Head Cluster environments, install the Silent Push app on all search heads but only configure one instance. App configurations will be replicated automatically using the KVStore.

Splunk Cloud

Install the app on your Splunk Cloud Search Head to enable correlation, search, and dashboards.

For data collection, configure the app either on a Splunk-managed IDM (Input Data Manager) or on an on-premises heavy forwarder.

Splunk Support can provide additional assistance with IDM configuration if needed.

Installing the Silent Push Integration for Splunk

You can install the Silent Push integration for Splunk by downloading the TA from SplunkBase or by installing directly from Splunk. To download from SplunkBase, navigate to the following link and download the TA: https://splunkbase.splunk.com/app/7440

The app can also be installed from within Splunk by selecting Apps and then Find More Apps in the top menu bar and searching for Silent Push.

Configuration

Account

Navigate to Configuration > Account
Enter your API Key and Account Name

Note: The account name is a unique name that is only referenced when using the Silent Push app for Splunk

Proxy

For on-prem Splunk instances a proxy can be configured in the app for the purpose of connecting to Silent Push, both for updating Threat Feeds and for running lookups in the app.

Navigate to Configuration > Account
Configure the proxy type (HTTP or SOCKS5), host, port, and optionally credentials if required.

Inputs

The inputs section allows you to specify which feeds to ingest into your Splunk instance. These can either be IOFA feeds or feeds that you have previously created in Silent Push.

Navigate to Inputs > Create New Input 

To configure the inputs, the following fields need to be added:

  • Name. A unique name for the feed in your Splunk environment.

  • Silent Push Account. Select the account to use when collecting data. If you have not configured a Silent Push account, see Account in the Configuration section.

  • Index. Optional; only needs to be configured if the Collection Type is set to index.

  • Interval. Default interval in seconds for downloading the feed.

  • Threat Intelligence Type. Leave set to Feed; Filter Profile is for legacy Silent Push customers.

  • Source UUID. The UUID of the feed to ingest. This can be found by filtering by the Feed Name and copying the UUID from the URL.

Correlation Settings

The correlation settings allow you to configure how Silent Push indicators are matched against your Splunk event data. You can select how the matching is performed based on your environment and the data structure.

To configure the correlation settings, first navigate to Configuration > Correlation Settings.

  • Enabled Indicator Types: Select the indicator types to use with correlation.

  • Search Matching Algorithm: Select the option that aligns with how you are ingesting data in your Splunk environment. Depending on your selection there will be different fields to further configure.

      • Raw Search: Performs direct field matching; best for custom data or non-CIM compliant data.

          • IP Target Query: Splunk query to retrieve events for IP indicator correlation.

          • IP Target Fields: List of event fields to match against IP indicators.

          • Domain Target Query: Splunk query to retrieve events for domain indicator correlation.

          • Domain Target Fields: List of event fields to match against domain indicators.

      • Data Model Search: Matches indicators against CIM data models.

          • Select Datamodels: Only configured if Data Model Search is set in the previous field. Choose which CIM data models you want to include for correlation.

Tip: Raw search will provide more flexibility while Data Model search results in faster performance with normalized data
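A worked illustration of what the Raw Search settings do, added here as an example and not the app's own code: the values of the configured IP Target Fields and Domain Target Fields are compared against the indicator set after normalisation. The indicator values, events, field names and the parent-domain matching are constructed assumptions for the example; the page does not state how the app itself normalises or matches.

```python
import ipaddress

# Constructed sample indicators, standing in for entries in the app's
# enrichment lookups (the key names here are assumptions, not the app's).
INDICATORS = {
    "ip": {"198.51.100.7", "2001:db8::1"},
    "domain": {"bad.example", "evil.example"},
}

# Constructed sample events, as a Raw Search target query might return them.
EVENTS = [
    {"_time": 1, "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "query": "ok.example"},
    {"_time": 2, "src_ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "query": "www.evil.example"},
    {"_time": 3, "src_ip": "10.0.0.9", "query": "EVIL.EXAMPLE."},
    {"_time": 4, "src_ip": "not-an-ip", "query": "ok.example"},
]

def normalize_ip(value):
    """Canonicalise IPv4/IPv6 text so '2001:0db8::0001' and '2001:db8::1' compare equal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None  # field holds something that is not an address

def normalize_domain(value):
    return value.strip().lower().rstrip(".")

def domain_candidates(fqdn):
    """Yield the name and each parent (never the bare TLD), so a subdomain can match a listed apex."""
    labels = normalize_domain(fqdn).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def correlate(events, indicators, ip_fields, domain_fields):
    """Return one match record per (event, target field) hit, like a matched-indicators lookup row."""
    ip_set = {normalize_ip(v) for v in indicators["ip"]} - {None}
    dom_set = {normalize_domain(v) for v in indicators["domain"]}
    matches = []
    for ev in events:
        for f in ip_fields:
            ip = normalize_ip(ev.get(f, ""))
            if ip in ip_set:
                matches.append({"type": "ip", "indicator": ip, "field": f, "_time": ev["_time"]})
        for f in domain_fields:
            for cand in domain_candidates(ev.get(f, "")):
                if cand in dom_set:
                    matches.append({"type": "domain", "indicator": cand, "field": f, "_time": ev["_time"]})
                    break  # record the most specific matching name only once per field
    return matches
```

With the constructed data, `correlate(EVENTS, INDICATORS, ["src_ip", "dest_ip"], ["query"])` yields four records: two IP hits (including the uncompressed IPv6 form) and two domain hits (including the upper-cased name with a trailing dot).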

Logging

The logging level for the app can be customized based on organizational requirements. To set the log level for the app:

Navigate to Configuration > Logging

Select the log level: DEBUG, INFO (default), WARNING, ERROR.
Logs are stored at: $SPLUNK_HOME/var/log/Splunk/ta_silent_push_*.log

Dashboards

Several dashboards are included within the Silent Push app that allow users to perform on-demand lookups, track feed ingestion, and monitor correlations with Splunk events. The available dashboards include:

  • Indicators Overview. View collected indicators over time.

  • Correlation Overview. Monitor matches between Silent Push feeds and Splunk event data.

  • Enrichment. Perform real-time lookups using the Silent Push APIs.

  • Reputation. Explore reputation data for IPs, ASNs, name servers, and subnets.

  • PADNS. Investigate domains using forward and reverse lookups, density lookups, and ASNs associated with a domain.

  • Explore Web Data. Perform live scans and capture screenshots of URLs, as well as search web scan data.

Lookups, Saved Searches, and Custom Commands

The Silent Push app installs a number of lookups, scheduled searches, and custom commands in order to support correlation and enrichment in Splunk.

Lookups

  • Silent_push_indicators_enrichment_domain: Enrichment data for domains.

  • Silent_push_indicators_enrichment_ip: Enrichment data for both IPv4 and IPv6 addresses.

  • Silent_push_matched_indicators_domain: Correlated domain indicators matched against Splunk events.

  • Silent_push_matched_indicators_ip: Correlated IP indicators matched against Splunk events.

Saved Searches

The full list of saved searches can be viewed in the app’s README.md file. Scheduled searches are used by the app to:

  • Populate and update enrichment and correlation lookups.

  • Match Splunk events with Silent Push indicators.

  • Generate notable events if used with Splunk Enterprise Security.

Custom Commands

Several custom commands are also added to enhance enrichment. A full list of custom commands is available in the app’s README.md file. They can be used to:

  • Perform on-demand correlation with Silent Push feeds.

  • Query account usage.

  • Run PADNS lookups and web scans.

  • Retrieve enrichment details for domains, IPs, subnets, and URLs.