Splunk - Silent Push Events Collector

Summary

The Silent Push Events Collector is a plugin developed by Silent Push intended to collect IoCs from the Silent Push App directly into your Splunk Enterprise instance.

The data will be collected according to the Filter Profiles created in Silent Push App:

splunkarch

Here's a quick tutorial video that explains the basics - https://www.silentpush.com/blog/threat-intelligence-app-for-splunk-now-available

Before you start

This guide is strictly for Splunk Enterprise users and assumes you have already the following to hand:

A Splunk Enterprise instance running.
The admin credential for it.
Your Splunk Base credentials.
A Silent Push account.
An active Filter Profile on the Silent Push app.

Installation

To install the Splunk Add-On:

Go to Menu > Apps > Find More Apps
Type Silent Push in the search box, and hit Enter
Locate Silent Push Events Collector
Click the Install button
Enter your Splunk Base credentials
Accept the terms and conditions
Click Enter

Configuration

Generating an API key

If you don't already have one, you’ll have to generate a Silent Push API key. To do so, follow these steps:

Navigate to Menu > Organization
Select the API Keys tab
Click on Add New API Key
Type a Nickname for your API Key (e.g. 'Splunk Add-on')
Select an Expiration date
Click Create
Your API Key should now appear in the list of keys
Copy it to your clipboard by clicking the Copy button

Adding your API key

Now that you have your Silent Push API Key, go back to your Splunk Enterprise instance, in the “Silent Push Events Collector” Add-on we just installed, follow these steps:

Navigate to Menu > Settings
Paste your Silent Push API Key, and save it
If succesfull, you'll receive a notification informing you that your API key has been saved.

Collecting data

After you have configured the Add-On, navigate to Filter Profiles in Splunk Enterprise.

Splunk will now display a list of Filter Profiles that you have configured within the Silent Push app.

The data will be collected automatically according to the periodicity defined in the Settings, although you have to define the Splunk index which the data will be pulled into, for this just simply select the required index:

splunk_indexes

You can manually pull data by clicking the Pull button.

If the sync has worked, after pulling the data button, your index will be populated with the IoCs contained within the associated Silent Push Filter Profile.

To check the index:

Navigate to Search & Reporting
Type index=“yourindexname”
Select All time (real-time) next to the Search icon, as shown below:

Two new adaptive response actions

If you have a Splunk Enterprise Security subscription, you also have two new Adaptive Response Actions:

Silent Push - Enriching (enriches the notable with Silent Push contextual data)
Silent Push - Scoring (re-scores the notable through Silent Push, only when the notable score is lower than Silent Push score)

Adaptive Response - Enriching

This action will enrich the notable with Silent Push contextual data, such as AS Name, subnet etc.

To enrich your notable through Silent Push, follow these steps in Splunk Enterprise Security

Navigate to Incident Review
Expand the notable you'd like to enrich
In the Actions column, click on the dropdown button and then Run Adaptive Response Actions
Inside the modal window, choose Silent Push - Enriching, and click Run
Close the modal window
In the notables expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)
Click on the Silent Push - Enriching action you just ran
Another tab will open showing your action's details (you may need to change the time window on the right hand side dropdown)
Expand the action details to see the Silent Push enriched data, prefixed by _SP

This is the adaptive response:
splunk_adaptiveresponse
This is the enriched data, after the adaptive response is run:
splunk_outputtedata

Adaptive Response - Scoring

This action re-scoresthe risk object through Silent Push, but only when the risk object score is lower than Silent Push score.

To re-score your notable through Silent Push in Splunk Enterprise, follow these steps:

Navigate to Incident Review
Expand the notable you want to re-score
In the Actions column, click on the dropdown button and then Run Adaptive Response Actions
Inside the modal window, choose Silent Push - Scoring and click the Run button
Close the modal window
In the notable expanded details, you should see your action in the Adaptive Responses table (you may need to refresh it)
Click on the Silent Push - Scoring action you just ran
Another tab should open showing your action details (you may need to change the time window on the right-hand dropdown menu)
If you expand the action details, you should see something like:

newriskscore = 90
annotations.all = winning risk factor: asntakedownreputation
annotations.frameworks = Silent Push

This is what the re-scored data should look like:
splunk_rescoreddata

You can also view additional details on the Risk Analysis dashboard:
splunk_riskanalysis

Obtaining live WHOIS data

You're also able to add the most recent WHOIS data to a domain notable:

Navigate to Incident Review
Expand the domain notable in question
In the Actions column, click the dropdown button and then Run Adaptive Response Actions
Inside the modal window, choose Silent Push - Who Is Live Information and click Run
Close the modal window
In the notables expanded details, you'll see your action in the Adaptive Responses table (you may need to refresh it)
Click on the Silent Push - Who Is Live Information
Another tab will open showing your action details (you may need to change the time window on the right-hand dropdown menu)
Expand the action details to see the Silent Push Who Is data prefixed by _SP

This is what the response looks like:
splunk_whosresponse
This is the outputted WHOS data, once the adaptive response has been run:
splunk_whosidata

Silent Push Knowledge Base

Splunk Integration