Integrate ASMS with Splunk (2024)

The AlgoSec Splunk App V2 for Security Incident Response provides the ability to better analyze security incidents, understand their impact, and quickly accomplish remediation.

Note: See the AlgoSec Splunk App V2 page on Splunkbase for product compatibility details and download.

Install the AlgoSec App

Do the following:

  1. Download the AlgoSec Splunk App V2 from the AlgoSec Splunk App V2 page on Splunkbase.
  2. Configure the AlgoSec App V2, by doing the following:

    1. Under Manage Applications look for the AlgoSec App line and click set up.
    2. Provide the AlgoSec server IP Address, username and password.

The AlgoSec Incident Response App is now ready for use.

View business impact and internet exposure data

The AlgoSec App V2 provides the ability to retrieve business application information and internet exposure information for a specific server. This information includes:

Business Application context from AlgoSec AppViz

Names of affected applications, indication as to whether the application is critical, and more details about the applications, including a link to the AppViz Web Interface with a list of the relevant applications.

Network Connectivity (exposure to the Internet)

AlgoSec Traffic Simulation Query results indicating whether the server is open to the Internet.

Do either of the following:

  • View business impact and internet exposure information from the IP address
  • View business impact and internet exposure information directly from the App

Note: Accessing the App from the IP address will pre-populate the server field.

View business impact and internet exposure information from the IP address

Do the following:

  1. Search the logs for the desired IP address.
  2. Click the Actions arrow for the desired IP, and select one of the following options in the menu:

    • Find Affected Business Applications. Choose this option to link directly to AppViz to view a list of affected applications along with all of the information AppViz provides.
    • Analyze in AlgoSec Incident Analysis. Choose this option to view business context information and internet exposure information from the Security Incident Analysis tab of the App.

Details shown include:

Business Impact area

The Business Impact area includes:

  • A list of affected applications.
  • A notification indicating whether any of the affected applications are a part of a critical process.
  • A link to the list of affected applications in AppViz in the More details field.

Exposure to the Internet area

The Exposure to the Internet area includes:

  • Information about the connectivity between the server and the internet.
  • A link to the specifics of the traffic query in AFA in the More details field.

View business impact and internet exposure information directly from the App

Do the following:

  1. Click on the AlgoSec Security Handling App.

  2. Go to the Security Incident Analysis tab in the AlgoSec App. This is the home page by default.

  3. In the Server IP field, type the IP address of the server.

  4. Click Submit.

Information about the server appears:

Business Impact area

The Business Impact area includes:

  • A list of affected applications.
  • A notification indicating whether any of the affected applications are a part of a critical process.
  • A link to the list of affected applications in AppViz in the More details field.

Exposure to the Internet area

The Exposure to the Internet area includes:

  • Information about the connectivity between the server and the internet.
  • A link to the specifics of the traffic query in AFA in the More details field.

Isolate a server

You can open a FireFlow change request to block all traffic to and from a risky server.

To customize the change request, see Customize the Isolate Server change request.

Do one of the following:

  • Isolate a server from the IP address
  • Isolate a server directly from the App

Note: Accessing the App from the IP address will pre-populate the server field.

Isolate a server from the IP address

Do the following:

  1. Search the logs for the desired IP address.

  2. Click the Actions arrow for the desired IP, and select Isolate server from the network.

    A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. The Security Incident Response tab appears with a link to the change request in FireFlow, allowing you to track implementation progress.

Isolate a server directly from the App

Do the following:

  1. Click on the AlgoSec Security Handling App.
  2. Click on the Security Incident Response tab in the AlgoSec App.

  3. Complete the IP of Server to Isolate, Change Request Title, and Details fields.

  4. Click Submit.

A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. A link to the change request appears in the page to allow you to track implementation progress.

Customize the AlgoSec App

The AlgoSec App supports the following customizations:

  • Customize the fields supporting AlgoSec workflow actions
  • Configure the 'Find Affected Business Applications' workflow action
  • Customize the Isolate Server change request
  • Customize the parameters used to calculate internet exposure
  • Customize the conditions for Business Application Criticality

Customize the fields supporting AlgoSec workflow actions

Do the following:

  1. Go to Settings -> Fields and choose Workflow actions.
  2. Click one of the AlgoSec actions (ABFAppLookup, algosec_incident_analysis, algosec_isolate_server) and add the needed field names under Apply only to the following fields.

  3. Click Save.

  4. Repeat for the other actions, as desired.

Configure the 'Find Affected Business Applications' workflow action

In order to use the Find Affected Business Applications action, you must configure the App with the IP address of your AlgoSec server.

Do the following:

  1. Go to Settings -> Fields and choose Workflow actions.

  2. Choose ABFAppLookup.

  3. Update the URL field with your AlgoSec Server IP address.

Customize the parameters used to calculate internet exposure

The Security Incident Analysis page includes a box which details Exposure to the Internet. This information is based on traffic simulation query results performed by AlgoSec Firewall Analyzer. By default, the query runs with the chosen IP address as the source, '8.8.8.8' (representing the Internet) as the destination, and 'any' as the service.

If desired, you can customize these parameters. For example, you may want to check connectivity from the internet to the chosen server, you may want to choose a different IP address to represent the Internet, or you may want to check the connectivity for other areas of the network (critical internal networks, etc.).

Do the following:

  1. Open the AlgoSec App, choose Edit, and then click Edit Source (XML).

  2. Scroll down to the last panel and edit the following line to represent the traffic simulation query you prefer.

    <query>| afaquery src="$ip$" dst="8.8.8.8"</query>

  3. To add additional queries, do the following:

    1. Duplicate the panel by copying all the lines from the <panel> start tag to its end </panel>.
    2. Modify the panels to represent the traffic simulation queries you prefer.

  4. Click Save.

Customize the Isolate Server change request

By default, the Isolate Server function creates a change request with two traffic lines: one line blocks traffic from the chosen server to 'any' with 'any' service, and the other blocks traffic from 'any' to the chosen server with 'any' service. If desired, you can customize these parameters by editing the 'isolate server' script.

Do the following:

  1. Go to the following path in your Splunk server file system: \etc\apps\TA-AlgoSec_Incident_Handling\bin

  2. Find AFFIsolateServer.py.

  3. Edit the script and change the parameters per your needs.
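The following is an added example, not AlgoSec's own AFFIsolateServer.py: it models the two default traffic lines described above and shows how a narrowed variant (specific services, a single direction, a peer subnet instead of 'any') would be built. The field names and the host-address check are this example's assumptions, not FireFlow's request format.

```python
"""Added example (not AlgoSec code): build the traffic lines of an
'isolate server' change request, default and customized."""
import ipaddress
from typing import Dict, List, Sequence


def is_single_host(value: str) -> bool:
    """True only for a single IPv4/IPv6 host address (no CIDR, no junk).

    The IP arrives from a Splunk log field, so it is validated before it is
    placed in a change request that a firewall operator will implement.
    """
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def build_isolation_lines(server_ip: str,
                          services: Sequence[str] = ("any",),
                          peer: str = "any",
                          directions: Sequence[str] = ("outbound", "inbound"),
                          ) -> List[Dict[str, str]]:
    """Return the traffic lines for the request.

    With the defaults this reproduces the two lines the App creates:
    server -> any / any and any -> server / any. Passing explicit services,
    a peer network or a single direction yields a customized request.
    Field names ("source", "destination", "service", "action") are this
    example's assumption about the request structure.
    """
    if not is_single_host(server_ip):
        raise ValueError(f"not a single host address: {server_ip!r}")
    host = str(ipaddress.ip_address(server_ip.strip()))
    lines: List[Dict[str, str]] = []
    for svc in services:
        if "outbound" in directions:
            lines.append({"source": host, "destination": peer,
                          "service": svc, "action": "drop"})
        if "inbound" in directions:
            lines.append({"source": peer, "destination": host,
                          "service": svc, "action": "drop"})
    return lines


if __name__ == "__main__":
    # Constructed sample input: a server flagged in an incident.
    for line in build_isolation_lines("10.1.2.3"):
        print(line)
```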

Customize the conditions for Business Application Criticality

By default, a business application is marked as critical when one of the affected applications has the 'critical' label. If desired, you can specify different conditions, by editing the relevant script. Similarly, you can also extract additional information from AppViz (e.g. technical contacts/owners of the affected applications).

Do the following:

  1. Go to the following path in your Splunk server file system: \etc\apps\TA-AlgoSec_Incident_Handling\bin

  2. Find ABFSearch.py.

  3. Edit the script as desired.
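The following is an added example, not AlgoSec's ABFSearch.py: it implements the default criticality rule ("any affected application carries the 'critical' label"), a customized rule over a configurable label set, and the extraction of technical contacts, all over constructed records. The record fields ("name", "labels", "contacts") are this example's assumptions about the AppViz data, not the real API schema.

```python
"""Added example (not AlgoSec code): criticality rules and contact extraction
over constructed AppViz-like application records."""
from typing import Dict, Iterable, List, Sequence

# Constructed sample records; field names are this example's own assumptions.
SAMPLE_APPS: List[Dict] = [
    {"name": "Payroll", "labels": ["finance", "critical"],
     "contacts": ["payroll-owner@example.com"]},
    {"name": "Wiki", "labels": ["internal"], "contacts": []},
    {"name": "Billing", "labels": ["finance", "pci"],
     "contacts": ["billing-team@example.com", "payroll-owner@example.com"]},
]


def is_critical_default(apps: Iterable[Dict]) -> bool:
    """Default rule: at least one affected application has the 'critical' label."""
    return any("critical" in app.get("labels", []) for app in apps)


def is_critical_by_labels(apps: Iterable[Dict],
                          critical_labels: Sequence[str] = ("critical", "pci")) -> bool:
    """Customized rule: any label from a configurable set marks the incident critical."""
    wanted = set(critical_labels)
    return any(wanted.intersection(app.get("labels", [])) for app in apps)


def technical_contacts(apps: Iterable[Dict]) -> List[str]:
    """Additional information pulled from the same records: de-duplicated
    owner/technical contacts, in first-seen order."""
    seen, out = set(), []
    for app in apps:
        for contact in app.get("contacts", []):
            if contact not in seen:
                seen.add(contact)
                out.append(contact)
    return out


def summarize(apps: List[Dict], critical_labels: Sequence[str] = ("critical",)) -> Dict:
    """What a Business Impact panel would need: names, criticality, contacts."""
    return {
        "affected": [app["name"] for app in apps],
        "critical": is_critical_by_labels(apps, critical_labels),
        "contacts": technical_contacts(apps),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_APPS))
```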

AlgoSec features in other Splunk apps

AlgoSec capabilities can be activated from within other Splunk Apps (built-in or custom) by using the Workflow Actions. By default, these actions will appear in the Action menus of IP addresses in the following field names:

  • source_ip
  • dest_ip
  • ip
  • src_ip
  • dst_ip
  • source
  • destination
  • server_ip

The IP address from the chosen field will be automatically populated in the AlgoSec App pages. For more details, see Customize the fields supporting AlgoSec workflow actions.

In addition, the workflow actions also include the pre-defined Find Affected Business Applications (AlgoSec) action. Clicking on it will open an AlgoSec AppViz window with a list of all the business applications affected by the chosen IP address. For more details, see Configure the 'Find Affected Business Applications' workflow action.

You can pick and choose AlgoSec functionality, customize it, and incorporate it in your own custom Splunk Apps.

Do the following:

  1. Copy the relevant configuration parameters to your Splunk App (AlgoSec server IP, username/password, etc.).
  2. Copy the scripts and panels to your own Splunk Apps.

Tip: You can also use the scripts in the AlgoSec App as a reference.



Article information

Author: Nathanael Baumbach
