SecOps has been able to integrate with Splunk out of the box (OOTB) since SecOps 1.1 via the RCF; however, the method for integrating with Splunk has not changed. To be more specific, the integration files currently used to send Splunk alerts in CEF format to SecOps 1.3.x via the UCF have not changed since the SecOps 1.1 days. The currently documented Splunk integration method, as outlined in the RSA SecOps 1.3 Splunk Implementation Guide, still works, is stable and, more importantly, is still supported. The only wrinkle with the current method is that it will not easily work in a Splunk "clustered" environment. Fortunately, there is a solution.
There is a Splunk app, available free to Splunk customers, called the Splunk App for CEF, which has been around for quite some time; as of November 2016, version 2 of the app was released. As described by Splunk:
"The Splunk App for CEF enables you to aggregate and augment Splunk Enterprise events, transforming them into the Common Event Format (CEF), an open log management standard. The Splunk App for CEF is for users of applications such as HP ArcSight who want to take advantage of the unique capabilities possible with the Splunk platform, including its raw data indexing, add-ons, and data models, to transform raw data before sending it to a CEF-compatible application.
The Splunk App for CEF produces output that consists of your search results reformatted into the Common Event Format. You can then use the CEF output for further processing in compatible applications such as HP ArcSight."
The app essentially performs the exact same function as our current integration method, and then some. More importantly, it is supported on both clustered and non-clustered Splunk environments, is installed via the Splunk UI, and is "fully" supported by Splunk. By leveraging the Splunk App for CEF, all that is needed for a SecOps Splunk integration to work is to map Splunk field names to CEF field names (within the app) and to give the Splunk administrator the IP/hostname of the UCF server and the UCF port configured to receive syslog. No additional configuration work needs to be done on the UCF/SecOps side, unless additional alert meta from Splunk needs to be mapped.
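To make the field mapping concrete, the following added Python example (not code from the Splunk App for CEF, RSA, or the original discussion) shows what the app does with a search result: it takes a flat Splunk event, a Splunk-field-to-CEF-key mapping, and a fixed CEF header, and renders the CEF line that would be carried in the syslog payload to the UCF. It applies the CEF escaping rules (backslash and pipe in the header; backslash, equals sign and line breaks in the extension) and includes a small parser so you can check what the UCF receiver will see before pointing Splunk at it. The sample event, the header values, the signature ID and the field mapping are all constructed for illustration; the CEF extension keys used (`src`, `dst`, `suser`, `msg`, `rt`) are standard CEF dictionary names.

```python
"""Render a Splunk search result as a CEF line and parse it back (added example).

The header/event values below are constructed for illustration; they are not
taken from any real Splunk deployment or from the Splunk App for CEF.
"""
import re
from typing import Dict, List, Tuple

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_VERSION = "0"
HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")


def _escape_header(value) -> str:
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    """Extension values: backslash and '=' are escaped, line breaks become \\n / \\r."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def splunk_event_to_cef(event: Dict[str, object], header: Dict[str, object],
                        field_map: Dict[str, str]) -> str:
    """Build one CEF line.

    event:     flat dict of Splunk field -> value (one search result row)
    header:    vendor/product/version/signature_id/name/severity for the CEF header
    field_map: Splunk field name -> CEF extension key, e.g. {"src_ip": "src"};
               this is the mapping an administrator configures in the app.
    Fields that are missing or empty in the event are simply left out.
    """
    parts = [f"CEF:{CEF_VERSION}"] + [_escape_header(header[k]) for k in HEADER_KEYS]
    extension = [f"{cef_key}={_escape_extension(event[splunk_field])}"
                 for splunk_field, cef_key in field_map.items()
                 if event.get(splunk_field) not in (None, "")]
    return "|".join(parts) + "|" + " ".join(extension)


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its 7 header fields and an extension dict, honouring escapes."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:        # header: split on unescaped pipes
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("CEF line does not have 7 header fields")
    # extension: key=value pairs; values may contain spaces and escaped '='
    pairs = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)", line[i:])
    return fields, {k: _unescape(v) for k, v in pairs}


# Constructed sample: one row of a Splunk alert search (not real data).
SAMPLE_EVENT = {
    "_time": "2016-11-10T14:22:05Z",
    "src_ip": "10.0.0.5",
    "dest_ip": "192.0.2.10",
    "user": "alice",
    "message": "5 failed logins in 60s from host=ws01",   # contains '=' to exercise escaping
    "unmapped_field": "ignored",
}
SAMPLE_HEADER = {
    "vendor": "Splunk", "product": "Splunk Enterprise", "version": "6.5",
    "signature_id": "SPLUNK-AUTH-001",                     # hypothetical signature id
    "name": "Failed logins | threshold exceeded",          # contains '|' to exercise escaping
    "severity": 7,
}
SAMPLE_FIELD_MAP = {"src_ip": "src", "dest_ip": "dst", "user": "suser",
                    "message": "msg", "_time": "rt"}


def demo() -> str:
    """Render the sample event and verify it round-trips through the parser."""
    line = splunk_event_to_cef(SAMPLE_EVENT, SAMPLE_HEADER, SAMPLE_FIELD_MAP)
    fields, ext = parse_cef(line)
    assert fields[5] == SAMPLE_HEADER["name"] and ext["msg"] == SAMPLE_EVENT["message"]
    return line


if __name__ == "__main__":
    print(demo())
```

The rendered line is exactly the text that travels inside the syslog message to the UCF port; anything you add to the mapping in the app appears as another `key=value` pair in the extension, which is why extra Splunk meta only needs a mapping change on the UCF/SecOps side.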
One additional point regarding installation: the Splunk App for CEF needs to be deployed to "every" Splunk Search Indexer.
This document was generated from the following discussion: CIBR/SecOps - Splunk Integration