HTTP Reporting Splunk
  • 30 Mar 2021

Setting up Splunk as a HTTP SIEM Integration

The Process element has been updated in version 2.14 to include much more detail regarding the application. This change may impact reports and alerts. Please make the necessary updates.

Previously, the Detail JSON looked something like the following, depending on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"/Users/peter/Downloads/system 2.log", "process":"applicaton_name_here"}"}

Starting in version 2.14, the Detail JSON looks something like the following, depending on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"\/Users\/username\/Pictures\/Backgrounds\/IMG_1900.JPG", "process":{"name":"dock","impname":"dock","ver":"2092.20.9","cert":{"status":"Trusted","certHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx","signHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxx","serial":"YYYYYYYYYYYYYYYY","desc":"Dock","prod":"Dock","inner":"com.apple.dock","strong":"com.apple.dock","original":"com.apple.dock","executable":"file:\/\/\/System\/Library\/CoreServices\/Dock.app\/Contents\/MacOS\/Dock","publisher":"Software Signing","signers":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}"}

SecureCircle will output detailed server and usage logs to any SIEM or Syslog aggregator. This document gives examples of how to set up SecureCircle with Splunk; however, these general steps can be applied to any SIEM.

Configuring Splunk Data Input

In the Splunk admin UI, click Settings in the top navigation bar, then click Data Inputs, and then click HTTP Event Collector.


In the upper right, click Global Settings to edit and save the global configuration. SecureCircle does not require any changes from the default settings, but make sure the Enable SSL and HTTP Port Number settings are updated if needed.


Click New Token in the upper right to enter a multi-step configuration wizard.

Select Source: Enter a name for the token. All remaining settings are optional and can be left at their default values.

Input Settings:
Source Type = automatic
App context = Search & Reporting (search)
Index = select the index where incoming data will be stored. Create a new index if required.

Review:
Verify the configuration and click Submit.


After completing the Data Input wizard for HTTP Event Collector, a new token will be generated.

Configuring SecureCircle Output

In the SecureCircle admin UI, go to Configurations > Integrations > SIEM in the left navigation menu. For new integrations, click Add Server.

Click HTTP and enter all the required information. Example names, ports, and domains are used below.

Field Name         Value
Name               Splunk HTTP
Host               splunk.securecircle.com
Port               8088
Path               /services/collector
Message Pattern    {"sourcetype": "_json", "host": "splunk.securecircle.com", "event": %s}

Header Information
Content-Type       application/json
Authorization      Splunk b7ae6510-977e-46d7-876f-d1ce9fee1f75

For the Authorization header, use the value 'Splunk <token>', where <token> is the token created in the earlier step.
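The following is an added example, not code from SecureCircle or the original article. It shows both halves of what this page describes: how an alert can read the Detail JSON whether "process" arrives as a pre-2.14 string or a 2.14+ object, and how the Message Pattern and Authorization header above translate into a single HEC request. The sample events, the token placeholder, and the host/port values are constructed assumptions; nothing is sent over the network.

```python
import json

# Constructed sample events (not taken from the page). Splunk receives the
# SecureCircle Detail JSON as a string inside the "message" field.
OLD_EVENT = {"message": json.dumps({
    "fid": "{00000000-0000-0000-0000-000000000000}",
    "path": "/Users/peter/Downloads/system 2.log",
    "process": "application_name_here"})}
NEW_EVENT = {"message": json.dumps({
    "fid": "{00000000-0000-0000-0000-000000000000}",
    "path": "/Users/username/Pictures/Backgrounds/IMG_1900.JPG",
    "process": {"name": "dock", "impname": "dock", "ver": "2092.20.9",
                "cert": {"status": "Trusted", "publisher": "Software Signing",
                         "signers": ["Software Signing", "Apple Root CA"]}}})}


def normalize(event):
    """Flatten one event into the fields an alert keys on, whichever layout
    the agent sent: pre-2.14 'process' is a string, 2.14+ it is an object."""
    detail = json.loads(event["message"])
    proc = detail.get("process")
    out = {"fid": detail.get("fid"), "path": detail.get("path"),
           "process_name": None, "process_version": None,
           "cert_status": None, "publisher": None}
    if isinstance(proc, str):                 # pre-2.14 layout
        out["process_name"] = proc
    elif isinstance(proc, dict):              # 2.14+ layout
        cert = proc.get("cert") or {}
        out.update(process_name=proc.get("name"), process_version=proc.get("ver"),
                   cert_status=cert.get("status"), publisher=cert.get("publisher"))
    return out


def hec_request(event, token, host="splunk.securecircle.com", port=8088):
    """Build the HEC call the integration on this page makes: the Message
    Pattern envelope as the body and 'Splunk <token>' as the Authorization
    header. Nothing is sent; hand the result to any HTTP client."""
    body = {"sourcetype": "_json", "host": host, "event": event}
    return {"url": f"https://{host}:{port}/services/collector",
            "headers": {"Content-Type": "application/json",
                        "Authorization": f"Splunk {token}"},
            "body": json.dumps(body)}
```

An alert that previously matched on the bare "process" string should key on process_name instead, so it keeps firing after the agent upgrade.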


When completed, the Splunk HTTP entry will appear in your SIEM integration list.
