HTTP Reporting Splunk
- Updated on 30 Mar 2021
Setting up Splunk as an HTTP SIEM Integration
Before version 2.14, the Detail JSON carried in the event's message field looked like the example below. The message value is itself a JSON-encoded string; its inner quotes are shown unescaped here for readability.
{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"/Users/peter/Downloads/system 2.log", "process":"application_name_here"}"}
Starting in version 2.14, the process field is an object rather than a bare process name and carries the code-signing details of the process (version, certificate status, bundle identifier, executable path and signer chain), so the Detail JSON looks like the example below.
{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"\/Users\/username\/Pictures\/Backgrounds\/IMG_1900.JPG", "process":{"name":"dock","impname":"dock","ver":"2092.20.9","cert":{"status":"Trusted","certHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx","signHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxx","serial":"YYYYYYYYYYYYYYYY","desc":"Dock","prod":"Dock","inner":"com.apple.dock","strong":"com.apple.dock","original":"com.apple.dock","executable":"file:\/\/\/System\/Library\/CoreServices\/Dock.app\/Contents\/MacOS\/Dock","publisher":"Software Signing","signers":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}"}
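Because the process field changed shape in 2.14, anything consuming these events on the Splunk side has to accept both forms. The following is an added example, not SecureCircle's or Splunk's own code: it decodes the nested message string, normalises the legacy (string) and 2.14+ (object) process fields into one record, and flags events whose process is not provably signed by a trusted chain. The sample events are constructed from the two shapes above (hash and serial placeholders shortened); the unsigned-helper event, the signing_status labels and the rule that any status other than "Trusted" counts as untrusted are assumptions made for the example.

```python
"""Parse SecureCircle Detail JSON events and normalise the pre-2.14 and 2.14+ process formats."""
import json

# Constructed sample Detail JSON, modelled on the two shapes shown above (hash and serial
# placeholders shortened). On the wire the "message" value is itself a JSON-encoded string,
# so json.dumps is applied twice to reproduce that nesting.
LEGACY_DETAIL = {
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/peter/Downloads/system 2.log",
    "process": "application_name_here",
}
V214_DETAIL = {
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/username/Pictures/Backgrounds/IMG_1900.JPG",
    "process": {
        "name": "dock", "impname": "dock", "ver": "2092.20.9",
        "cert": {
            "status": "Trusted", "certHash": "xxxx", "signHash": "xxxx", "serial": "YYYY",
            "desc": "Dock", "prod": "Dock", "inner": "com.apple.dock",
            "strong": "com.apple.dock", "original": "com.apple.dock",
            "executable": "file:///System/Library/CoreServices/Dock.app/Contents/MacOS/Dock",
            "publisher": "Software Signing",
            "signers": ["Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA"],
        },
    },
}
# Hypothetical 2.14+ event for an unsigned binary (no cert block). The page does not show
# this case; it is assumed here to exercise the failure path.
UNSIGNED_DETAIL = {
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/tmp/build/unsigned-helper",
    "process": {"name": "unsigned-helper", "impname": "unsigned-helper", "ver": "0.1"},
}
SAMPLE_EVENTS = [json.dumps({"message": json.dumps(d)})
                 for d in (LEGACY_DETAIL, V214_DETAIL, UNSIGNED_DETAIL)]


def parse_detail(raw_event: str) -> dict:
    """Return the inner Detail JSON from one raw event line."""
    message = json.loads(raw_event)["message"]
    # Tolerate a collector that has already decoded the inner string.
    return message if isinstance(message, dict) else json.loads(message)


def normalise_process(detail: dict) -> dict:
    """Map either process shape onto one record so downstream searches need only one schema."""
    proc = detail.get("process")
    if isinstance(proc, str):
        # Pre-2.14: only the process name is present, so signing cannot be assessed.
        return {"format": "legacy", "name": proc, "version": None, "bundle_id": None,
                "root_ca": None, "signing_status": "unknown"}
    cert = proc.get("cert") or {}
    signers = cert.get("signers") or []
    if not signers:
        status = "unsigned"
    elif cert.get("status") == "Trusted":
        status = "trusted"
    else:
        status = "untrusted"  # assumption: anything other than "Trusted" is untrusted
    return {"format": "2.14+", "name": proc.get("name"), "version": proc.get("ver"),
            "bundle_id": cert.get("inner"), "root_ca": signers[-1] if signers else None,
            "signing_status": status}


def triage(raw_event: str) -> dict:
    """Flatten one event and flag anything not provably signed by a trusted chain."""
    detail = parse_detail(raw_event)
    proc = normalise_process(detail)
    return {"fid": detail.get("fid"), "path": detail.get("path"), "process": proc,
            "needs_review": proc["signing_status"] != "trusted"}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(json.dumps(triage(line), indent=2))
```

Legacy events are flagged for review because they carry no signing information at all, which is the practical reason to move collectors to the 2.14 format rather than treating the two as equivalent.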
SecureCircle will output detailed server and usage logs to any SIEM or Syslog aggregator. This document shows how to set up SecureCircle with Splunk over HTTP, but the same general steps apply to any SIEM that accepts events over HTTP.
Configuring Splunk Data Input
In the Splunk admin UI, click Settings in the top navigation bar, then Data Inputs, then HTTP Event Collector.
In the upper right, click Global Settings to review and save the global configuration. SecureCircle does not require any changes from the default settings, but make sure All Tokens is enabled (HEC is disabled until it is) and note the Enable SSL and HTTP Port Number values (default 8088): the scheme and port you enter in SecureCircle later must match them. If Enable SSL is on, Splunk presents its own self-signed certificate unless you have installed a CA-issued one, and SecureCircle must be able to validate whichever certificate is in use.
Click New Token in the upper right to enter a multi-step configuration wizard.
Select Source: Enter a name for the token. All remaining settings are optional and can be left at their default values.
Input Settings:
Source Type = automatic
App context = Search & Reporting (search)
Index = select the index where incoming data will be stored. Create a new index if required.
Review:
Verify configuration and click Submit
After completing the Data Input wizard for HTTP Event Collector, a new token value is generated. Copy it; it is needed for the Authorization header in the next section.
Configuring SecureCircle Output
In the SecureCircle admin UI, go to Configurations > Integrations > SIEM on the left navigation menu. For a new integration, click Add Server.
Click HTTP and enter the required information. Example names, ports, and domains are used below.
| Field Name | Value |
|---|---|
| Name | Splunk HTTP |
| Host | splunk.securecircle.com |
| Port | 8088 |
| Path | /services/collector |
| Message Pattern | {"sourcetype": "_json", "host": "splunk.securecircle.com", "event": %s} |
| Header Information | |
| Content-Type | application/json |
| Authorization | Splunk b7ae6510-977e-46d7-876f-d1ce9fee1f75 |
In the Message Pattern, %s is the placeholder that SecureCircle fills with the event JSON; the surrounding object must remain valid JSON after that substitution or HEC will reject the request. For the Authorization header, use the word Splunk, a space, and the token generated in the earlier step; the token shown in the table is only an example.
When saved, the Splunk HTTP entry appears in your SIEM integration list.
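Before relying on the integration, it is worth reproducing the request SecureCircle will send and confirming that HEC accepts it. The following is an added example, not SecureCircle's or Splunk's own code: it builds the HEC URL, headers and body from the table above, pre-flights the Message Pattern and Authorization header, and can post one constructed test event to the collector. The substitution of %s with the event JSON is assumed from the pattern's shape; the function names (hec_url, render_body, validate_pattern, check_auth_header, send) and the abbreviated sample event are choices made for this example.

```python
"""Reproduce and pre-flight the HEC request that the SecureCircle SIEM HTTP entry produces."""
import json
import ssl
import urllib.request

# Values copied from the integration table above (the token is the page's example value).
SIEM_CONFIG = {
    "host": "splunk.securecircle.com",
    "port": 8088,
    "path": "/services/collector",
    "message_pattern": '{"sourcetype": "_json", "host": "splunk.securecircle.com", "event": %s}',
    "headers": {
        "Content-Type": "application/json",
        "Authorization": "Splunk b7ae6510-977e-46d7-876f-d1ce9fee1f75",
    },
}

# Constructed, abbreviated 2.14+ Detail JSON event; the "message" value is a JSON string.
SAMPLE_EVENT = {"message": json.dumps({
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/username/Pictures/Backgrounds/IMG_1900.JPG",
    "process": {"name": "dock", "ver": "2092.20.9", "cert": {"status": "Trusted"}},
})}


def hec_url(cfg: dict, use_ssl: bool = True) -> str:
    """The scheme must match the Enable SSL setting under HEC Global Settings."""
    return f"{'https' if use_ssl else 'http'}://{cfg['host']}:{cfg['port']}{cfg['path']}"


def render_body(cfg: dict, event: dict) -> str:
    """Substitute the event JSON for the %s placeholder (assumed semantics of Message Pattern).
    Only the first %s is replaced so a stray %s later in the pattern cannot duplicate the event."""
    return cfg["message_pattern"].replace("%s", json.dumps(event), 1)


def decode_body(body: str) -> dict:
    """What HEC will parse; raises ValueError for a malformed pattern, which HEC answers with HTTP 400."""
    return json.loads(body)


def validate_pattern(pattern: str) -> bool:
    """Pre-flight the Message Pattern before saving it in the SecureCircle UI."""
    probe = {"message": "{}"}
    try:
        rendered = json.loads(pattern.replace("%s", json.dumps(probe), 1))
    except ValueError:
        return False
    # HEC needs an "event" member, and the probe must survive the substitution intact.
    return isinstance(rendered, dict) and rendered.get("event") == probe


def check_auth_header(cfg: dict) -> bool:
    """HEC expects 'Splunk <token>', where the token is the UUID generated with the HEC token."""
    scheme, _, token = cfg["headers"].get("Authorization", "").partition(" ")
    return scheme == "Splunk" and len(token) == 36 and token.count("-") == 4


def send(cfg: dict, event: dict, verify_tls: bool = True) -> dict:
    """POST one event to HEC and return its JSON reply ({"text": "Success", "code": 0} when accepted).
    verify_tls=False is only for a lab HEC still serving Splunk's self-signed default certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(hec_url(cfg), data=render_body(cfg, event).encode("utf-8"),
                                 headers=cfg["headers"], method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    assert validate_pattern(SIEM_CONFIG["message_pattern"]) and check_auth_header(SIEM_CONFIG)
    print(hec_url(SIEM_CONFIG))
    print(render_body(SIEM_CONFIG, SAMPLE_EVENT))
    # Uncomment once the HEC token exists; expect {"text": "Success", "code": 0}.
    # print(send(SIEM_CONFIG, SAMPLE_EVENT))
```

Run it against a real token with the send call enabled; a reply other than code 0 (for example a 401 for a wrong or disabled token, or a 400 for a body that is not valid JSON) points at the Splunk side, which is easier to diagnose here than from SecureCircle's integration list.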