
Interpres Application - Splunk Enterprise Security

  • Type: SIEM/Data Lake
  • Vendor: Splunk

The Splunk Enterprise Security app runs pre-defined Splunk searches to collect the available telemetry, triggered alerts, the formatted asset list, and detections from Splunk.

Vendor setup

You can choose between one of these two authentication options:

  1. Service account
    • In Settings->Users, create a user with the access needed to make REST queries, run searches, and read the Splunk ES asset list. Note down the username and password for this service account.
    • Make sure the service account can search the internal indexes and the Windows indexes.
  2. API token
    • In Settings->Tokens->New Token, create a token and note it down. A token carries the permissions of the user it is issued for, so that user needs the same index and REST access described for the service account above.

Network pre-requisites:

  1. Allow traffic from Interpres to the Splunk Search Head on the Splunk management port. By default, this is port 8089.
  2. For Splunk Cloud customers, follow Splunk's documentation to request REST API access to your Splunk Cloud environment: https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTTUT/RESTandCloud.

App Configuration

App Parameters:

  • Hostname: The hostname or IP of the Search Head.
  • Api Port: The management port of the Search Head.
  • Verify Server Cert: Enable/disable server certificate verification.
  • Username: The username of the service account created for Interpres to query with, if a service account is used for authentication.
  • Password: The password of the service account created for Interpres to query with, if a service account is used for authentication.
  • Api Token: The API token created in Splunk, if an API token is used for authentication.

App Validation

Check that the integration you created shows connectivity (green light).
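A green light only proves the Search Head answered on the management port; it does not prove the account can see the indexes the app's searches need. The following preflight script is an added example, not part of Interpres or Splunk, that exercises the same things the app depends on: it reaches the management port (8089 by default), authenticates with either the service account (HTTP basic) or the API token (bearer), runs a oneshot search through the standard `/services/search/jobs` REST endpoint, and reports which required indexes the account cannot see. The hostname `splunk.example.com`, the required-index list, and the sample JSON response are assumptions constructed for illustration; Splunk's own endpoint names and parameters (`exec_mode=oneshot`, `output_mode=json`, the `eventcount` command) are real.

```python
"""Preflight check for the Splunk credentials handed to Interpres.

Added example, not Interpres or Splunk code. Hostname, index names and the
sample response below are constructed for illustration.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Indexes the app needs per the vendor setup section (assumed names).
REQUIRED_INDEXES = {"_internal", "wineventlog"}


def build_auth_header(username=None, password=None, token=None):
    """Return the Authorization header for exactly one of the two auth options."""
    if token and (username or password):
        raise ValueError("use either a service account or an API token, not both")
    if token:
        # Splunk authentication tokens are sent as a bearer token.
        return {"Authorization": f"Bearer {token}"}
    if username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    raise ValueError("no credentials supplied")


def oneshot_request(hostname, search, api_port=8089, **auth):
    """Build the POST to /services/search/jobs that runs a oneshot search.

    The search string must start with 'search' or a generating command ('|'),
    which is what Splunk's REST API requires.
    """
    url = f"https://{hostname}:{api_port}/services/search/jobs"
    spl = search if search.lstrip().startswith("|") else f"search {search}"
    body = urllib.parse.urlencode({
        "search": spl,
        "exec_mode": "oneshot",   # results are returned in the response body
        "output_mode": "json",
    }).encode()
    headers = build_auth_header(**auth)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_oneshot(json_text):
    """Return the result rows of a oneshot search response."""
    return json.loads(json_text).get("results", [])


def missing_indexes(rows, required=REQUIRED_INDEXES):
    """Compare the indexes visible to the account against the required set."""
    visible = {row.get("index") for row in rows}
    return sorted(required - visible)


def run_preflight(hostname, api_port=8089, verify_cert=True, **auth):
    """Live check: list the indexes the account can see and report gaps."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        # Mirrors the app's "Verify Server Cert" toggle; leave it enabled in
        # production so a spoofed Search Head cannot harvest the credentials.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # eventcount with summarize=false returns one row per searchable index.
    req = oneshot_request(hostname, "| eventcount summarize=false index=* | fields index",
                          api_port, **auth)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        rows = parse_oneshot(resp.read().decode())
    return missing_indexes(rows)


# Constructed sample of what the endpoint returns when the account can
# search _internal and main but not the Windows index.
SAMPLE_RESPONSE = json.dumps({
    "preview": False,
    "init_offset": 0,
    "messages": [],
    "fields": [{"name": "index"}],
    "results": [{"index": "_internal"}, {"index": "main"}],
})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_preflight(
    # "splunk.example.com", token="...") for a live check.
    print("missing indexes:", missing_indexes(parse_oneshot(SAMPLE_RESPONSE)))
```

If the script reports a missing index, fix the role's index access before wiring the account into the app; a green connectivity light will not surface that gap.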

Implemented Actions

  • Get Telemetry: This action queries Splunk with pre-defined search queries to collect all data sources that are searchable in Splunk and map them to MITRE ATT&CK subcategories.

  • Get Alerts: This action queries Splunk with pre-defined search queries to collect triggered alerts.

  • Get Detections: This action queries Splunk with pre-defined search queries to collect all alerts and correlation searches with their name, description, logic, and MITRE ATT&CK techniques attached.

  • Get Assets: This action queries Splunk with pre-defined search queries to collect formatted asset list from Splunk Enterprise Security.