External Threat Landscape Management

CYFIRMA App for Splunk

Introduction

This design document serves to provide an overview of the DeCYFIR Add-on & App for Splunk.

DeCYFIR is a cloud-based threat discovery and cyber-intelligence platform, designed to defend organizations by uncovering attack surfaces, building digital risk profiles & using personalized insights to predict imminent attacks and decode cyber threats before a cyberattack hits.

The Splunk add-on collects DeCYFIR alert event data through the events API and sends it to Splunk as events. It also ingests DeCYFIR IOC data as lookup data in Splunk Enterprise.

The Splunk app provides searches built on the Alerts and IOC data; its dashboards are built on those Splunk searches.

Installation of Splunk Enterprise

To install Splunk Enterprise, follow the Splunk Installation Manual.


Installation for both APP & Add-on

  1. Log in to Splunk Enterprise.
  2. Click on Apps > Search for App.
    • Search for “CYFIRMA DeCYFIR Add-on for SPLUNK”.
    • Search for “CYFIRMA DeCYFIR app for SPLUNK”.
  3. Enter the app name in the search box.
  4. Check the prerequisites and details.
  5. Click on Install.

Account

Splunk Add-on > Configuration

After installing the DeCYFIR Add-on, set up the account by following the steps below:
  1. On the left panel of Splunk Enterprise, click on TA-CIP.
  2. Click on the Configuration tab.
  3. In the Accounts sub-tab, click on Add.
  4. Give the configuration a unique name and enter the product URL and the API key generated in the product.
  5. Click on Add.

Proxy

Splunk Add-on > Configuration

To set up a proxy for API data collection, follow these steps:
  1. Go to the Add-on by clicking on DeCYFIR in the left bar.
  2. Click on the Configuration tab.
  3. Click on the Proxy tab under the Configuration tab.
  4. Fill in all the necessary details.
  5. Click on Save.

Parameter       Required  Description
Enable          No        Enables the proxy
Proxy Type      No        Type of the proxy. Available options are https
Host            Yes       Server address of the proxy host
Port            Yes       Port of the proxy server
User Name       No        Username for the proxy server
Password        No        Password for the above username
DNS Resolution  No        Keep DNS resolution on or off

Logging

Splunk Add-on > Configuration

To configure logging for API data collection, follow these steps:
  1. Go to the Add-on by clicking on DeCYFIR Add-on in the left bar.
  2. Click on the Configuration tab.
  3. Click on the Logging tab under the Configuration tab.
  4. Select the log level. Available log levels are Debug, Info, Warning, Error and Critical.
  5. Click on Save.

Parameter  Required  Description
Log Level  No        Log level for the add-on's logging, defaults to INFO

Additional Parameters

Splunk Add-on > Configuration

To set up additional parameters for API calls and the retry mechanism, follow these steps:
  1. Go to the Add-on by clicking on DeCYFIR Add-on in the left bar.
  2. Click on the Configuration tab.
  3. Click on the Add-on Settings tab under the Configuration tab.
  4. Set the Number of Retries.
  5. Set the Sleep Time.
  6. Set the Page Size.
  7. Click on Save.

Parameter          Required  Description
Number of Retries  Yes       Number of attempts to be made, defaults to 3
Sleep Time         Yes       Wait time in seconds between consecutive retries, defaults to 100
Page Size          Yes       Number of records to fetch in a single REST API call, defaults to 100
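As an added illustration of how the Number of Retries, Sleep Time and Page Size settings interact (example code written for this document, not the add-on's own collector), the following Python pages through a hypothetical fetch_page(page, page_size) transport with a bounded retry budget. The flaky API at the bottom is a constructed stand-in so the example runs offline; the sleep function is injectable so a test need not wait the real 100 seconds.

```python
import time
from typing import Callable, Dict, List, Tuple

# Defaults as listed in the add-on's "Additional Parameters" table.
DEFAULT_RETRIES = 3          # total attempts per page request
DEFAULT_SLEEP_SECONDS = 100  # wait between consecutive attempts
DEFAULT_PAGE_SIZE = 100      # records per REST call


class CollectionError(RuntimeError):
    """Raised when a page could not be fetched within the retry budget."""


def collect_all_pages(fetch_page: Callable[[int, int], List[dict]],
                      retries: int = DEFAULT_RETRIES,
                      sleep_seconds: float = DEFAULT_SLEEP_SECONDS,
                      page_size: int = DEFAULT_PAGE_SIZE,
                      sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Pull every page from fetch_page (a hypothetical transport; the
    add-on's real API client is not shown in the document).
    A page shorter than page_size ends the collection. Each page is tried
    at most `retries` times, sleeping sleep_seconds between attempts."""
    events: List[dict] = []
    page = 0
    while True:
        batch = None
        for attempt in range(1, retries + 1):
            try:
                batch = fetch_page(page, page_size)
                break
            except (ConnectionError, TimeoutError) as exc:
                if attempt == retries:  # retry budget exhausted for this page
                    raise CollectionError(
                        f"page {page} failed after {retries} attempts: {exc}")
                sleep(sleep_seconds)
        events.extend(batch)
        if len(batch) < page_size:  # short page means no more data
            return events
        page += 1


def make_flaky_api(total: int, fail_first_n_calls: int) -> Tuple[Callable, Dict]:
    """Constructed stand-in for the events API: serves `total` records and
    raises ConnectionError on the first `fail_first_n_calls` calls."""
    state = {"calls": 0}

    def fetch_page(page: int, page_size: int) -> List[dict]:
        state["calls"] += 1
        if state["calls"] <= fail_first_n_calls:
            raise ConnectionError("simulated transient failure")
        start = page * page_size
        return [{"id": i} for i in range(start, min(start + page_size, total))]

    return fetch_page, state
```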

DeCYFIR Alerts

Inputs

To create an input for API data collection, the steps are as follows:
  1. Go to the Add-on by clicking on DeCYFIR Add-On for Splunk in the left bar.
  2. Click on the Inputs tab.
  3. Click on Create New Input -> Select DeCYFIR Alerts.
  4. Fill in all the necessary details.
  5. Click on Save.

Parameter       Required  Description
Name            Yes       The unique name for the DeCYFIR Alerts data input
Interval        Yes       Interval of the input in seconds. Minimum is 0
Index           Yes       Name of the index in which the data will be indexed in Splunk. In a distributed environment this index must exist on the indexer
Global Account  Yes       Select the DeCYFIR account from the dropdown. It lists all accounts configured in the Configuration -> Accounts tab

DeCYFIR IOCs

Inputs

To create an input for API data collection, follow the steps below:
  1. Go to the Add-on by clicking on DeCYFIR Add-On for Splunk in the left bar.
  2. Click on the Inputs tab.
  3. Click on Create New Input -> Select DeCYFIR IOC.
  4. Fill in all the necessary details.
  5. Click on Save.

Parameter       Required  Description
Name            Yes       The unique name for the DeCYFIR Alerts data input
Interval        Yes       Interval of the input in seconds. Minimum is 0
Lookup Name     Yes       Name of the lookup file in which the data will be stored in Splunk
Global Account  Yes       Select the DeCYFIR account from the dropdown. It lists all accounts configured in the Configuration -> Accounts tab

Splunk App

Once the app is installed, it needs to be set up. To complete the setup, follow these steps:
  1. Go to DeCYFIR App for Splunk.
  2. Click on “Continue to app setup page”.
  3. Enter the URL for CYFIRMA. Example: decyfir.cyfirma.com.
  4. Enter the API Key for the above URL.
  5. Click Save.

DeCYFIR Alert Details

Splunk App > Dashboard

Shows details of the DeCYFIR Alerts:
  1. The count of alerts for each category.
  2. The trend of counts for all categories.
  3. The details of all categories.

Splunk App > Dashboard

Clicking on any single-value panel highlights that panel and shows the trend for the selected category below it.

Splunk App > Dashboard

Select the alert details you want to see by clicking on the arrow in the first column.

DeCYFIR IOCs

Splunk App > Dashboard

Shows the details of the DeCYFIR IOCs:
  1. The count of IOCs for each indicator type.
  2. The trend of counts for the selected indicator types.
  3. The detailed IOC table.
  4. Clicking on any row of the IOC data table opens a pop-up window with additional information.

Splunk App > Dashboard

Clicking on any single-value panel highlights that panel and shows the trend for the selected indicator type below it.

Splunk App > Dashboard

By clicking on any row in the table, a pop-up window will display additional details related to the selected value.

Splunk Alerts

Splunk App > Dashboard

Shows the details of the alerts configured in Splunk:
  1. The total number of alerts raised by the alerts configured in Splunk.
  2. The trend for the selected alerts.
  3. A table of Splunk alert details.
Clicking on View Details in the table shows the events that caused the alert to trigger.
