Enricher - Splunk sightings
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Specifications

Enricher name: Splunk sightings
Input: Domain, email, hashes (hash-md5, hash-sha1, hash-sha256, and hash-sha512), host, IP addresses (ipv4 and ipv6), and uri.
Output: Creates sightings for matching input observables, based on the search result items retrieved from the specified Splunk instance.
API endpoint: https://<splunk_server_url>:8089
Description: The Splunk sightings enricher searches the indices in the specified Splunk instance. Matching data is extracted and saved to the platform as sightings.
Configure the Splunk sightings enricher parameters
1. Go to Data configuration > Enrichers.
2. Select the enricher from the displayed list.
3. Edit the enricher by selecting More > Edit in the top right.
4. In the Edit enricher panel, fill out these fields (required fields are marked with an asterisk (*)):

Splunk URL *
Enter the API URL for your Splunk instance. This is usually https://<splunk_server_url>:8089.

Username *
Enter your Splunk user name.

Api key *
Enter your Splunk authentication token.

Search results limit *
Enter the maximum number of search results the enricher retrieves per enrichment.

5. Select Save.
Additional information
Search result matches generate sightings that are saved to the platform.
Each sighting includes the following information:
A unique ID.
A URL pointing to the Splunk instance data source.
A URL with the query that retrieved the data.
Details about the sighted observable.
For example, a Splunk index reference, the source log the data was found in, a timestamp, and any raw response data, if available.
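As an added example (not the platform's own enricher code), the following Python sketches the two halves of the behaviour described above: building the Splunk search for one observable within the configured result limit, and mapping returned rows to sighting records carrying the index, source, timestamp and raw data. It assumes Splunk's REST search endpoint (/services/search/jobs in one-shot mode with a bearer token) and a separate Splunk Web URL for the query link; the sighting field names and the sample results are this example's own constructions.

```python
import json
import urllib.parse
import urllib.request

SUPPORTED_TYPES = {"domain", "email", "hash-md5", "hash-sha1", "hash-sha256",
                   "hash-sha512", "host", "ipv4", "ipv6", "uri"}
# Constructed sample of the "results" array a one-shot search returns.
SAMPLE_RESULTS = [
    {"index": "firewall", "source": "/var/log/fw.log",
     "_time": "2024-05-01T10:00:00.000+00:00", "_raw": "deny src=203.0.113.5"},
    {"index": "proxy", "source": "/var/log/proxy.log",
     "_time": "2024-05-01T10:05:00.000+00:00", "_raw": "GET http://203.0.113.5/"},
    {"index": "proxy", "source": "/var/log/proxy.log",
     "_time": "2024-05-01T10:06:00.000+00:00", "_raw": "GET http://203.0.113.5/x"},
]

def build_search(obs_type, value, limit):
    # Quote and escape the value so a crafted observable such as  x" | delete
    # is matched as literal text instead of changing the search logic.
    if obs_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported observable type: {obs_type}")
    if limit < 1:
        raise ValueError("search results limit must be positive")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'search index=* "{escaped}" | head {int(limit)}'

def fetch_results(api_url, token, spl, limit):
    # One-shot search over the REST API (needs network; not run offline).
    body = urllib.parse.urlencode({"search": spl, "exec_mode": "oneshot",
                                   "output_mode": "json", "count": limit}).encode()
    req = urllib.request.Request(f"{api_url}/services/search/jobs", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]

def results_to_sightings(api_url, web_url, spl, obs_type, value, results, limit):
    # The limit is enforced again here so an over-long response can never
    # yield more sightings than the configured "Search results limit".
    query_url = f"{web_url}/app/search/search?q=" + urllib.parse.quote(spl)
    sightings = []
    for n, row in enumerate(results[:limit], start=1):
        sightings.append({
            "id": f"splunk:{obs_type}:{value}:{n}",  # constructed unique id
            "source_url": api_url,
            "query_url": query_url,
            "observable": {"type": obs_type, "value": value},
            "index": row.get("index"), "source": row.get("source"),
            "timestamp": row.get("_time"), "raw": row.get("_raw"),
        })
    return sightings
```

Running `build_search` against SAMPLE_RESULTS with a limit of 2 yields two sightings, the third row being dropped by the limit.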