Get started with the Splunk integration#
Caution
This application is no longer supported.
From 22 August 2022, use both of the following apps instead:
The Threat Intelligence EclecticIQ Platform App for Splunk is a native application that installs directly on your Splunk instance.
Requirements#
EclecticIQ Platform 2.x or later.
Threat Intelligence EclecticIQ Platform App for Splunk installed on your Splunk instance.
Network access between EclecticIQ Platform and your Splunk instance.
Download and install the app on Splunk#
Download the Threat Intelligence EclecticIQ Platform App from Splunkbase.
Save the
tar.gz
package locally.Log into your Splunk instance.
In the top navigation bar, open the Apps drop-down menu and select Manage Apps.
In the top right corner, click Install app from file.
In the Upload app page, click Browse and select the
tar.gz
package you just downloaded.Click Upload to install the package.
When prompted, click Restart to restart your Splunk instance.
(Optional) Create a new source group#
Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App.
When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the Threat Intelligence EclecticIQ Platform App.
Set up Outgoing feed on EclecticIQ Platform#
In order to allow your Splunk instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:
In the left navigation bar, click Data Configuration > Outgoing feeds > +.
Set the following fields in your new outgoing feed:
Field name
Description
Feed name*
Enter a descriptive name for the outgoing feed.
Example: Outgoing feed for <vendor system>
Transport type*
Set this to HTTP download.
Content type*
Set this to EclecticIQ Observables CSV.
Feed content
Datasets*: Select one or more datasets to include in this outgoing feed.
Update strategy*: Select an update strategy.
The Threat Intelligence EclecticIQ Platform App supports these update strategies:
REPLACE: Select this option to purge the app KV store before updating it each time the feed runs.
Caution
Not recommended for feeds with large datasets, or feeds with frequent execution schedules.
DIFF: Select this option to send incremental updates through the feed.
Transport configuration
Public: Select this to make this feed publicly available.
Authorized groups: If Public is not selected, select one or more groups to make this feed available to.
If you created a source group earlier, add that here.
Execution schedule
Set to None by default.
Tip
For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.
Save and run the outgoing feed.
Get the feed ID#
We need the ID of the outgoing feed that you’ve just created.
To get the feed ID:
In the left navigation bar, click Data Configuration > Outgoing feeds.
In the Outgoing feeds overview, click on the outgoing feed you’ve just created.
In the panel that appears, click on the Created packages tab.
Locate and note the feed ID shown in this tab.
The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:
You can download the latest package from: https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
the feed ID is 8.
Install Threat Intelligence EclecticIQ Platform App#
Sign in to Splunk Web.
Click Install app from file at the top right.
In the Upload an app page:
Click on Browse
Locate and select the
tar.gz
package downloaded in Download and install the app on Splunk.(Optional) Select Upgrade app if you are upgrading from a previous version of the app.
Click Upload.
Configure Threat Intelligence EclecticIQ Platform App#
Once the Threat Intelligence EclecticIQ Platform App is installed:
In the top navigation bar of Splunk Web, click Apps > Manage Apps.
Locate EclecticIQ Platform App in the list of apps.
In the Actions column for EclecticIQ Platform App, click Set up.
In the EclecticiIQ Platform App Configuration Page, fill out these fields:
Field name
Description
EclecticIQ Platform url
Enter the URL of your EclecticIQ Platform instance.
EclecticIQ Platform Version
Enter your EclecticIQ Platform version.
For example: 2.9
Verify the SSL Connection if SSL is used
Select to ensure that a valid SSL certificate is received from EclecticIQ Platform.
ID of feeds for collection from EclecticIQ Platform
One or more feed IDs obtained from Get the feed ID, separated by commas.
For example, to receive indicators from feeds with IDs 6 and 7: 6,7.
EclecticIQ Platform Source Group
Enter a source group. If you have one set up from Create a source group, enter that group name here.
Username
Enter your user name. This user must be a member of the group specified in EclecticIQ Platform Source Group.
Password
Enter your password.
Click Save Settings to finish configuring the app.
Optional app configuration#
(Optional) When configuring the app on the EclecticIQ Platform App Configuration Page, you can set up these options:
Proxy IP |
If you’re using a proxy, enter its IP address here. |
---|---|
Proxy username |
If required, enter the username for authenticating with your proxy. |
Proxy password |
Enter the password for your proxy. |
Sightings query |
Set to Modify this to change the scope of the sightings query used by the app. |
Send the following sightings types |
All selected by default. Select one or more sighting types to send to EclecticIQ Platform through the app. |
Scripts Log Level |
Set the log level for scripts run by the app. Change this only if you have issues with the app. Possible values:
|