Get started with the Splunk integration#

Caution

This application is no longer supported.

From 22 August 2022, use both of the following apps instead:

The Threat Intelligence EclecticIQ Platform App for Splunk is a native application that installs directly on your Splunk instance.

Requirements#

  • EclecticIQ Platform 2.x or later.

  • Threat Intelligence EclecticIQ Platform App for Splunk installed on your Splunk instance.

  • Network access between EclecticIQ Platform and your Splunk instance.

Download and install the app on Splunk#

  1. Download the Threat Intelligence EclecticIQ Platform App from Splunkbase.

  2. Save the tar.gz package locally.

  3. Log into your Splunk instance.

  4. In the top navigation bar, open the Apps drop-down menu and select Manage Apps.

  5. In the top right corner, click Install app from file.

  6. In the Upload app page, click Browse and select the tar.gz package you just downloaded.

  7. Click Upload to install the package.

  8. When prompted, click Restart to restart your Splunk instance.

(Optional) Create a new source group#

Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App.

When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the Threat Intelligence EclecticIQ Platform App.

Set up Outgoing feed on EclecticIQ Platform#

In order to allow your Splunk instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:

  1. In the left navigation bar, click Data Configuration Data configuration icon > Outgoing feeds > +.

  2. Set the following fields in your new outgoing feed:

    Field name

    Description

    Feed name*

    Enter a descriptive name for the outgoing feed.

    Example: Outgoing feed for <vendor system>

    Transport type*

    Set this to HTTP download.

    Content type*

    Set this to EclecticIQ Observables CSV.

    Feed content

    • Datasets*: Select one or more datasets to include in this outgoing feed.

    • Update strategy*: Select an update strategy.

      The Threat Intelligence EclecticIQ Platform App supports these update strategies:

      • REPLACE: Select this option to purge the app KV store before updating it each time the feed runs.

        Caution

        Not recommended for feeds with large datasets, or feeds with frequent execution schedules.

      • DIFF: Select this option to send incremental updates through the feed.

    Transport configuration

    • Public: Select this to make this feed publicly available.

    • Authorized groups: If Public is not selected, select one or more groups to make this feed available to.

      If you created a source group earlier, add that here.

    Execution schedule

    Set to None by default.

    Tip

    For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.

  3. Save and run the outgoing feed.

Get the feed ID#

We need the ID of the outgoing feed that you’ve just created.

To get the feed ID:

  1. In the left navigation bar, click Data Configuration Data configuration icon > Outgoing feeds.

  2. In the Outgoing feeds overview, click on the outgoing feed you’ve just created.

  3. In the panel that appears, click on the Created packages tab.

  4. Locate and note the feed ID shown in this tab.

    The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:

    You can download the latest package from:
    https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
    

    the feed ID is 8.

Install Threat Intelligence EclecticIQ Platform App#

  1. Sign in to Splunk Web.

  2. From the dashboard, click on Settings (Settings) in the left menu.

    Click the settings icon.
  3. Click Install app from file at the top right.

  4. In the Upload an app page:

    1. Click on Browse

    2. Locate and select the tar.gz package downloaded in Download and install the app on Splunk.

    3. (Optional) Select Upgrade app if you are upgrading from a previous version of the app.

    4. Click Upload.

Configure Threat Intelligence EclecticIQ Platform App#

Once the Threat Intelligence EclecticIQ Platform App is installed:

  1. In the top navigation bar of Splunk Web, click Apps > Manage Apps.

  2. Locate EclecticIQ Platform App in the list of apps.

  3. In the Actions column for EclecticIQ Platform App, click Set up.

  4. In the EclecticiIQ Platform App Configuration Page, fill out these fields:

    Field name

    Description

    EclecticIQ Platform url

    Enter the URL of your EclecticIQ Platform instance.

    EclecticIQ Platform Version

    Enter your EclecticIQ Platform version.

    For example: 2.9

    Verify the SSL Connection if SSL is used

    Select to ensure that a valid SSL certificate is received from EclecticIQ Platform.

    ID of feeds for collection from EclecticIQ Platform

    One or more feed IDs obtained from Get the feed ID, separated by commas.

    For example, to receive indicators from feeds with IDs 6 and 7: 6,7.

    EclecticIQ Platform Source Group

    Enter a source group. If you have one set up from Create a source group, enter that group name here.

    Username

    Enter your user name. This user must be a member of the group specified in EclecticIQ Platform Source Group.

    Password

    Enter your password.

  5. Click Save Settings to finish configuring the app.

Optional app configuration#

(Optional) When configuring the app on the EclecticIQ Platform App Configuration Page, you can set up these options:

Proxy IP

If you’re using a proxy, enter its IP address here.

Proxy username

If required, enter the username for authenticating with your proxy.

Proxy password

Enter the password for your proxy.

Sightings query

Set to index=main by default.

Modify this to change the scope of the sightings query used by the app.

Send the following sightings types

All selected by default.

Select one or more sighting types to send to EclecticIQ Platform through the app.

Scripts Log Level

Set the log level for scripts run by the app. Change this only if you have issues with the app.

Possible values:

  • 0: Default. Sets log level to DEBUG.

  • 10: Default. Sets log level to INFO.

  • 30: Default. Sets log level to WARNING.

  • 40: Default. Sets log level to ERROR.

  • 50: Default. Sets log level to CRITICAL.