slashnext automated data enrichment guide splunk enterprise...slashnext automated data enrichment...

1

SlashNext Automated Data Enrichment GuideSplunk Enterprise

USER GUIDE V 1 . 0 . 0

SLASHNEXT AUTOMATED DATA ENRICHMENT GUIDE SPLUNK ENTERPRISE | USER GUIDE 1.0.0 1

TABLE OF CONTENTS

1 | INSTALLATION .................................................................................................................................................................................................................................................2

2 | CONFIGURATION ..................................................................................................................................................................................................................................3

3 | CUSTOM SEARCH COMMANDS ....................................................................................................................................................................................................4

4 | ENRICHMENT DASHBOARDS ....................................................................................................................................................................................................6

snxhostreputation ............................................................................................................................................................................................................................4

snxhosturls ..........................................................................................................................................................................................................................................4

snxhostreport ....................................................................................................................................................................................................................................5

snxurlscan ............................................................................................................................................................................................................................................5

snxurlscansync ..................................................................................................................................................................................................................................5

snxurlscanreport ...............................................................................................................................................................................................................................6

SLASHNEXT.COM


1 | INSTALLATION

In order to install the SlashNext App for Splunk please follow the following steps:

1. Download the SlashNext App for Splunk from Splunkbase. The app will be downloaded as tar.gz file

2. Click on the gear icon under the Apps sidebar on your Splunk home to go the Manage Apps page

3. On the Manage Apps page, click on Install app from file button to upload the app file.

4. Choose the app file that you downloaded earlier and click on the Upload button to upload the file

5. Splunk will ask you to Restart your instance. Click on the Restart Now button to restart the Splunk instance

SLASHNEXT.COM


2 | CONFIGURATION

Once the app is installed, you need to configure the app with API credentials provided to you by SlashNext. In order to configure the app, follow the steps below:

26. After restart is done, login back to your instance and SlashNext App for Splunk will now appear under your Apps sidebar. At this

point, the app has been installed successfully

1. Click on SlashNext App for Splunk to launch the app.

2. Click on Setup button on the app menu bar to go to App Setup page for configurations

3. Enter the API key provided to you by SlashNext in the API Key field. If you do not have an API key then contact at [email protected]. Optionally, you can also specify an alternate API Base URL, if and only if, specifically specified by SlashNext otherwise leave it empty. Finally, click on the Save button to finish your configuration.

At this point, the configuration for the app is complete and is ready to be used. In case any error occurs, contact Splunk Support for further assistance.

SlashNext App for Splunk provides custom Splunk Search Commands that enable Splunk users to leverage SlashNext's On-demand Threat Intelligence Cloud platform within the Splunk Platform. The syntax of the search commands and their output is elaborated below

Search in SlashNext Cloud database and retrieve reputation of a host.

SLASHNEXT.COM


3 | CUSTOM SEARCH COMMANDS

3.1 | SNXHOSTREPUTATION

Syntaxsnxhostreputation host= / host_field=

Execute Host Reputation on Domain: "www.slashnext.com"

Examples:| snxhostreputation host=www.slashnext.com

Execute Host Reputation on IP: "11.22.33.44"

| snxhostreputation host=11.22.33.44

Execute Host Reputation on "domains" field in all the passed events

| snxhostreputation host_field=domains

Search in SlashNext Cloud database and retrieve list of all URLs associated with the specified host.

3.2 | SNXHOSTURLS

Syntaxsnxhosturls host= urls_limit=

Retrieve at maximum 10 URLs with Domain:"www.slashnext.com"

Examples:| snxhosturls host=www.slashnext.com urls_limit=10

Retrieve at maximum 10 URLs with IP: "11.22.33.44"

| snxhosturls host=11.22.33.44 urls_limit=10

Queries the SlashNext Cloud database and retrieves a detailed report for a host and associated URL.

3.3 | SNXHOSTREPORT

SLASHNEXT.COM


Syntaxsnxhostreport host=

Retreive Host Report for Domain: "www.slashnext.com"

Examples:|| snxhostreport host=www.slashnext.com

Retreive Host Report for IP: "11.22.33.44"

| snxhostreport host=11.22.33.44

Perform a real-time URL reputation scan with SlashNext cloud-based SEER Engine.

3.4 | SNXURLSCAN

Syntaxsnxurlscan url= | url_field=

Execute URL Scan on URL: www.slashnext.com/about/

Examples:| snxurlscan url=www.slashnext.com/about/

Execute URL Scan on "urls" field in all the passed events

| snxurlscan url_field=urls

Perform a real-time URL scan with SlashNext cloud-based SEER Engine in a blocking mode.

3.5 | SNXURLSCANSYNC

Syntaxsnxurlscansync url=

Execute a Synchronous URL Scan on URL: www.slashnext.com/about/

Examples:| snxurlscansync url=www.slashnext.com/about/

Queries the SlashNext Cloud database and retrieves a detailed report for a Scan ID.

SlashNext App for Splunk also provides Splunk users customized dashboards, that use the above mentioned custom search commands, to get enrichment information for IPs, Domains and URLs. To view these enrichment dashboards, follow the steps below:

3.6 | SNXURLSCANREPORT

4 | ENRICHMENT DASHBOARDS

SLASHNEXT.COM


Syntaxsnxurlscanreport scan_id= extended_info=

Retrieve Scan Report against Scan ID: 3b8f8a58-837a-4b81-8a0b-4654ab1e304b

Examples:| snxurlscanreport scan_id=3b8f8a58-837a-4b81-8a0b-4654ab1e304b

Retrieve Scan Report against Scan ID: 3b8f8a58-837a-4b81-8a0b-4654ab1e304b with Extended Information (Screenshot, HTML and Text data)

| snxurlscanreport scan_id=3b8f8a58-837a-4b81-8a0b-4654ab1e304b extended_info=true

1. Click on the Enrich button on the app menu-bar and a drop-down menu will appear. Select IP-Enrichment, Domain-Enrichment or URL-Enrichment for IPs, Domains and URLs respectively.

2. Let us first show the output of IP Enrichment, Click on IP-Enrichment to show its dashboard. Enter the IP against which the enrichment is to be performed and click on the Submit button. It will submit the request to SlashNext's On-demand Threat Intelligence Cloud .

SLASHNEXT.COM


3. On successful execution, the dashboard will show all the threat information against the scanned IP, as shown below:

SLASHNEXT.COM


4. On successful execution, the dashboard will show all the threat information against the scanned IP, as shown below:

slashnext automated data enrichment guide splunk enterprise...slashnext automated data enrichment...

Documents