Configure the Splunk Add-on for Splunk Attack Analyzer
Perform the following steps to configure the Splunk Add-on for Splunk Attack Analyzer and index job and forensic data from Splunk Attack Analyzer to the Splunk platform.
Prerequisites
- Access to a Splunk Attack Analyzer API key. See Create and manage API keys in Splunk Attack Analyzer in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
- Create an events index for the data from Splunk Attack Analyzer. See Create events indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Steps
- Configure a connection to Splunk Attack Analyzer.
- Configure a completed jobs input.
- (Optional) Configure the adaptive response action.
Configure a connection to Splunk Attack Analyzer
Configure a connection to Splunk Attack Analyzer using the Splunk Add-on for Splunk Attack Analyzer.
- From the Splunk platform, search for and navigate to the Splunk Add-on for Splunk Attack Analyzer.
- Select the Configuration tab, then Connections, then + Add.
- In the Name field, enter a name for the connection. Don't use spaces or capital letters.
- Ensure that the URL in the API URL field is the URL of the Splunk Attack Analyzer tenant that issued your API key. A key is only valid for the tenant it was created in.
- In the API Key field, enter your Splunk Attack Analyzer API key.
- Select Add.
The connection appears in the Connections table. If you have more than one Splunk Attack Analyzer tenant, configure a new connection for each tenant you want to access data from.
Configure a completed jobs input
Complete the following steps to set up a new data input for Splunk Attack Analyzer jobs and other data, such as forensics.
- From the Splunk platform, search for and navigate to the Splunk Add-on for Splunk Attack Analyzer.
- Select Inputs, then Create New Input.
- In the Name field, enter a name for the input. Don't use spaces or capital letters.
- In the Interval field, enter an interval for the job in seconds.
The interval you choose depends on your volume requirements and how often you want your data to refresh. A tighter interval causes more load on the instance running the input. Don't enter a value less than 300.
- In the Index field, select the name of the index that you previously created for the data from Splunk Attack Analyzer. See Create events indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
The Splunk App for Splunk Attack Analyzer contains dashboards that use the macro saa_indexes. The default macro definition uses the index name saa. You can use any index name you choose, but you will need to reconfigure the macro in the Splunk App for Splunk Attack Analyzer. See Configure macros in the Splunk App for Splunk Attack Analyzer.
- In the Connection field, select the name of the connection that you previously created to a Splunk Attack Analyzer tenant. See Configure a connection to Splunk Attack Analyzer.
- (Optional) Expand the Query Configuration section to add any of the following optional fields to define the parameters of your data ingestion.
Source: Select which source you want the data to come from, based on how it was submitted to Splunk Attack Analyzer. Available options are UI or API.
Start Time: Enter a start time for data collection. If you don't enter a start time, the add-on ingests all jobs and forensics available for querying from Splunk Attack Analyzer. Set a start time if you don't want the first collection to include the whole job history.
Username: Enter a username to collect only information submitted by that username.
API Key ID: Enter an API Key ID to collect only information submitted using that API key.
Backfill: Select the time in days from which to backfill jobs. By default, the input only pulls in jobs that complete after the input is created.
- (Optional) Expand Forensics Configuration to configure whether or not you want to index the forensics corresponding to the ingested jobs.
- Check the Ingest Forensics box to ingest the normalized forensics that correspond to the ingested jobs.
- From the Forensics Components field, select the forensics components that you want to ingest. Don't ingest screenshots or images.
- Select Add.
After you add a completed jobs input, the splunk:aa:job, splunk:aa:job:resource, and splunk:aa:job:task source types are ingested from Splunk Attack Analyzer. If you configure forensic components, forensic source types are ingested as well, depending on which components you selected.
The dashboards in the Splunk App for Splunk Attack Analyzer are populated from the data collected by the completed jobs input.
You can configure multiple inputs for one instance if you want to ingest more than one type of data from Splunk Attack Analyzer to the Splunk App for Splunk Attack Analyzer.
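To confirm that a completed jobs input is actually delivering data, run a search such as the following from the Splunk platform. This is an added verification example, not part of the add-on or its documentation. It relies only on the three source type names listed above and on the saa_indexes macro, which is assumed to expand to index=saa, or to whatever index you reconfigured the macro to use. Run it over a time window at least twice as long as the interval you set on the input.

```spl
`saa_indexes` sourcetype IN ("splunk:aa:job", "splunk:aa:job:resource", "splunk:aa:job:task")
| stats count AS events, latest(_time) AS last_event_time, max(eval(_indextime - _time)) AS max_ingest_lag_sec BY sourcetype
| eval last_event=strftime(last_event_time, "%Y-%m-%d %H:%M:%S %Z"), minutes_since_last_event=round((now() - last_event_time) / 60, 1)
| table sourcetype events last_event minutes_since_last_event max_ingest_lag_sec
```

Expect one row per source type. If no rows return at all, the saa_indexes macro does not point at the index you selected in the Index field. If a source type is missing, remember that the default Backfill setting collects only jobs that complete after the input was created, and that forensic source types appear only when Ingest Forensics is checked. A minutes_since_last_event value much larger than the input interval means the input has stopped collecting; check index=_internal for errors logged by the input before changing the interval.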
(Optional) Configure the adaptive response action
When using Splunk Enterprise Security, the Splunk Add-on for Splunk Attack Analyzer provides an adaptive response action to submit URLs to Attack Analyzer. You can optionally configure the Submit URL to Attack Analyzer adaptive response action if you want to submit URLs from the Splunk platform to Splunk Attack Analyzer in response to a triggered alert from a correlation search. You must have the list_storage_passwords capability to configure the adaptive response action.
- From Splunk Enterprise Security on the Splunk platform menu bar, select Configure, then Content, then Content Management.
- Select an existing correlation search, or select Create New and then Correlation Search.
- Select Add New Response Action and then select Submit URL to Attack Analyzer.
- In the Connection field, select the connection you configured for the Splunk Attack Analyzer tenant that holds the API key you want to submit with.
- In the URL field, enter the token that resolves to the URL field of the matching events, so that the URL is read from each detected event and submitted to Splunk Attack Analyzer automatically. Splunk alert tokens take the form $result.fieldname$; for example, $result.url$ if the field in your correlation search results is named url. For more information, see Use tokens in email notifications in the Splunk Enterprise Alerting Manual.
- Select Save to save all changes to the correlation search.
For more information, see Set up adaptive response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
When you run Submit URL to Attack Analyzer ad hoc from the adaptive response actions in Incident Review, token replacement based on event fields is not supported. Tokens such as $name$, which would resolve to the correlation search name, do not apply because an ad hoc adaptive response action is not a scheduled saved search. Token replacement is supported when the action is configured through the correlation search editor.
After you configure the adaptive response action, you can view job information in Splunk Enterprise Security. See View Attack Analyzer job information in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.1.0, 1.1.1, 1.2.0