Integrate third-party content in Splunk Security Essentials
As a third-party developer, you can integrate and publish your own custom content, such as searches, detections, and use cases, into Splunk Security Essentials (SSE) environments. Once integrated, users can work with that content in the same way as the content that ships with SSE. For information on how to incorporate custom data sources into SSE, see Configure the products you have in your environment with the Data Inventory dashboard.
SSE also supports the Splunk partner ecosystem. If you are a commercial security partner or an open-source provider, you can add your content into SSE. Users can then track the content they have and showcase how the content helps them meet their needs.
Add content in SSE
To add content in SSE, complete the following steps:
- Convert the content into the SSE format.
- Post the content for download.
- Add the content to Splunkbase.
Convert the content into the SSE format
To convert content that exists as active searches in the savedsearches.conf file into the SSE format, see Configure Splunk Security Essentials in the Install and Configure Splunk Security Essentials manual. If the content exists in a different repository, such as a database, you can create custom code that converts the content into the SSE format.
Post the content for download
SSE downloads new content from the user's browser, not from the Splunk Enterprise server, so no proxy configuration is needed within Splunk Enterprise; the user's browser does need to be able to reach the host that serves your content. Every time a page loads, the browser performs a lookup using the external_content_lookup file to determine when content was last updated. If more than one day has passed since the last lookup, the content is updated automatically.
If build_url and build_field are configured, SSE performs a GET request to build_url, expects a JSON object in the response, and reads the build number (buildnum) from the field named by build_field. If that buildnum differs from the last buildnum received, the download proceeds; if it is the same, nothing is downloaded. If no build_url is configured, SSE skips the build check and downloads all the content on every due lookup. To download content, SSE performs a GET request to content_download_url and expects all the content to be contained in a single JSON object.
If you store the content in GitHub, use the raw file URL rather than the repository page URL. If you store the content in S3, configure the bucket to allow Cross-Origin Resource Sharing (CORS): the request comes from the Splunk Web origin, so without an appropriate Access-Control-Allow-Origin header the browser blocks the response. Serve the content over HTTPS, as in the example below; a Splunk Web instance served over HTTPS cannot fetch it from a plain http URL because browsers block mixed content. For information about configuring CORS in Amazon S3, search on "How Do I Allow Cross-Domain Resource Sharing with CORS" in the AWS documentation or "Access-Control-Allow-Origin Header" on Stack Overflow.
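The update check described above, modelled in Python as an added example (this is not SSE's own browser-side code, and the URLs, response bodies and the default field name buildnum are assumptions made for the illustration). The model follows the steps the text gives: a lookup is due once more than a day has passed, an optional build_url is fetched and its build number compared with the last one seen, and content_download_url must return a single JSON object. The fetch function is injected so the model runs offline against constructed responses; it also rejects a build file that lacks the configured field, since a missing field would otherwise compare equal to "never seen" and suppress every download.

```python
"""Model of the browser-side update check for an SSE content channel.

Added illustration, not SSE's own client code. Timestamps are floats
(seconds since epoch); `fetch` is injected so everything runs offline.
"""
import json

ONE_DAY = 86400.0  # seconds

# Constructed URLs and responses standing in for a hosted build file and
# content file; they are not real SSE content.
BUILD_URL = "https://example.invalid/build.json"
CONTENT_URL = "https://example.invalid/content.json"
CHANNEL = {
    "content_download_url": CONTENT_URL,
    "build_url": BUILD_URL,
    "build_field": "buildnum",
}


def make_fetch(responses):
    """Return a fetch(url) that serves JSON-encoded bodies from a dict."""
    def fetch(url):
        if url not in responses:
            raise KeyError("no constructed response for %s" % url)
        return json.dumps(responses[url])
    return fetch


def needs_lookup(last_checked, now):
    """A lookup is due if none was ever recorded or more than a day has passed."""
    return last_checked is None or (now - last_checked) > ONE_DAY


def check_for_update(channel, state, fetch, now):
    """Run one page-load check. Returns (content_or_None, new_state).

    channel: stanza settings (content_download_url, optional build_url/build_field)
    state:   {"last_checked": float|None, "last_buildnum": value|None}
    fetch:   callable(url) -> response body as text
    """
    state = dict(state)
    if not needs_lookup(state.get("last_checked"), now):
        return None, state
    state["last_checked"] = now

    buildnum = None
    build_url = channel.get("build_url")
    if build_url:
        field = channel.get("build_field", "buildnum")  # assumed default name
        info = json.loads(fetch(build_url))
        if not isinstance(info, dict):
            raise ValueError("build_url must return a JSON object")
        buildnum = info.get(field)
        if buildnum is None:
            # Example's own choice: fail loudly rather than silently never updating.
            raise ValueError("build file has no %r field" % field)
        if buildnum == state.get("last_buildnum"):
            return None, state  # same build as last time: skip the download

    content = json.loads(fetch(channel["content_download_url"]))
    if not isinstance(content, dict):
        raise ValueError("content_download_url must return a JSON object")
    if build_url:
        state["last_buildnum"] = buildnum
    return content, state


def demo():
    """First load downloads; a load 36 hours later sees the same build and skips."""
    fetch = make_fetch({BUILD_URL: {"buildnum": 42},
                        CONTENT_URL: {"ExampleSearch1": {"name": "Example search"}}})
    state = {"last_checked": None, "last_buildnum": None}
    first, state = check_for_update(CHANNEL, state, fetch, 0.0)
    second, state = check_for_update(CHANNEL, state, fetch, 36 * 3600.0)
    return first, second, state
```

A channel without build_url takes the second path only: every due lookup downloads the whole content object, which is why publishing a small build file is worth the extra request once the content grows.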
Add the content to Splunkbase
To direct SSE to your content, create a stanza in the essentials_updates.conf file in your add-on.
Here is an example of what the configuration in the default/essentials_updates.conf file looks like:
[ButtercupLabs]
channel=ButtercupLabs
name=Buttercup Labs
description=Buttercup Labs produces quality security analytics run through the Splunk platform. Although Buttercup Labs sells a commercial threat analytics app, the company has also released community content. All that content is available through Splunk Security Essentials.
type=app
app_context=Splunk_Security_Essentials
content_download_url=https://go.splunksecurityessentials.com/myContentLocation
Follow these guidelines when you create the stanza and the channel:
- Make sure the stanza name is unique to your organization.
- Make sure nothing else references the stanza name.
- Don't use spaces in either the stanza name or the channel name.
- Consider matching the stanza name with the channel name to help keep them organized.
The channel is configured on the back end and isn't visible to users.
The stanza name appears in filters on the Security Content page as well as when users view the content. The description appears only in the app configuration, where users can activate and deactivate different content sources.
Make sure the following is also true:
- type is set to app.
- app_context is set to Splunk_Security_Essentials.
- content_download_url is the URL from which SSE fetches your content as a single JSON object, as described in Post the content for download.
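The guidelines above can be checked mechanically before you ship the add-on. The following linter is an added example, not part of SSE or of any Splunk tool: it parses an essentials_updates.conf with Python's configparser and reports, per stanza, which of the stated rules fail (spaces in the stanza or channel name, type not app, app_context not Splunk_Security_Essentials, missing name or description, and the channel/stanza naming advice). One check is stricter than the page's list and is my own choice: content_download_url must be an absolute https URL, because the browser fetches it. Uniqueness of the stanza name across other organizations cannot be verified from one file; configparser only rejects a duplicate stanza within the file being linted. The second stanza in the sample is constructed to fail.

```python
"""Lint essentials_updates.conf stanzas against the documented guidelines.

Added example, not SSE code. Splunk .conf files are INI-like, so
configparser handles the simple key=value stanzas used here.
"""
import configparser
from urllib.parse import urlparse

REQUIRED_APP_CONTEXT = "Splunk_Security_Essentials"


def lint_essentials_updates(conf_text):
    """Return {stanza_name: [findings]}; an empty list means the stanza passes."""
    parser = configparser.ConfigParser(interpolation=None, strict=True,
                                       delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)  # DuplicateSectionError on a repeated stanza
    report = {}
    for stanza in parser.sections():
        findings = []
        s = parser[stanza]
        if " " in stanza:
            findings.append("stanza name contains spaces")
        channel = s.get("channel", "")
        if not channel:
            findings.append("channel is missing")
        elif " " in channel:
            findings.append("channel contains spaces")
        elif channel != stanza:
            findings.append("advisory: channel does not match stanza name")
        if s.get("type") != "app":
            findings.append("type must be app")
        if s.get("app_context") != REQUIRED_APP_CONTEXT:
            findings.append("app_context must be %s" % REQUIRED_APP_CONTEXT)
        parts = urlparse(s.get("content_download_url", ""))
        if parts.scheme != "https" or not parts.netloc:
            # Stricter than the page's guideline: the browser fetches this URL.
            findings.append("content_download_url must be an absolute https URL")
        for key in ("name", "description"):
            if not s.get(key):
                findings.append("%s is missing" % key)
        report[stanza] = findings
    return report


# Constructed sample: the page's Buttercup Labs stanza (shortened description)
# plus a deliberately bad stanza. Lines are flush-left on purpose, since
# configparser treats indented lines as value continuations.
SAMPLE_CONF = """\
[ButtercupLabs]
channel=ButtercupLabs
name=Buttercup Labs
description=Buttercup Labs produces quality security analytics run through the Splunk platform.
type=app
app_context=Splunk_Security_Essentials
content_download_url=https://go.splunksecurityessentials.com/myContentLocation

[Bad Vendor]
channel=Bad Vendor
name=Bad Vendor
type=addon
app_context=search
content_download_url=http://example.invalid/content.json
"""


def demo():
    """Lint the constructed sample; the first stanza passes, the second does not."""
    return lint_essentials_updates(SAMPLE_CONF)
```

Run demo() (or lint_essentials_updates on your own file's text) before packaging; an empty list for your stanza means the documented requirements are met, and a stanza that appears twice raises rather than being silently merged.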
When you test in your own environment, restart Splunk Enterprise after making any changes to the essentials_updates.conf file so that Splunk Enterprise rereads that file.
Create an entry in the metadata/default.meta file within your add-on. By default, Splunk Enterprise keeps an app's configuration files private to that app; setting export = system in default.meta makes the essentials_updates.conf stanzas visible to every app, including SSE.
Add this content to the bottom of the configuration in the metadata/default.meta file:
[essentials_updates]
export = system
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1