Configure Splunk
Getting AWS Access key
To move data between Splunk and S3, the Splunk apps configured below need an AWS access key and its secret access key. Follow the steps below to create one. If you already have an access key and the corresponding secret access key, skip to Getting data from Splunk to S3.
Create the key for a dedicated IAM user that has only the S3 permissions these apps need (write access to the prefix the uploader writes to, read access to the prefix the add-on reads from), not for an administrator or the account root user: the key is stored on the Splunk instance, and anyone who obtains it gets exactly the permissions of that user.
- Navigate to the AWS console and search for IAM. On the left-hand panel, under Access Management, select Users.
- Click on the user for whom you want to create an access key. Select the Security credentials tab and find the Access keys section. Click on the Create access key button at the top right of the section.
- On the Access key best practices & alternatives page, select Other and click on Next.
- Set an optional description tag for the access key and click on Create access key.
- Make a note of the Access key and Secret access key for use in later steps. You may also download a .csv file by clicking on Download .csv file. The secret access key is shown only at creation time; if it is lost, delete the key and create a new one.
Getting data from Splunk to S3
To send Splunk search results to AWS S3, follow the steps below:
- Log in to the Splunk instance. Click on the Apps drop-down in the top panel and select Find More Apps.
- Search for Amazon S3 Uploader and find the Amazon S3 Uploader for Splunk app in the list. Click on Install, and enter your credentials to install the app.
Note: More details for the Amazon S3 Uploader for Splunk app can be found here.
- After installing the app, return to the home page and click on Apps again. You should now see Amazon S3 Uploader for Splunk in the list. Click on the app to open its configuration page.
- On the configuration page, click on the Account tab, then click on Add to add an AWS account using the access key and secret access key from the previous section.
- In the Logging tab, the Log level is set to INFO by default; modify it as required.
- Now move to the Search tab and write a search query. Verify that it returns the desired events, then click on the Save As button above the search bar and select Alert.
- Next, add a Title and Description for the alert, and set up the alert schedule and trigger conditions as required. Under the Trigger Actions section, click on the Add Actions button and select Upload to Amazon S3.
- Add the Bucket name of the bucket created by the CloudFormation template, so the results are saved there. For Object key, enter splunk_input/input/%d-%b-%Y %H:%M:%S.json. Select the Account you created on the configuration page from the drop-down. Finally, click Save.
Note: The user-provided object key is passed to Python's datetime.strftime() function with the time the search started, so each alert run produces a distinct object name; a key without any format codes would overwrite the same object on every run. The format codes are very similar to Splunk's; please refer to the official Python documentation.
To debug logs from the app, search with the query index=_internal source="/opt/splunk/var/log/splunk/amazon_s3_upload_modalert.log". The default logging level is INFO, but it can be increased or decreased from the configuration dashboard.
Getting data from S3 to Splunk
To get the results of the Cypienta product from S3 into Splunk, follow the steps below:
- Log in to the Splunk instance. Click on the Apps drop-down in the top panel and select Find More Apps.
- Search for S3 and find the Splunk Add-on for Amazon Web Services (AWS) app in the list. Click on Install, and enter your credentials to install the app.
Note: More details for the Splunk Add-on for Amazon Web Services (AWS) app can be found here.
- After installing the app, return to the home page and click on Apps again. You should now see Splunk Add-on for AWS in the list. Click on the app, then click on the Configuration tab to open the app's configuration page.
- On the configuration page, click on the Account tab, then click on Add to add an AWS account.
- In the Logging tab, the Log level is set to INFO by default; modify it as required.
- Now move to the Inputs tab. Click on the Create New Input button, select S3 Access Logs, then select Incremental S3.
- On the Add Incremental S3 page, give the input a name. Select the AWS Account created in the previous step. Select the S3 Bucket created by the CloudFormation template, and provide a Log File Prefix of splunk/. Under Splunk-related Configuration, configure the Log Start Date and Index of your choice and click on Add.
- Now click on the Search tab and write a query against that index to verify that the results are being ingested.
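The object-key note in the previous section and the two bucket prefixes (the uploader writes under splunk_input/input/, the Incremental S3 input reads under splunk/) together determine what the access key from the first section actually needs. The following Python is an added example, not code from this page, from Cypienta, or from either Splunk app: it renders the object key the way the note describes (datetime.strftime() over the search start time), recovers the search start time from an object name so S3 objects can be matched to alert runs, and derives a least-privilege IAM policy pinned to those two prefixes. The bucket name, the sample timestamp and the exact action list are assumptions; check the action list against the Splunk Add-on for AWS permission documentation before attaching the policy.

```python
"""Added example, not from the page, Cypienta, or either Splunk app.

Shows (1) how the Upload to Amazon S3 object key is rendered when the app passes it
through datetime.strftime() with the search start time, (2) how to recover that time
from an object name when correlating S3 objects with alert runs, and (3) a
least-privilege IAM policy for the access key, scoped to the write prefix taken from
the object key and the read prefix used by the Splunk Add-on for AWS input.
"""
import json
from datetime import datetime

# Object key exactly as entered on the alert action page (from the page).
UPLOAD_KEY_TEMPLATE = "splunk_input/input/%d-%b-%Y %H:%M:%S.json"
# Prefix the Incremental S3 input reads from (page: Log File Prefix of splunk/).
RESULTS_PREFIX = "splunk/"
# Assumptions for illustration: bucket name and a constructed search start time.
BUCKET = "example-cypienta-bucket"
SAMPLE_SEARCH_START = datetime(2024, 3, 5, 14, 7, 9)


def render_object_key(template: str, search_start: datetime) -> str:
    """Mimic the app: the key is the template formatted with the search start time.
    %b is locale dependent; Python renders it with the C locale ("Mar") unless the
    process has called locale.setlocale()."""
    return search_start.strftime(template)


def parse_object_key(key: str, template: str) -> datetime:
    """Inverse of render_object_key for keys written with the same template."""
    return datetime.strptime(key, template)


def static_prefix(template: str) -> str:
    """Literal part of the key before the first strftime directive. This is the
    narrowest prefix the IAM policy can pin the uploader's PutObject to."""
    return template.split("%", 1)[0]


def least_privilege_policy(bucket: str, write_prefix: str, read_prefix: str) -> dict:
    """IAM policy for the integration user (assumed action set; verify against the
    add-on's documented permissions): write only under write_prefix, read only under
    read_prefix, list only those two prefixes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SplunkAlertUpload",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": [f"{bucket_arn}/{write_prefix}*"],
            },
            {
                "Sid": "SplunkAddonRead",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"{bucket_arn}/{read_prefix}*"],
            },
            {
                "Sid": "ListOnlyIntegrationPrefixes",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [bucket_arn],
                "Condition": {
                    "StringLike": {"s3:prefix": [f"{write_prefix}*", f"{read_prefix}*"]}
                },
            },
            {
                # Kept separate: the s3:prefix condition key is absent on this call
                # and a StringLike on a missing key would deny it.
                "Sid": "BucketLocation",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation"],
                "Resource": [bucket_arn],
            },
        ],
    }


def grants_wildcard(policy: dict) -> bool:
    """Sanity check before attaching: flag any Allow statement with a bare '*' or
    's3:*' action, or a '*' resource."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "s3:*") for a in actions) or "*" in resources:
            return True
    return False


if __name__ == "__main__":
    key = render_object_key(UPLOAD_KEY_TEMPLATE, SAMPLE_SEARCH_START)
    print("object key:", key)
    print("search started:", parse_object_key(key, UPLOAD_KEY_TEMPLATE))
    policy = least_privilege_policy(BUCKET, static_prefix(UPLOAD_KEY_TEMPLATE), RESULTS_PREFIX)
    assert not grants_wildcard(policy)
    print(json.dumps(policy, indent=2))
```

Attach the printed policy to the dedicated IAM user before creating its access key. The s3:prefix condition keeps the key from listing anything else in the bucket, and GetBucketLocation sits in its own statement because the s3:prefix condition key is not present on that request and the condition would silently deny it.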
Configure integration with JIRA
Integrate JIRA with Splunk SOAR so that a Splunk SOAR event is created for each JIRA issue.
- Install the JIRA add-on app for Splunk SOAR. Go to the Apps page in Splunk SOAR, click on the New Apps button and search for jira. A result named JIRA will appear for the add-on app. Click on the Install button to install it.
- To configure the app, click on Configure New Asset. Initially the app is listed under Unconfigured apps.
- In the Asset name field, enter a name of your choice.
- Move to the Asset Settings tab. Enter the JIRA URL, username, API token and the project key from which you want to poll and sync issues into Splunk SOAR events. The API token inherits every permission of the JIRA account it belongs to, so use an account that has only the read access it needs on that project. Set Maximum tickets (issue) to poll first time to a number greater than the total number of issues present in JIRA at the time of configuring the add-on. Set Maximum ticket (issues) for scheduling polling to the number of latest issues that you want to poll each time.
- Move to the Ingest Settings tab. For the Label to apply to objects from this source field, select events, and set Select a polling interval or schedule to configure polling on this asset to Interval. Select a Polling interval (minutes) of your choice.
- Click on the Save button to save the configuration for the add-on. Once the configured interval has elapsed, Splunk SOAR starts polling JIRA issues into Splunk SOAR events.
- Use the Poll Now button to poll the JIRA issues immediately. Set Maximum containers to the same value as Maximum tickets (issue) to poll first time, set Maximum artifacts to a desired value, and click on the Poll Now button.