Configure Splunk
Getting AWS Access key
To get data from and to S3, the Apps for Splunk would require Access keys from AWS. Follow the steps below to get Access key. If you already have Access key and corresponding Secret key, you can skip to Getting data from Splunk to S3
Navigate to AWS console and search for
IAM.On the left hand side panel, under
Access Management, selectUsers
Click on the user for whom you want to create Access key. Select the tab
Security credentialsand findAccess keyssection. Click onCreate access keybutton on top right of the section.
On the
Access key best practices & alternativespage, selectOtherand click onNext.
Set an optional description tag for the access key and click on
Create access key.Make note of the
Access keyandSecret access keyto use in later steps. You may also download .csv file by clicking onDownload .csv file.
Getting data from Splunk to S3
To get search results of Splunk to AWS S3. Follow the steps below:
Login to the splunk instance. Click on the
Appsdrop down from the top panel. SelectFind More Apps
Search for
Amazon S3 Uploader, and find theAmazon S3 Uploader for Splunkapp from the list. Click onInstall, and enter your credentials to install the app.Note
More details for the Amazon S3 Uploader for Splunk app can be found here
After installing the app, move to the home page, and click on
Appsagain. You should now seeAmazon S3 Uploader for Splunkin the list. Click on the app and a configuration page will appear.
On the configuration page. Click on the
Accounttab, and click onAddto add an AWS account.In the
Loggingtab, theLog levelis set toINFOby default, modify it as required.
Now move to the search tab, and write a query
Verify that you have received the desired events. And then click on the
Save Asbutton on top of the search bar, and selectAlert.
Next, add the
TitleandDescriptionfor the alert, setup alert schedule and trigger conditions as required. And under the Trigger Actions section, click onAdd Actionsbutton. SelectUpload to Amazon S3option.
Add the
Bucket namewhich was created using the CloudFormation template to save the results. ForObject key, entersplunk_input/input/%d-%b-%Y %H:%M:%S.json. SelectAccountthat you created on the configuration page from the dropdown. Finally clickSave.Note
The user-provided object key is passed to Python’s
datetime.strftime()function, which encodes the time the search started. Format codes are extremely similar to Splunk’s, please refer to the official documentation.To debug logs from the app, search with the query
index=_internal source="/opt/splunk/var/log/splunk/amazon_s3_upload_modalert.log". The default logging level isINFO, but it can be increased or decreased from the configuration dashboard.
Getting data from S3 to Splunk
To get results of cypienta product from S3 to Splunk. Follow the steps below:
Login to the splunk instance. Click on the
Appsdrop down from the top panel. SelectFind More Apps
Search for
S3, and find theSplunk Add-on for Amazon Web Services (AWS)app from the list. Click onInstall, and enter your credentials to install the app.Note
More details for the Splunk Add-on for Amazon Web Services (AWS) app can be found here
After installing the app, move to the home page, and click on
Appsagain. You should now seeSplunk Add-on for AWSin the list. Click on the app and click on theConfigurationtab to get configuration page for the app.
On the configuration page. Click on the
Accounttab, and click onAddto add an AWS account.In the
Loggingtab, theLog levelis set toINFOby default, modify it as required.
Now move to the
Inputstab. Click onCreate New Inputbutton, selectS3 Access Logs, then selectIncremental S3.
On the
Add Incremental S3page, give a name to the configuration. Select theAWS Accountthat was created in the previous step. Select theS3 Bucketwhich was created using the CloudFormation template, and provide theLog File Prefixofsplunk/. UnderSplunk-related Configurationconfigure theLog Start DateandIndexof your choice and click onAdd.
Now click on the search tab, and write a query
Configure integration with JIRA
Integrate the JIRA management to Splunk SOAR to create event for each JIRA issue created.
Install JIRA add-on app for Splunk SOAR. Go to the
Appspage on splunk SOAR.
Click on the
New Appsbutton and then search forjira. There will be a result forJIRA, appearing for the add-on app. Click onInstallbutton to install the add-on app.To configure the app, click on
Configure New Asset
Initially the app will be listed under
Unconfigured apps.In
Asset namefield, add a name of your choice.
- Move to
Asset Settingstab. Give a JIRA URL, username, API token and project key from which you want to poll and sync Splunk SOAR events from. Select the
Maximum tickets (issue) to poll first timeas a number greater than the total number of JIRA issues present in the JIRA management at the time of configuring the add-on. Select theMaximum ticket (issues) for scheduling pollingas a number of latest issues that you want to poll each time.
- Move to
Move to
Ingest Settingstab. For theLabel to apply to objects from this sourcefield, selecteventsand set theSelect a polling interval or schedule to configure polling on this assettoInterval. Select polling intervalPolling interval (minutes)of your choice.
Click on
Savebutton to save the config for the add-on. Wait for the interval minutes set to allow Splunk SOAR to start polling JIRA issues to Splunk SOAR events.Use the
poll nowbutton to poll the JIRA issues right now. Set theMaximum containersas the same value as set forMaximum tickets (issue) to poll first time. Setmaximum artifactsto a desired value, and click onPoll Nowbutton.