This design document provides an overview of the DeCYFIR Add-on & App for Splunk.
DeCYFIR is a cloud-based threat discovery and cyber-intelligence platform. It defends organizations by uncovering their attack surface, building digital risk profiles, and using personalized insights to predict imminent attacks and decode cyber threats before an attack lands.
The Splunk add-on collects DeCYFIR alert event data through the events API and sends it to Splunk as events. It also ingests DeCYFIR IOC data as lookup data in Splunk Enterprise.
The Splunk app provides saved searches over the Alerts and IOC data; its dashboards are built on those searches.
Installation of Splunk Enterprise
To install Splunk Enterprise, follow the Splunk Installation Manual.
Installation of both the App and the Add-on
Log in to Splunk Enterprise.
Click Apps > Search for Apps and enter the app name.
Search for "CYFIRMA DeCYFIR Add-on for SPLUNK".
Search for "CYFIRMA DeCYFIR App for SPLUNK".
Check the prerequisites and details of each package.
Click Install.
Account
Splunk Add-on > Configuration
After installing the DeCYFIR Add-on, set up the account as follows:
In the left panel of Splunk Enterprise, click TA-CIP.
Click the Configuration tab.
In the Accounts sub-tab, click Add.
Give the configuration a unique name and enter the URL of the DeCYFIR product and the API key generated in the product. The API key is a credential: issue one dedicated to this integration and rotate it if the Splunk host is compromised.
Click Add.
Proxy
Splunk Add-on > Configuration
To route API data collection through a proxy, follow these steps:
Go to the add-on by clicking DeCYFIR in the left bar.
Click the Configuration tab.
Click the Proxy tab under the Configuration tab.
Fill in the fields described below.
Click Save.
Parameter | Required | Description
Enable | No | Enables or disables the proxy.
Proxy Type | No | Type of proxy. The only available option is https.
Host | Yes | Server address of the proxy host.
Port | Yes | Port of the proxy server.
User Name | No | Username for the proxy server.
Password | No | Password for the above username.
DNS Resolution | No | Turn DNS resolution on or off.
Logging
Splunk Add-on > Configuration
To set the log level for API data collection, follow these steps:
Go to the add-on by clicking DeCYFIR Add-on in the left bar.
Click the Configuration tab.
Click the Logging tab under the Configuration tab.
Select the log level. Available levels are Debug, Info, Warning, Error and Critical. Debug is verbose and may record request details, so use it only while troubleshooting.
Click Save.
Parameter | Required | Description
Log Level | No | Log level for the add-on's logging. Defaults to INFO.
Additional Parameters
Splunk Add-on > Configuration
To tune the API calls and the retry mechanism, follow these steps:
Go to the add-on by clicking DeCYFIR Add-on in the left bar.
Click the Configuration tab.
Click the Add-on Settings tab under the Configuration tab.
Set Number of Retries, Sleep Time and Page Size as described below.
Click Save.
Parameter | Required | Description
Number of Retries | Yes | Number of attempts made for a failing API call. Defaults to 3.
Sleep Time | Yes | Wait time in seconds between consecutive retries. Defaults to 100.
Page Size | Yes | Number of records fetched in a single REST API call. Defaults to 100.
DeCYFIR Alerts
Inputs
To create the input that collects alert data from the API, follow these steps:
Go to the add-on by clicking DeCYFIR Add-On for Splunk in the left bar.
Click the Inputs tab.
Click Create New Input and select DeCYFIR Alerts.
Fill in the fields described below.
Click Save.
Parameter | Required | Description
Name | Yes | Unique name for the DeCYFIR Alerts data input.
Interval | Yes | Collection interval of the input in seconds. Minimum is 0.
Index | Yes | Name of the Splunk index the data is written to. In a distributed environment this index must exist on the indexers.
Global Account | Yes | DeCYFIR account to use, chosen from the dropdown, which lists all accounts configured under Configuration > Accounts.
DeCYFIR IOCs
Inputs
To create the input that collects IOC data from the API, follow these steps:
Go to the add-on by clicking DeCYFIR Add-On for Splunk in the left bar.
Click the Inputs tab.
Click Create New Input and select DeCYFIR IOC.
Fill in the fields described below.
Click Save.
Parameter | Required | Description
Name | Yes | Unique name for the DeCYFIR IOC data input.
Interval | Yes | Collection interval of the input in seconds. Minimum is 0.
Lookup Name | Yes | Name of the lookup file in which the IOC data is stored in Splunk.
Global Account | Yes | DeCYFIR account to use, chosen from the dropdown, which lists all accounts configured under Configuration > Accounts.
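The collection mechanism described under Additional Parameters (Number of Retries, Sleep Time, Page Size) and the two inputs above (Alerts delivered as events, IOCs delivered as a lookup file) can be exercised offline with the following Python. It is an added example and not the add-on's or DeCYFIR's own code: the DeCYFIR API is replaced by an in-memory stand-in with a hypothetical fetch(offset, limit) shape, the sample alert and IOC records are constructed, the field names (indicator, indicator_type, first_seen, category) and the index/sourcetype values are assumptions, and Number of Retries is read as the number of retries after the first failed attempt.

```python
"""Simulation of the add-on's paged collection with retries, and of the two
input types (Alerts -> events, IOCs -> lookup). Added example; the API shape,
field names and TransientError are assumptions, not the add-on's own code."""
import csv
import io
import json
import time


class TransientError(Exception):
    """Stand-in for a recoverable failure (timeout, HTTP 5xx) on an API call."""


class FakeDecyfirApi:
    """In-memory stand-in for the DeCYFIR events/IOC API (hypothetical shape).

    `records` is the constructed data set; the first `fail_first` calls raise
    TransientError so the retry path can be exercised deterministically.
    """

    def __init__(self, records, fail_first=0):
        self._records = records
        self._fail_first = fail_first
        self.calls = 0

    def fetch(self, offset, limit):
        self.calls += 1
        if self.calls <= self._fail_first:
            raise TransientError("simulated HTTP 503")
        return self._records[offset:offset + limit]


def fetch_with_retry(api, offset, page_size, retries=3, sleep_time=100,
                     sleeper=time.sleep):
    """Fetch one page; on a transient error retry up to `retries` more times,
    waiting `sleep_time` seconds between attempts (add-on defaults: 3 / 100).
    `sleeper` is injectable so tests do not actually sleep."""
    attempt = 0
    while True:
        try:
            return api.fetch(offset, page_size)
        except TransientError:
            attempt += 1
            if attempt > retries:
                raise  # retry budget exhausted: surface the error to the caller
            sleeper(sleep_time)


def collect_all(api, page_size=100, **retry_opts):
    """Walk the API `page_size` records at a time until a short page marks the end."""
    offset, out = 0, []
    while True:
        page = fetch_with_retry(api, offset, page_size, **retry_opts)
        out.extend(page)
        if len(page) < page_size:
            return out
        offset += page_size


def alerts_to_events(alerts, index="decyfir", sourcetype="decyfir:alert"):
    """Alerts input: one JSON event per alert, tagged with the target index
    (index and sourcetype values are assumed, not the add-on's)."""
    return [{"index": index, "sourcetype": sourcetype,
             "event": json.dumps(alert, sort_keys=True)} for alert in alerts]


def iocs_to_lookup(iocs, fields=("indicator", "indicator_type", "first_seen")):
    """IOC input: render the IOC set as a CSV lookup. A lookup file is replaced
    on every run, so duplicates are collapsed on the indicator value here
    rather than accumulating across runs."""
    unique = {}
    for ioc in iocs:
        unique.setdefault(ioc["indicator"], ioc)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore")
    writer.writeheader()
    for row in unique.values():
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data: 250 IOCs so that page_size=100 needs three calls.
    sample_iocs = [{"indicator": "10.0.0.%d" % i, "indicator_type": "ip",
                    "first_seen": "2024-01-01"} for i in range(250)]
    api = FakeDecyfirApi(sample_iocs, fail_first=2)
    waits = []
    iocs = collect_all(api, page_size=100, retries=3, sleep_time=100,
                       sleeper=waits.append)
    print("%d IOCs in %d calls, slept %s" % (len(iocs), api.calls, waits))
    print(iocs_to_lookup(iocs).splitlines()[:3])
```

With the defaults, a call that keeps failing costs 3 retries times 100 seconds, so a single bad page can hold an input for five minutes; set Interval with that worst case in mind, and keep Page Size large enough that a normal run needs only a handful of calls.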
Splunk App
Once the app is installed it needs to be set up. To complete the setup:
Go to DeCYFIR App for Splunk.
Click "Continue to app setup page".
Enter the URL of the DeCYFIR instance. Example: decyfir.cyfirma.com.
Enter the API key for that URL.
Click Save.
DeCYFIR Alert Details
Splunk App > Dashboard
Shows details of the DeCYFIR alerts:
Count of alerts in each category.
Trend of counts for all categories.
Details of all categories.
Clicking a single-value panel highlights it, and the panel below shows the trend for the selected category.
To see the details of an alert, click the arrow in the first column of the table.
DeCYFIR IOCs
Splunk App > Dashboard
Shows details of the DeCYFIR IOCs:
Count of IOCs for each indicator type.
Trend of counts for the selected indicator types.
Detailed table of IOCs.
Clicking a single-value panel highlights it, and the panel below shows the trend for the selected indicator type.
Clicking any row of the IOC data table opens a pop-up window with additional details for the selected value.
Splunk Alerts
Splunk App > Dashboard
Shows details of the alerts configured in Splunk:
Total number of alerts fired by the alerts configured in Splunk.
Trend for the selected alerts.
Table of Splunk alert details.
Clicking View Details in the table shows the events that triggered the alert.