Products
PRODUCTS
- DeCYFIRExternal Threat Landscape Management
- DeTCTDigital Risk Discovery
- DeFNCECyber Defence Mobile App
Solutions
Role
- Security OperationsSwift tactical remediation to secure your assets
- CISOBuild a robust cybersecurity strategy
- CROManage risk with external threat intelligence
- CMOBuild Brand and Reputation
purpose
Case Studies
Partners
Partner
Resources
RESOURCES
- Early WarningsAdvanced cybersecurity alerts and advisories
- Out-of-BandNotifications on Cyber Threats and Risks
- Datasheets and WhitepapersRead CYFIRMA's Thought Leadership Research
- Videos and WebinarsStay up to date with the latest topics in cyber
Company
About Us
Follow Us
- NewsroomStay updated with our latest news
- CareerJoin our growing team
Contact Us
- Start Now
- Get a Free Demo
Ask for Demo

External Threat Landscape Management

CYFIRMA App for Splunk

Download

Introduction
Installation for APP & Add-on
Splunk Add-on
- Configuration
- Inputs
  - DeCYFIR Alerts
  - DeCYFIR IOC
Splunk App
- Dashboard

Introduction

This design document serves to provide an overview of the DeCYFIR Add-on & App for Splunk.

DeCYFIR is a cloud-based threat discovery and cyber-intelligence platform, designed to defend organizations by uncovering attack surfaces, building digital risk profiles & using personalized insights to predict imminent attacks and decode cyber threats before a cyberattack hits.

The Splunk add-on will help in collecting DeCYFIR alert events data using the events API and sending it to Splunk events. It will also ingest DeCYFIR IOC data as lookup data in Splunk Enterprise.

The Splunk app will have searches based on Alerts & IOC data. Dashboards are created based on Splunk searches.

Installation of Splunk Enterprise

To install the Splunk enterprise, follow this manual Splunk Installation Manual.

Installation for both APP & Add-on

Login to Splunk Enterprise.
Click on Apps > Search for App.
- Search for “CYFIRMA DeCYFIR Add-on for SPLUNK.
- Search for “CYFIRMA DeCYFIR app for SPLUNK.
Search for Apps & enter the app name to search for.
Check the prerequisites and details.
Click on Install.

Account

Splunk Add-on > Configuration

After installation of DeCYFIR Add-on, set up the account by following the steps below:

On the left panel of Splunk Enterprise click on the TA-CIP.
Click on the Configuration tab.
In the Accounts Sub tab click on Add.
Give a unique name to the configuration and add the URL of the product & API key generated from the Product.
Click on Add.

Proxy

Splunk Add-on > Configuration

To set up the proxy for API data collection, follow the steps here:

Go to Add-on by clicking on DeCYFIR from the left bar.
Click on the Configuration tab.
Click on the Proxy tab under the configuration tab.
Fill in all the necessary details.
Click on Save.

Parameters	Required	Description
Enable	No	Enablement of proxy
Proxy Type	No	Type of the Proxy. Available options are https
Host	Yes	Server Address of Proxy Host
Port	Yes	Port to the proxy server
User Name	No	Username for the Proxy Server
Password	No	Password for the above Username
DNS Resolution	No	Keep DNS Resolution on or off

Logging

Splunk Add-on > Configuration

To log API data collection, follow the steps here:

Go to Add-on by clicking on DeCYFIR Add-on from the left bar.
Click on the Configuration tab.
Click on the Logging tab under the configuration tab.
Select the log level. Available log levels are Debug, Info, Warning, Error and Critical.
Click on Save.

Parameters	Required	Description
Log Level	No	Log level for the logging, default to INFO

Additional Parameters

Splunk Add-on > Configuration

To set up additional parameters for API calls and retry mechanism, follow the steps here:

Go to Add-on by clicking on DeCYFIR Add-on from the left bar.
Click on the Configuration tab.
Click on the Add-on Settings tab under the configuration tab.
Number of Retries.
Sleep Time.
Page Size.
Click on Save.

Parameters	Required	Description
Number of Retries	Yes	Number of attempts to be made, default to 3
Sleep Time	Yes	Wait time in seconds between consecutive retries, default to 100
Page Size	Yes	Data to fetch in a single rest API call. [Text Wrapping Break]Default to 100

DeCYFIR Alerts

Inputs

To create input and API data collection, the steps are as follow:

Go to Add-on by clicking on DeCYFIR Add-On for Splunk from the left bar.
Click on the Inputs tab.
Click on Create New Input -> Select DeCYFIR Alerts.
Fill in all the necessary details.
Click on Save.

Parameters	Required	Description
Name	Yes	The unique name for DeCYFIR Alerts data input
Interval	Yes	Interval time of input in seconds. Minimum is 0
Index	Yes	Name of the index in which data will be indexed in Splunk. This index should be present on the Indexer in case of a distributed environment
Global Account	Yes	Select DeCYFIR Account from the dropdown. It will show all the accounts configured in Configurations-> Accounts tab

DeCYFIR IOCs

Inputs

To create input and collection of API data, follow the below-mentioned steps:

Go to Add-on by clicking on DeCYFIR Add-On for Splunk from the left bar.
Click on the Inputs tab.
Click on Create New Input -> Select DeCYFIR IOC.
Fill in all the necessary details.
Click on Save.

Parameters	Required	Description
Name	Yes	The unique name for DeCYFIR Alerts data input
Interval	Yes	Interval time of input in seconds. Minimum is 0
Lookup Name	Yes	Name of the lookup file in which data will be stored in Splunk
Global Account	Yes	Select DeCYFIR Account from the dropdown. It will show all the accounts configured in Configurations-> Accounts tab

Splunk App

Once the app is installed, it would need to be setup. To complete the setup, please follow the steps here:

Go to DeCYFIR App for Splunk.
Click on “Continue to app setup page”.
Enter the URL for CYFIRMA. Example: decyfir.cyfirma.com.
Enter the API Key for the above URL.
Click Save.

DeCYFIR Alert Details

Splunk App > Dashboard

Show details of the DeCYFIR Alerts.

Shows the count of alerts of all the categories.
Trend of counts of all categories.
Details of all categories.

Splunk App > Dashboard

Clicking on any single value will highlight that panel and below will show the trend for the selected category.

Splunk App > Dashboard

Select the alert details you want to see by clicking on the arrow in the first column.

DeCYFIR IOCs

Splunk App > Dashboard

Show the details of DeCYFIR IOCs.

Shows the count of IOC of all the Indicator Types.
Trend of counts of selected indicator types.
The detailed table of IOC.
Clicking on any IOC Data table row will open a pop-up window with additional information.

Splunk App > Dashboard

Clicking on any single value will highlight that panel and below will show the trend for the selected indicator type.

Splunk App > Dashboard

By clicking on any row in the table, a pop-up window will display additional details related to the selected value.

Splunk Alerts

Splunk App > Dashboard

Shows the details of the alerts configured in Splunk.

Total number of alerts created by the Alerts Configured in Splunk.
Trend by the selected alerts.
Table of Splunk alert details.

Clicking on view details in the table will shows that events because of which the alert is triggered.