Splunk Search

Splunk captures a wide variety of security data, including system logs, network traffic, security events, application logs, cloud logs, vulnerability scanner data, and threat intelligence feeds. Once configured, Salem can retrieve this data using user-created queries; further customization of the integration is managed in the Splunk ActionDefinition.

Description: In the default case, Salem retrieves data from a Splunk endpoint by authenticating with a secret stored in a key vault and returning the results of a user-defined query. The user can then process the output with an eval string to build Salem ActionConfs.

The ActionDefinition name must be the name referenced by a corresponding ActionConf, or the request will fail.

A value of 1 or 0 indicating whether the action is currently in operation. By default the ActionConf is disabled (value of 1) and must be enabled by a Salem admin.

The target Splunk endpoint to integrate with Salem.

By default, the Splunk ActionDefinition expects a key vault resource that contains a client secret. This secret is passed as part of the poll_request. To match this configuration, create a secret value in a key vault resource that Salem can access.

In the default case, the Splunk ActionDefinition expects only one parameter, output_mode, which in most cases takes the value json.

The default Splunk ActionDefinition includes 3 fields for the user to define as part of the request generation:

  • search - Splunk search string. Splunk's REST API requires it to begin with the keyword 'search', or with a '|' when the query starts with a generating command such as '| inputlookup'

  • earliest_time - how far back Splunk should search for matching events, typically a relative time modifier such as '-24h'

  • latest_time - latest search time, typically set to 'now'

The polling_params dictate how the request is made to Splunk and how the response is handled.
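The following is an added example, not Salem's own code, showing how the request fields above (search, earliest_time, latest_time and the output_mode parameter) combine into a Splunk REST search against /services/search/jobs/export, and how the newline-delimited JSON that output_mode=json returns is parsed into events. It assumes the key vault secret is a Splunk authentication token sent as a Bearer header and that the endpoint is Splunk's management port; the sample response is constructed, not captured from a real instance.

```python
"""Build a Splunk export search request and parse its JSON response.

Added example, not Salem's own code. Assumptions: the vault secret is a
Splunk bearer token, the endpoint is the management port (https://host:8089),
and SAMPLE_RESPONSE is a constructed stand-in for Splunk's reply.
"""
import json
from urllib.parse import urlencode

EXPORT_PATH = "/services/search/jobs/export"


def normalize_search(search: str) -> str:
    """Return a search string Splunk's REST API will accept.

    The REST API rejects a bare query: it must start with the 'search'
    keyword unless it begins with a generating command introduced by '|'
    (for example '| inputlookup bad_ips.csv').
    """
    s = search.strip()
    if not s:
        raise ValueError("empty search string")
    if s.startswith("|"):
        return s
    first_word = s.split(None, 1)[0].lower()
    if first_word == "search":
        return s
    return "search " + s


def build_request(endpoint: str, token: str, search: str,
                  earliest_time: str = "-24h", latest_time: str = "now",
                  output_mode: str = "json") -> dict:
    """Assemble the URL, headers and form body for an export search.

    The token is passed as an Authorization: Bearer header (assumption);
    the three request fields and output_mode go in the form body.
    """
    body = {
        "search": normalize_search(search),
        "earliest_time": earliest_time,
        "latest_time": latest_time,
        "output_mode": output_mode,
    }
    return {
        "method": "POST",
        "url": endpoint.rstrip("/") + EXPORT_PATH,
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def parse_export_response(text: str) -> list[dict]:
    """Parse the newline-delimited JSON returned for output_mode=json.

    Each line is an object with 'preview', 'offset', 'result' and 'lastrow'.
    Preview rows are partial results emitted while the search is still
    running; they are skipped so a downstream eval string only sees final
    events.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview"):
            continue
        result = obj.get("result")
        if result is not None:
            events.append(result)
    return events


# Constructed sample response (not captured from a real Splunk instance):
# one preview row, then two final rows, the last flagged with lastrow.
SAMPLE_RESPONSE = "\n".join([
    json.dumps({"preview": True, "offset": 0,
                "result": {"src": "10.0.0.5", "count": "1"}}),
    json.dumps({"preview": False, "offset": 0,
                "result": {"src": "10.0.0.5", "count": "3"}}),
    json.dumps({"preview": False, "offset": 1,
                "result": {"src": "10.0.0.9", "count": "2"}, "lastrow": True}),
])


if __name__ == "__main__":
    req = build_request("https://splunk.example:8089", "REDACTED",
                        "index=auth action=failure | stats count by src",
                        earliest_time="-1h")
    print(req["url"])
    print(req["body"])
    for event in parse_export_response(SAMPLE_RESPONSE):
        print(event)
```

normalize_search is the check worth keeping regardless of how the request is sent: a query that omits the leading 'search' keyword is the most common reason a Splunk REST search fails, and catching it before the poll_request is issued gives a clearer error than Splunk's response does.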
