Splunk Search

Splunk captures a wide variety of security data, including system logs, network traffic, security events, application logs, cloud logs, vulnerability scanner data, and threat intelligence feeds. Once the integration is configured, Salem can retrieve this data with user-created queries; further customization of the integration is managed in the Splunk ActionDefinition.

Splunk - Webhook Action

Description: In the default case, Salem retrieves data from a Splunk endpoint by authenticating with a secret stored in a digital key vault and returning the results of a user-defined query. The user can then process the output with an eval string to build Salem ActionConfs.

1. Id

The ActionDefinition name must be the name referenced by a corresponding ActionConf, or the request will fail.

2. Disabled

A 1 or 0 value indicating whether the action is currently in operation. Note the inverted meaning: a value of "1" means disabled. By default the action is disabled (value of "1") and must be enabled by a Salem admin.

3. Splunk URL

The target Splunk endpoint to integrate with Salem.

4. Credentials/Authentication

By default, the Splunk ActionDefinition expects a key vault resource that contains a client secret. The secret is read from the vault and passed as part of the poll_request, so it is never stored in the ActionDefinition itself. To match this configuration, create a secret value in a key vault resource that Salem can access.

5. Static Keys

In the default case, the Splunk ActionDefinition expects only one static parameter, output_mode, which will most likely take the value json so that the response can be parsed by the eval string.

6. Input Keys - User input

The default Splunk ActionDefinition includes 3 fields for the user to define as part of the request generation:

  • search - Splunk search string; it must begin with the keyword 'search', or with '|' when using a generating command such as '|inputlookup'

  • earliest_time - how far Splunk should look back for matching events

  • latest_time - latest search time, typically set to 'now'

7. polling_params - HTTP requests

The polling_params dictate how the request will be made to Splunk and how the response will be handled.
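The following is an added example, not Salem's own code, showing how the fields above fit together: a static key (output_mode=json), three user-supplied input keys (search, earliest_time, latest_time), a secret fetched from a key vault at request time, and a JSON response parsed into rows. The Splunk URL, the key-vault lookup, the Splunk REST path /services/search/jobs with exec_mode=oneshot, bearer-token authentication, and the sample response are all assumptions made for illustration.

```python
"""Build and parse a Splunk search request the way the ActionDefinition
fields above describe. Example code only; the Salem internals are not shown."""
import json
import urllib.parse
import urllib.request

# Assumed management-port URL; the real value comes from the "Splunk URL" field.
SPLUNK_URL = "https://splunk.example.internal:8089"
SEARCH_PATH = "/services/search/jobs"  # Splunk REST search-job endpoint

# Static key from the page: fixed by the ActionDefinition, not supplied by the user.
STATIC_KEYS = {"output_mode": "json"}


def validate_search(search):
    """Enforce the input-key rule: the search string starts with the keyword
    'search' or with '|' for a generating command such as '|inputlookup'."""
    s = search.strip()
    parts = s.split(None, 1)
    if s.startswith("|") or (parts and parts[0].lower() == "search"):
        return s
    raise ValueError("search must begin with 'search' or '|'")


def get_secret(vault, name="splunk-token"):
    """Stand-in for the key-vault lookup; the vault dict is a constructed
    placeholder. The secret is fetched per request, never stored in config."""
    return vault[name]


def build_poll_request(vault, search, earliest_time="-24h", latest_time="now"):
    """Return (url, headers, urlencoded body) for the Splunk search request.
    Static keys are merged with the three user input keys."""
    body = dict(STATIC_KEYS)
    body.update({
        "search": validate_search(search),
        "earliest_time": earliest_time,
        "latest_time": latest_time,
        "exec_mode": "oneshot",  # assumed: results returned in the response
    })
    headers = {
        "Authorization": "Bearer " + get_secret(vault),  # assumed token auth
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return SPLUNK_URL + SEARCH_PATH, headers, urllib.parse.urlencode(body)


def parse_results(raw):
    """Turn an output_mode=json response into a list of result dicts."""
    doc = json.loads(raw)
    return doc.get("results", [])


# Constructed sample response in the shape of a Splunk oneshot JSON reply.
SAMPLE_RESPONSE = json.dumps({
    "preview": False,
    "init_offset": 0,
    "messages": [],
    "fields": [{"name": "user"}, {"name": "count"}],
    "results": [{"user": "alice", "count": "17"}, {"user": "bob", "count": "3"}],
})


if __name__ == "__main__":
    vault = {"splunk-token": "constructed-example-token"}  # constructed, not real
    url, headers, body = build_poll_request(
        vault, "search index=auth action=failure | stats count by user", "-1h", "now")
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    # urllib.request.urlopen(req) would send it (keep TLS verification on, even
    # for a self-signed management port); parse a constructed response instead.
    for row in parse_results(SAMPLE_RESPONSE):
        print(row["user"], row["count"])
```

The validation step matters because the search string is user input that reaches Splunk with the credential's full privileges; rejecting anything that does not start with 'search' or '|' keeps the request to the form the ActionDefinition expects.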
