Splunk Enterprise Security

Overview

This document provides a detailed guide to integrating Splunk Enterprise Security with Callgoose SQIBS for real-time Incident Management, Incident Auto Remediation, Event-Driven Automation, and other Automation purposes. The integration enables automatic creation, updating, and resolution of incidents in Callgoose SQIBS based on alerts generated in Splunk Enterprise Security. The guide includes steps for setting up alerts in Splunk Enterprise Security, configuring webhook notifications, creating API filters in Callgoose SQIBS, and troubleshooting.

Prerequisites

• Splunk Enterprise Security Account: Access to Splunk Enterprise Security for creating alerts and managing notifications.
• Callgoose SQIBS Account: With valid privileges to set up API filters and receive notifications.
• Webhook/API Endpoint: Available in Callgoose SQIBS to receive alerts from Splunk Enterprise Security.

1. Obtain API Token and Endpoint Details

To integrate with Callgoose SQIBS, you first need to obtain an API token and find the API endpoint details.

1. Generate an API Token:

• Follow the guide on How to Create API Token in Callgoose SQIBS.

2. Find the API Endpoint:

• Refer to the Callgoose SQIBS API Endpoint Documentation to get the endpoint details where the JSON payloads from Splunk Enterprise Security will be sent.

2. Debugging and Troubleshooting

You can enable debugging in the API tokens used with Splunk Enterprise Security notifications for troubleshooting purposes.

• Enable Debugging:

• You can update the debug value when adding or updating an API token.
• When API tracking is enabled, logs are stored in the API log section for your review. The debugging option will automatically disable after 48 hours.
• When API tracking is turned off, no logs are saved in the API log.

• Using API Log for Troubleshooting:

• The API log provides detailed information on all API calls made to Callgoose SQIBS.
• You can check the JSON values in each API log entry for troubleshooting purposes.
• Use the information in the API log to create or refine API filters to ensure incidents are created correctly based on the API payloads received.
• Callgoose SQIBS creates incidents according to your API filter configuration, giving you full control over how alerts from different services trigger incidents and alerts for your support team or automation processes.

3. Configuring Splunk Enterprise Security to Send JSON Payloads

To configure Splunk Enterprise Security to generate the JSON payloads similar to the examples provided, follow the steps outlined below. These steps will guide you through setting up the necessary alerts and webhook notifications within Splunk Enterprise Security to ensure that the JSON payloads match those expected by Callgoose SQIBS.

3.1 Setting Up Alerts in Splunk Enterprise Security

To generate the required JSON payloads, you first need to set up alerts within Splunk Enterprise Security.

1. Log in to the Splunk Enterprise Security Console:

• Access the Splunk Enterprise Security platform using your account credentials.\

1. Navigate to the Alerts Section:

• Go to the Content Management section, and then click on Correlation Searches to view and manage existing alerts or create new ones.

1. Create a New Alert:

• Click on New to create a new correlation search.
• Define the Search: Specify the search query that will identify events of interest.
• Set Alert Conditions: Define conditions such as the frequency of events, thresholds, and other criteria that will trigger the alert.

1. Configure Alert Actions:

• Webhook Action: Add a webhook action to send the alert data to an external endpoint (e.g., Callgoose SQIBS).
• Configure the Webhook: Enter the webhook URL provided by Callgoose SQIBS where the JSON payload should be sent.

3.2 Configuring the Webhook Notification

To ensure that the JSON payload sent matches the examples provided, follow these steps when configuring the webhook:

1. Add Webhook URL:

• In the Webhook URL field, enter the endpoint provided by Callgoose SQIBS.
• Ensure the protocol is HTTPS for secure data transmission.

1. Customize Payload Format:

• Ensure that the payload includes key fields like "result", "sid", "search_name", "severity", "owner", "app", and others as shown in the example payloads.

• Example Payload Setup:

json

{
  "result": {
    "source": "{{source}}",
    "host": "{{host}}",
    "sourcetype": "{{sourcetype}}",
    "timestamp": "{{_time}}",
    "event": "{{_raw}}"
  },
  "sid": "{{sid}}",
  "search_name": "{{search_name}}",
  "severity": "{{severity}}",
  "owner": "{{owner}}",
  "app": "{{app}}"
}

• Placeholder Explanation:

• "{{source}}": Replaces with the source of the event.
• "{{host}}": Replaces with the hostname where the event was detected.
• "{{sourcetype}}": Replaces with the sourcetype of the event.
• "{{_time}}": Replaces with the timestamp when the event was logged.
• "{{_raw}}": Replaces with the raw event data.
• "{{sid}}": Replaces with the search ID of the correlation search.
• "{{search_name}}": Replaces with the name of the correlation search.
• "{{severity}}": Replaces with the severity level of the alert.
• "{{owner}}", "{{app}}": Replaces with the owner and app context of the search.

1. Test the Webhook Configuration:

• Before activating the webhook, perform a test to ensure that the JSON payload is correctly formatted and is being sent to the Callgoose SQIBS API endpoint as expected.
• Review the payload in Callgoose SQIBS to confirm that it matches the expected structure.

3.3 Finalizing and Testing

1. Save and Activate the Alert:

• Once the alert and webhook are correctly configured, save the alert configuration and activate it.

1. Validate the Integration:

• Trigger the alert condition manually if possible to verify that the correct JSON payload is sent to Callgoose SQIBS.
• Resolve the alert to ensure the resolved state payload is also correctly sent and processed.

3.4 Additional Considerations

• Permissions: Ensure that the webhook has the necessary permissions to send alerts to the Callgoose SQIBS API endpoint.
• Security: Implement security measures such as HTTPS and API tokens to protect the data being transmitted between Splunk Enterprise Security and Callgoose SQIBS.
• Logging and Debugging: Use the debugging and logging features in Callgoose SQIBS to monitor incoming payloads and troubleshoot any issues with the integration.

4. Configuring Callgoose SQIBS

4.1 Create API Filters in Callgoose SQIBS

To correctly map incidents from the Splunk Enterprise Security alerts, you need to create API filters based on the JSON payloads received.

4.1.1 Example JSON Payloads from Splunk Enterprise Security

Alert Triggered (severity: "high")

json

{
  "result": {
    "source": "WinEventLog:Security",
    "host": "server1.example.com",
    "sourcetype": "xmlwineventlog",
    "timestamp": "2024-08-05T12:00:00.000Z",
    "event": "<event_data>"
  },
  "sid": "search12345",
  "search_name": "Critical Security Event",
  "severity": "high",
  "owner": "admin",
  "app": "SplunkEnterpriseSecuritySuite"
}

Alert Resolved (severity: "info")

json

{
  "result": {
    "source": "WinEventLog:Security",
    "host": "server1.example.com",
    "sourcetype": "xmlwineventlog",
    "timestamp": "2024-08-05T12:30:00.000Z",
    "event": "<resolved_event_data>"
  },
  "sid": "search12345",
  "search_name": "Critical Security Event",
  "severity": "info",
  "owner": "admin",
  "app": "SplunkEnterpriseSecuritySuite"
}

4.2 Configuring API Filters

4.2.1 Integration Templates

If you see a Splunk Enterprise Security integration template in the "Select Integration Template" dropdown in the API filter settings, you can use it to automatically add the necessary Trigger and Resolve filters along with other values. The values added by the template can be modified to customize the integration according to your requirements.

4.2.2 Manually Add/Edit the Filter

There are two filters that you can manually edit: Trigger and Resolve.

• Trigger Filter (For Creating Incidents):
• Payload JSON Key: "severity"
• Key Value Contains: [high]
• Map Incident With: "sid"
• This corresponds to the unique sid (Search ID) from the Splunk Enterprise Security alert payload.
• Incident Title From: "search_name"
• This will use the name of the search as the incident title in Callgoose SQIBS.
• Incident Description From: Leave this empty unless you want to use a specific key-value from the JSON payload. If a key is entered, only the value for that key will be used as the Incident Description instead of the full JSON. By default, the Incident Description will include the full JSON values.
• Example: If you use the "result"."event" key in the Incident Description From field, the incident description will be the value of the "event" key. In the example JSON payload provided earlier, this would result in a description like "<event_data>".
• Resolve Filter (For Resolving Incidents):
• Payload JSON Key: "severity"
• Key Value Contains: [info]
• Incident Mapped With: "sid"
• This ensures the incident tied to the specific sid is resolved when the alert severity is lowered to "info" or another specified state.

Refer to the API Filter Instructions and FAQ for more details.

4.3 Finalizing Setup

1. Save the API Filters:

• Ensure that the filters are correctly configured and saved in Callgoose SQIBS.

1. Test the Integration:

• Manually trigger a Splunk Enterprise Security alert to test if incidents are created in Callgoose SQIBS.
• Resolve the alert in Splunk Enterprise Security and verify that the corresponding incident in Callgoose SQIBS is resolved.

5. Testing and Validation

5.1 Triggering Alerts

1. Simulate a Security Event:

• Generate a security event in your monitored environment that will trigger the Splunk Enterprise Security alert.
• Verify that an incident is created in Callgoose SQIBS with the correct title and urgency.

5.2 Resolving Alerts

1. Acknowledge and Resolve the Security Event:

• Once the security event is resolved or acknowledged in Splunk Enterprise Security, the alert severity should be downgraded, triggering the resolve filter in Callgoose SQIBS.
• Verify that the incident in Callgoose SQIBS is marked as resolved.

6. Security Considerations

• API Security: Ensure that the Callgoose SQIBS API endpoint is correct and that you are using the correct API token.
• Splunk Enterprise Security Permissions: Restrict access to your Splunk Enterprise Security alerts and notifications with appropriate roles and permissions to ensure that only authorized actions can be performed.

7. Troubleshooting

• No Incident Created: Verify that the Splunk Enterprise Security webhook is correctly set up and that the JSON payload structure matches the API filters configured in Callgoose SQIBS.
• Incident Not Resolved: Ensure the resolve filter is correctly configured and that the payloads from Splunk Enterprise Security are being received and processed by Callgoose SQIBS.

8. Conclusion

This guide provides a comprehensive overview of how to integrate Splunk Enterprise Security with Callgoose SQIBS for effective incident management. By following the steps outlined, you can ensure that alerts from Splunk Enterprise Security are automatically reflected as incidents in Callgoose SQIBS, with proper resolution tracking when the issues are resolved.

For further customization or advanced use cases, refer to the official documentation for both Splunk Enterprise Security and Callgoose SQIBS:

• Splunk Enterprise Security Documentation
• Callgoose SQIBS API Token Documentation
• Callgoose SQIBS API Endpoint Documentation
• API Filter Instructions and FAQ
• How to Send API

This documentation will guide you through the integration process, ensuring that your incidents are managed effectively within Callgoose SQIBS based on real-time alerts from Splunk Enterprise Security.