Skip to main content

Cyware Orchestrate

Splunk Enterprise

App Vendor: Splunk

Connector Category: SIEM and Log Management

Connector Version: 1.8.0

API Version: 9.0.0 and later

About App

Splunk Enterprise app allows security teams to communicate with the Splunk Enterprise application to gather events and alert logs to gain organization-wide visibility over cyber threats.

The Splunk Enterprise app is configured with Orchestrate application to perform the below actions:

Permissions 

Some of the actions may require special permissions to execute them. Refer to the official documentation of the app for details. Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user in the Splunk Enterprise app, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

Action Name 

Description 

Add Item in KV Store Collection 

This action adds items to KV store collection data.

Custom Search 

This action searches using a custom query in the Splunk Enterprise application.

Delete Item from KV Store Collection 

This action deletes items from KV store collection data.

Fetch Triggered Alerts 

This action returns all the triggered alerts till the time.

Get Alert Summary 

This action lists all unexpired triggered instances of an alert.

Get App KV Store Collections 

This action retrieves KV store collection data.

Get Lookup Table Data 

This action returns data of the lookup table for the given lookup table name.

Get Lookup Table Files 

This action provides access to lookup table files in Splunk Enterprise.

Post Event 

This action allows posting an event to Splunk.

Search Events 

This action searches for events using Search ID (SID) in the Splunk Enterprise application.

Search Logs of an Alert 

This action extracts logs of an alert from the Splunk Enterprise application.

Search Splunk Event Database

This action can be used to lookup IOCs in the Splunk Database.

Update Lookup Table 

This action updates the lookup table in Splunk.

Generic Action 

This action makes a generic request to the Splunk Enterprise API.

Configuration Parameters

Create an instance by configuring the following parameters to communicate with the Splunk Enterprise app. To know more on how to add an instance for an app, see Add Instances.

Parameter

Description 

Field Type 

Required/Optional 

Comments

Base URL 

Enter the base URL to access the Splunk Enterprise application.

Example:

"https://splunk.domain.tld:8089"

Text

Required

Username 

Enter the username to access Splunk.

Text

Optional

Password 

Enter the password to authenticate with Splunk.

Password

Optional

Version

Enter the Splunk Enterprise version being used.

Example:

8.0.0

Text

Optional

Auth Token 

Enter the API token for authorization.

Password

Optional

Verify 

To verify SSL certificates while making requests, select this option. If this option is not selected, it may result in connectivity issues, potentially causing it to become broken.

Example:

yes

Boolean

Optional

Default value:

No

Timeout 

Enter the timeout value in seconds. This is the number of seconds requests will wait to connect with Splunk Enterprise.

Integer

Optional

Available range:

15-120 seconds

Default value:

15 seconds

Action: Add Item in KV Store Collection

This action adds an item to the app Key Value (KV) store collection.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Collection Name 

Enter the name of the collection in which the item must be added.

Example:

"ip_ list"

Text

Required

Item Data 

Enter the items to be added in the form of key-value pairs.

Example:

"name":"abc"

Key Value

Required

Make sure that the item to add is a JSON-formatted document.

App 

Enter the app name.

Example:

"splunk"

Text

Optional

Owner 

Enter the owner's name.

Example:

"Anna"

Text

Optional

Default value: Nobody

Example Request

[
  {
    "collection_name": "ip_list",
    "item_data":
    {
      "name": "abc"
    },
    "app": "splunk",
    "owner": "Anna"
  }
]

Action Response Parameters

Parameter

Type

Description

_key

String

The unique identifier key, e.g., '5410be5441ba15298e4624d1'

Action: Delete Item from KV Store Collection

This action deletes the item from the specified KV store collection data.

Action Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Collection Name

Enter the name of the collection in which the item must be deleted from the KV store. Example:

"_tab_internal_monitor_inputs_"

Text

Required

Item ID

Enter the ID of the item that needs to be deleted.

Example:

"5410be5441ba15298e4624d1"

Text

Required

You can retrieve the ID of the item from the action Add Item in KV Store Collection.

App

Enter the name of the app.

Example:

"Splunk"

Text

Optional

Owner

Enter the name of the owner.

Example:

"JohnDoe"

Text

Optional

Default value:

nobody

Example Response

[
    {
        "collection_name": "_tab_internal_monitor_inputs_",
        "key": "5410be5441ba15298e4624d1"
    }
]

Action Response Parameters

Parameter

Type

Description

Status Code

Unknown

If the action is successfully executed, it returns a 204 status code.

Action: Fetch Triggered Alerts

This action returns all the triggered alerts.

Action Input Parameters

This action does not require any input parameters.

Action Response Parameters

Parameter

Type

Description

app_instance/feed/title

String

The title of the feed, which is 'alerts'

app_instance/feed/id

URL

The unique identifier URL of the feed

app_instance/feed/updated

DateTime

The last updated timestamp of the feed

app_instance/feed/generator/version

String

The version of the feed generator

app_instance/feed/author/name

String

The author of the feed, which is 'Splunk'

app_instance/entry/title

String

The title of the entry, which is '-'

app_instance/entry/id

URL

The unique identifier URL of the entry

app_instance/entry/updated

DateTime

The last updated timestamp of the entry

app_instance/entry/link/@href

URL

The URL link related to the entry

app_instance/entry/author/name

String

The author of the entry, which is 'admin'

app_instance/content/type

String

The type of content inside the entry, which is 'text/xml'

app_instance/content/s:dict/s:key/@name

String

The name of the key in the dictionary

app_instance/content/s:dict/s:key

Integer

The value of the key 'triggered_alert_count'

Action: Get Alert Summary

This action lists all unexpired triggered instances of this alert.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert Name 

Enter the alert name to get the summary.

Example:

"Phishing Incident"

Text

Required

Example Request

[
    {
        "alert_name": "Phishing Incident"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}  

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response  

JSON Object

Includes the response received from the app action.

app_instance.response.entry  

Array of JSON Objects

List of all alerts found in Splunk.

app_instance.response.entry.acl 

JSON Object

The details of configured permissions for a resource.

app_instance.response.entry.author 

Array

Author of the alert.

app_instance.response.entry.id 

String

Unique ID of the alert.

app_instance.response.entry.links 

JSON Object

Reference links to the alert.

app_instance.response.entry.name 

String

Name of the alert.

app_instance.response.entry.published 

String

Published date and time of the alert.

app_instance.response.entry.updated 

String

Last updated date and time of the alert.

app_instance.response.entry.content 

JSON Object

Details of the alert.

app_instance.response.entry.content.actions 

Unknown

Any additional alert actions triggered by this alert.

app_instance.response.entry.content.alert_type 

String

Indicates if the alert was historical or real-time.

app_instance.response.entry.content.digest_mode 

Boolean

Returns true if the digest mode is enabled.

app_instance.response.entry.content.eai:acl 

Unknown

Unknown

app_instance.response.entry.content.expiration_time_rendered 

String

Unknown

app_instance.response.entry.content.savedsearch_name 

String

Name of the saved search that triggered the alert.

app_instance.response.entry.content.severity 

Integer

Indicates the severity level of an alert.

Severity level ranges from Info, Low, Medium, High, and Critical. 

Default: Medium

app_instance.response.entry.content.sid 

String

The search ID of the search that triggered the alert.

app_instance.response.entry.content.trigger_time 

Integer

The time the alert was triggered.

app_instance.response.entry.content.trigger_time_rendered 

String

Unknown

app_instance.response.entry.content.triggered_alerts 

Integer

Unknown

app_instance.status_code 

Integer

HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes.

Action: Get App KV Store Collections

This action fetches the app key value (KV) store collection data.

Action Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Collection Name

Enter the name of the collection to retrieve KV store collections data.

Example:

"_tab_internal_monitor_inputs_"

Text

Required

App

Enter the name of the app to retrieve KV store collections data.

Example:

"splunk_app_addon-builder"

Text

Optional

Owner

Enter the owner name.

Example:

"john"

Text

Optional

Default value:

nobody

Example Response

[
    {
        "collection_name": "_tab_internal_monitor_inputs_"
    }
]

Action Response Parameters

Parameter

Type

Description

app_instance/title

String

The title of the configuration, e.g., 'collections-conf'

app_instance/id

URL

The unique identifier URL of the configuration

app_instance/updated

DateTime

The last updated timestamp of the configuration

app_instance/generator/build

String

The build number of the generator

app_instance/generator/version

String

The version of the generator

app_instance/author/name

String

The author of the configuration, e.g., 'Splunk'

app_instance/link[@rel='create']/@href

URL

The URL link to create a new configuration

app_instance/link[@rel='_reload']/@href

URL

The URL link to reload the configuration

app_instance/entry/title

String

The title of the entry, e.g., 'kvstoredemo' or 'test'

app_instance/entry/id

URL

The unique identifier URL of the entry

app_instance/entry/updated

DateTime

The last updated timestamp of the entry

app_instance/entry/link[@rel='alternate']/@href

URL

The alternate URL link for the entry

app_instance/entry/author/name

String

The author of the entry, e.g., 'admin'

app_instance/entry/link[@rel='list']/@href

URL

The URL link to list related content for the entry

app_instance/entry/link[@rel='_reload']/@href

URL

The URL link to reload the entry

app_instance/entry/link[@rel='edit']/@href

URL

The URL link to edit the entry

app_instance/entry/link[@rel='remove']/@href

URL

The URL link to remove the entry

app_instance/entry/link[@rel='disable']/@href

URL

The URL link to disable the entry

app_instance/content/type

String

The type of content inside the entry, which is 'text/xml'

app_instance/content/s:key[@name='disabled']

Integer

Indicates if the entry is disabled (0 or 1)

app_instance/content/s:key[@name='eai:acl']

String

Access Control List details (elided)

app_instance/content/s:key[@name='eai:appName']

String

The name of the application, e.g., 'search'

app_instance/content/s:key[@name='eai:userName']

String

The user name, e.g., 'nobody'

app_instance/content/s:key[@name='profilingEnabled']

Boolean

Indicates if profiling is enabled (true or false)

app_instance/content/s:key[@name='profilingThresholdMs']

Integer

The profiling threshold in milliseconds

Action: Get Lookup Table Data

This action returns data about a lookup table using its name.

Action Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Lookup Table Name

Enter the name of the lookup table to retrieve details. Example:

"ip_mal.csv"

Text

Required

Example Response

[
    {
        "lookup_table_name": "ip_mal.csv"
    }
]

Action Response Parameters

Parameter

Type

Description

app_instance/init_offset

Integer

The initial offset value

app_instance/messages/text

String

The text message

app_instance/messages/type

String

The type of message, e.g., 'DEBUG'

app_instance/preview

Boolean

Indicates if the results are a preview (true or false)

app_instance/results/index

String

The index name, e.g., '_internal'

app_instance/results/source

String

The source path, e.g., '/Applications/splunk/var/log/splunk/metrics.log'

app_instance/results/sourcetype

String

The sourcetype, e.g., 'splunkd'

Action: Get Lookup Tables Files

This action provides access to lookup table files in Splunk Enterprise.

Action Input Parameters

Parameters

Description

Field Type

Required/Optional

Comments

Lookup Table Name

Enter the name of the lookup table to retrieve the details.

Example:

"ip_mal.csv"

Text

Optional

Leave the field blank to get the details of all Lookup tables

Example Response

[
    {
        "lookup_table_name": "ip_mal.csv"
    }
]
Action: Post Event

This action posts an event to Splunk Enterprise.

Action Input Parameters 

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Host 

Enter the host for the Splunk application.

Example:

"tenant.sampledomain.com"

Text

Optional

Index 

Enter the index value for the Splunk application.

Example:

"sample_cyware"

Text

Optional

Source 

Enter the source of the event data to post to Splunk Enterprise.

Example:

http-simple

Text

Required

Source Type 

Enter the source type of the event data to post to Splunk Enterprise.

Example:

json

Text

Required

Payload 

Enter a JSON object containing the event data.

Example:

name: johndoe

Key Value

Required

Example Request 

[
    {
        "host": "tenant.sampledomain.com",
        "index": "sample_cyware",
        "source": "www.sampledomain.com",
        "source_type": "url_event"
        "payload": {
            "name": "john"
        },
    }
]
Action: Search Events

This action searches for events using search ID (SID) in the Splunk Enterprise application.

Note

This action is supported by Splunk Enterprise version 9.0.1 onwards.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

SID 

Enter the search ID (SID) as an input to be searched for.

Example:

011f117a9f3002002920bde8132e7020

Text

Required

Example Request

[
    {
        "sid": "011f117a9f3002002920bde8132e7020"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance/results/meta/fieldOrder/field

String

The order of fields in the results

app_instance/results/result/field[@k='arch']/value/text

String

The architecture type, e.g., 'i686'

app_instance/results/result/field[@k='build']/value/text

String

The build number, e.g., '98164'

app_instance/results/result/field[@k='connectionType']/value/text

String

The type of connection, e.g., 'cooked'

app_instance/results/result/field[@k='date_hour']/value/text

Integer

The hour part of the date, e.g., '19'

Action: Search Logs of an Alert

This action extracts logs of an alert from the Splunk Enterprise application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert Name 

Enter the alert name as an input to search.

Example:

"Phishing Incident"

Text

Required

From Date 

Enter the date from which the logs need to be searched.

Example:

"1648557776"

Text

Optional

Note: Enter the date in EPOCH format.

End Date 

Enter the date until which the logs need to be searched.

Example:

"1651795200"

Text

Optional

Note: Enter the date in EPOCH format.

Example Request

[
    {
        "from_date": "1648557776",
        "end_date": "1651795200",
        "alert_name": "Phishing Incident"
    }
]

Action Response Parameters

Parameter

Type

Description

app_instance/results/meta/fieldOrder/field

String

The order of fields in the results

app_instance/results/result/field[@k='arch']/value/text

String

The architecture type, e.g., 'i686'

app_instance/results/result/field[@k='build']/value/text

String

The build number, e.g., '98164'

app_instance/results/result/field[@k='connectionType']/value/text

String

The type of connection, e.g., 'cooked'

app_instance/results/result/field[@k='date_hour']/value/text

Integer

The hour part of the date, e.g., '19'

Action: Search Splunk Event Database

This action looks up for IOCs in the Splunk Database.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOCs

Enter the list of IOCs to look up in the Splunk database. 

Example: 

[203.95.8.98, 203.95.9.54]

List

Required

Earliest Time

Enter the timestamp to start the query run. 

Example:

-30d

Text

Optional

Index Name

Enter the index name search for IOCs in a specific index.

Example:

sample_index_name

Text

Optional

Example Request

[
    {
        "iocs": [
            "203.95.8.98",
            "203.95.9.54"
        ],
        "earliest": "-60d",
        "index_name": "sample_index_name"
    }
]

Action Response Parameters

Parameter

Type

Description

app_instance_init_offset

Integer

Initial offset value

app_instance.messages

Array

An array of message objects.

app_instance.messages.text

String

The text content of the message.

app_instance.messages.type

String

Type of the message.

Example:

DEBUG

app_instance.preview

Boolean

Indicates a preview

app_instance.results

Array

An array of result objects.

app_instance.results.index

String

Index name of the result.

app_instance.results.source

String

Source path of the result.

app_instance.results.sourcetype

String

Source type of the result.

Action: Update Lookup Table

This action updates a lookup table in Splunk Enterprise.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Lookup Table Name 

Enter the name of the lookup table that needs to be updated.

Example:

"Watchlist"

Text

Required

New Data 

Enter the key-value pairs that need to be added to the lookup table.

Example:

{'ip_address' : '123.234.456.7'}

Key Value

Required

Example Request

[
    {
        "new_data": {
            "ip_address": "123.234.456.7"
        },
        "lookup_table_name": "Watchlist"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}  

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response  

JSON Object

Includes the response received from the app action.

app_instance.response.fields  

Array

List of event fields retrieved.

app_instance.response.init_offset 

Integer

Indicates the offset value passed to retrieve events.

app_instance.response.sid 

String

ID of the search event job.

app_instance.response.results 

Array

The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event.

app_instance.status_code 

Integer

HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes.

Action: Generic Action

This action transcends other actions by making a request to any ContraForce-related endpoint

Action Input Parameters 

Parameter 

Description 

Field Type 

Required/Optional 

Comments 

Method 

Enter the HTTP method to make the request.

Text

Required

Allowed values:

  • GET

  • POST

  • PUT

  • DELETE

Query Params 

Enter the query parameters to pass to the API.

Text

Required

Endpoint 

Enter the endpoint to make the request.

Example:

/incidents

Key Value

Optional

Payload 

Enter the payload to pass to the API.

Example:

{\"apiKey\": socmdcoimsd}

Key Value

Optional

Extra Fields 

Enter the extra fields to pass to the API.

Key Value

Optional

Example Request 

[
    {
        "method": "GET",
        "endpoint": "services/alerts/fired_alerts/"
        
    }
]