Splunk Enterprise
App Vendor: Splunk
Connector Category: SIEM and Log Management
Connector Version: 1.8.0
API Version: 9.0.0 and later
About App
The Splunk Enterprise app allows security teams to communicate with the Splunk Enterprise application to gather events and alert logs and gain organization-wide visibility over cyber threats.
The Splunk Enterprise app is configured with the Orchestrate application to perform the following actions:
Permissions
Some of the actions may require special permissions to execute them. Refer to the official documentation of the app for details. Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user in the Splunk Enterprise app, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
Action Name | Description |
---|---|
Add Item in KV Store Collection | This action adds items to KV store collection data. |
Custom Search | This action searches using a custom query in the Splunk Enterprise application. |
Delete Item from KV Store Collection | This action deletes items from KV store collection data. |
Fetch Triggered Alerts | This action returns all alerts triggered up to the current time. |
Get Alert Summary | This action lists all unexpired triggered instances of an alert. |
Get App KV Store Collections | This action retrieves KV store collection data. |
Get Lookup Table Data | This action returns data of the lookup table for the given lookup table name. |
Get Lookup Table Files | This action provides access to lookup table files in Splunk Enterprise. |
Post Event | This action allows posting an event to Splunk. |
Search Events | This action searches for events using Search ID (SID) in the Splunk Enterprise application. |
Search Logs of an Alert | This action extracts logs of an alert from the Splunk Enterprise application. |
Search Splunk Event Database | This action can be used to look up IOCs in the Splunk database. |
Update Lookup Table | This action updates the lookup table in Splunk. |
Generic Action | This action makes a generic request to the Splunk Enterprise API. |
Configuration Parameters
Create an instance by configuring the following parameters to communicate with the Splunk Enterprise app. To know more on how to add an instance for an app, see Add Instances.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access the Splunk Enterprise application. Example: "https://splunk.domain.tld:8089" | Text | Required | |
Username | Enter the username to access Splunk. | Text | Optional | |
Password | Enter the password to authenticate with Splunk. | Password | Optional | |
Version | Enter the Splunk Enterprise version being used. Example: 8.0.0 | Text | Optional | |
Auth Token | Enter the API token for authorization. | Password | Optional | |
Verify | To verify SSL certificates while making requests, select this option. If this option is not selected, connectivity issues may occur. Example: yes | Boolean | Optional | Default value: No |
Timeout | Enter the timeout value in seconds. This is the number of seconds requests will wait to connect with Splunk Enterprise. | Integer | Optional | Available range: 15-120 seconds. Default value: 15 seconds |
Action: Add Item in KV Store Collection
This action adds an item to the app Key Value (KV) store collection.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection Name | Enter the name of the collection to which the item must be added. Example: "ip_list" | Text | Required | |
Item Data | Enter the items to be added in the form of key-value pairs. Example: "name":"abc" | Key Value | Required | Make sure that the item to add is a JSON-formatted document. |
App | Enter the app name. Example: "splunk" | Text | Optional | |
Owner | Enter the owner's name. Example: "Anna" | Text | Optional | Default value: Nobody |
Example Request
[ { "collection_name": "ip_list", "item_data": { "name": "abc" }, "app": "splunk", "owner": "Anna" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
_key | String | The unique identifier key, e.g., '5410be5441ba15298e4624d1' |
Action: Custom Search
This action performs a search using a custom query in the Splunk Enterprise application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Query | Enter the search query. Example: 'search index=_internal source=*/metrics.log', '| inputlookup co_table' | Text | Required | |
Earliest Time | Enter the timestamp to start the query run. Example: 2023-10-15T07:30:00 | Text | Required | |
Latest Time | Enter the timestamp to end the query run. Example: 2023-10-15T08:00:00 | Text | Required | |
Time Delay | Enter the time delay (in seconds) between creating search jobs and retrieving their search results. Example: 300 | Integer | Optional | Default: 300. |
Additional Data | Enter any extra parameters. Example: $JSON[{max_count: 10}] | Key Value | Optional | |
Example Request
[ { "to_time": "2024-04-29T10:53:51", "from_time": "2024-04-25T10:53:51", "search_query": "search index=_internal" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. |
app_instance.response.fields | Array | List of event fields retrieved. |
app_instance.response.init_offset | Integer | Indicates the offset value passed to retrieve events. |
app_instance.response.sid | String | ID of the search event job. |
app_instance.response.results | Array | The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event. |
app_instance.status_code | Integer | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Delete Item from KV Store Collection
This action deletes the item from the specified KV store collection data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection Name | Enter the name of the KV store collection from which the item must be deleted. Example: "_tab_internal_monitor_inputs_" | Text | Required | |
Item ID | Enter the ID of the item that needs to be deleted. Example: "5410be5441ba15298e4624d1" | Text | Required | You can retrieve the ID of the item from the action Add Item in KV Store Collection. |
App | Enter the name of the app. Example: "Splunk" | Text | Optional | |
Owner | Enter the name of the owner. Example: "JohnDoe" | Text | Optional | Default value: nobody |
Example Request
[ { "collection_name": "_tab_internal_monitor_inputs_", "key": "5410be5441ba15298e4624d1" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
Status Code | Unknown | If the action is successfully executed, it returns a 204 status code. |
Action: Fetch Triggered Alerts
This action returns all the triggered alerts.
Action Input Parameters
This action does not require any input parameters.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance/feed/title | String | The title of the feed, which is 'alerts' |
app_instance/feed/id | URL | The unique identifier URL of the feed |
app_instance/feed/updated | DateTime | The last updated timestamp of the feed |
app_instance/feed/generator/version | String | The version of the feed generator |
app_instance/feed/author/name | String | The author of the feed, which is 'Splunk' |
app_instance/entry/title | String | The title of the entry, which is '-' |
app_instance/entry/id | URL | The unique identifier URL of the entry |
app_instance/entry/updated | DateTime | The last updated timestamp of the entry |
app_instance/entry/link/@href | URL | The URL link related to the entry |
app_instance/entry/author/name | String | The author of the entry, which is 'admin' |
app_instance/content/type | String | The type of content inside the entry, which is 'text/xml' |
app_instance/content/s:dict/s:key/@name | String | The name of the key in the dictionary |
app_instance/content/s:dict/s:key | Integer | The value of the key 'triggered_alert_count' |
Action: Get Alert Summary
This action lists all unexpired triggered instances of this alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert Name | Enter the alert name to get the summary. Example: "Phishing Incident" | Text | Required | |
Example Request
[ { "alert_name": "Phishing Incident" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. |
app_instance.response.entry | Array of JSON Objects | List of all alerts found in Splunk. |
app_instance.response.entry.acl | JSON Object | The details of configured permissions for a resource. |
app_instance.response.entry.author | Array | Author of the alert. |
app_instance.response.entry.id | String | Unique ID of the alert. |
app_instance.response.entry.links | JSON Object | Reference links to the alert. |
app_instance.response.entry.name | String | Name of the alert. |
app_instance.response.entry.published | String | Published date and time of the alert. |
app_instance.response.entry.updated | String | Last updated date and time of the alert. |
app_instance.response.entry.content | JSON Object | Details of the alert. |
app_instance.response.entry.content.actions | Unknown | Any additional alert actions triggered by this alert. |
app_instance.response.entry.content.alert_type | String | Indicates if the alert was historical or real-time. |
app_instance.response.entry.content.digest_mode | Boolean | Returns true if the digest mode is enabled. |
app_instance.response.entry.content.eai:acl | Unknown | Unknown |
app_instance.response.entry.content.expiration_time_rendered | String | Unknown |
app_instance.response.entry.content.savedsearch_name | String | Name of the saved search that triggered the alert. |
app_instance.response.entry.content.severity | Integer | Indicates the severity level of an alert. The severity level is one of Info, Low, Medium, High, or Critical. Default: Medium |
app_instance.response.entry.content.sid | String | The search ID of the search that triggered the alert. |
app_instance.response.entry.content.trigger_time | Integer | The time the alert was triggered. |
app_instance.response.entry.content.trigger_time_rendered | String | Unknown |
app_instance.response.entry.content.triggered_alerts | Integer | Unknown |
app_instance.status_code | Integer | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Get App KV Store Collections
This action fetches the app key value (KV) store collection data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection Name | Enter the name of the collection whose KV store collection data is to be retrieved. Example: "_tab_internal_monitor_inputs_" | Text | Required | |
App | Enter the name of the app whose KV store collection data is to be retrieved. Example: "splunk_app_addon-builder" | Text | Optional | |
Owner | Enter the owner name. Example: "john" | Text | Optional | Default value: nobody |
Example Request
[ { "collection_name": "_tab_internal_monitor_inputs_" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance/title | String | The title of the configuration, e.g., 'collections-conf' |
app_instance/id | URL | The unique identifier URL of the configuration |
app_instance/updated | DateTime | The last updated timestamp of the configuration |
app_instance/generator/build | String | The build number of the generator |
app_instance/generator/version | String | The version of the generator |
app_instance/author/name | String | The author of the configuration, e.g., 'Splunk' |
app_instance/link[@rel='create']/@href | URL | The URL link to create a new configuration |
app_instance/link[@rel='_reload']/@href | URL | The URL link to reload the configuration |
app_instance/entry/title | String | The title of the entry, e.g., 'kvstoredemo' or 'test' |
app_instance/entry/id | URL | The unique identifier URL of the entry |
app_instance/entry/updated | DateTime | The last updated timestamp of the entry |
app_instance/entry/link[@rel='alternate']/@href | URL | The alternate URL link for the entry |
app_instance/entry/author/name | String | The author of the entry, e.g., 'admin' |
app_instance/entry/link[@rel='list']/@href | URL | The URL link to list related content for the entry |
app_instance/entry/link[@rel='_reload']/@href | URL | The URL link to reload the entry |
app_instance/entry/link[@rel='edit']/@href | URL | The URL link to edit the entry |
app_instance/entry/link[@rel='remove']/@href | URL | The URL link to remove the entry |
app_instance/entry/link[@rel='disable']/@href | URL | The URL link to disable the entry |
app_instance/content/type | String | The type of content inside the entry, which is 'text/xml' |
app_instance/content/s:key[@name='disabled'] | Integer | Indicates if the entry is disabled (0 or 1) |
app_instance/content/s:key[@name='eai:acl'] | String | Access Control List details (elided) |
app_instance/content/s:key[@name='eai:appName'] | String | The name of the application, e.g., 'search' |
app_instance/content/s:key[@name='eai:userName'] | String | The user name, e.g., 'nobody' |
app_instance/content/s:key[@name='profilingEnabled'] | Boolean | Indicates if profiling is enabled (true or false) |
app_instance/content/s:key[@name='profilingThresholdMs'] | Integer | The profiling threshold in milliseconds |
Action: Get Lookup Table Data
This action returns data about a lookup table using its name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Lookup Table Name | Enter the name of the lookup table to retrieve details. Example: "ip_mal.csv" | Text | Required | |
Example Request
[ { "lookup_table_name": "ip_mal.csv" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance/init_offset | Integer | The initial offset value |
app_instance/messages/text | String | The text message |
app_instance/messages/type | String | The type of message, e.g., 'DEBUG' |
app_instance/preview | Boolean | Indicates if the results are a preview (true or false) |
app_instance/results/index | String | The index name, e.g., '_internal' |
app_instance/results/source | String | The source path, e.g., '/Applications/splunk/var/log/splunk/metrics.log' |
app_instance/results/sourcetype | String | The sourcetype, e.g., 'splunkd' |
Action: Get Lookup Table Files
This action provides access to lookup table files in Splunk Enterprise.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Lookup Table Name | Enter the name of the lookup table to retrieve the details. Example: "ip_mal.csv" | Text | Optional | Leave the field blank to get the details of all lookup tables. |
Example Request
[ { "lookup_table_name": "ip_mal.csv" } ]
Action: Post Event
This action posts an event to Splunk Enterprise.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host | Enter the host for the Splunk application. Example: "tenant.sampledomain.com" | Text | Optional | |
Index | Enter the index value for the Splunk application. Example: "sample_cyware" | Text | Optional | |
Source | Enter the source of the event data to post to Splunk Enterprise. Example: http-simple | Text | Required | |
Source Type | Enter the source type of the event data to post to Splunk Enterprise. Example: json | Text | Required | |
Payload | Enter a JSON object containing the event data. Example: name: johndoe | Key Value | Required | |
Example Request
[ { "host": "tenant.sampledomain.com", "index": "sample_cyware", "source": "www.sampledomain.com", "source_type": "url_event", "payload": { "name": "john" } } ]
Action: Search Events
This action searches for events using search ID (SID) in the Splunk Enterprise application.
Note
This action is supported by Splunk Enterprise version 9.0.1 onwards.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SID | Enter the search ID (SID) as an input to be searched for. Example: 011f117a9f3002002920bde8132e7020 | Text | Required | |
Example Request
[ { "sid": "011f117a9f3002002920bde8132e7020" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance/results/meta/fieldOrder/field | String | The order of fields in the results |
app_instance/results/result/field[@k='arch']/value/text | String | The architecture type, e.g., 'i686' |
app_instance/results/result/field[@k='build']/value/text | String | The build number, e.g., '98164' |
app_instance/results/result/field[@k='connectionType']/value/text | String | The type of connection, e.g., 'cooked' |
app_instance/results/result/field[@k='date_hour']/value/text | Integer | The hour part of the date, e.g., '19' |
Action: Search Logs of an Alert
This action extracts logs of an alert from the Splunk Enterprise application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert Name | Enter the alert name as an input to search. Example: "Phishing Incident" | Text | Required | |
From Date | Enter the date from which the logs need to be searched. Example: "1648557776" | Text | Optional | Note: Enter the date in EPOCH format. |
End Date | Enter the date until which the logs need to be searched. Example: "1651795200" | Text | Optional | Note: Enter the date in EPOCH format. |
Example Request
[ { "from_date": "1648557776", "end_date": "1651795200", "alert_name": "Phishing Incident" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance/results/meta/fieldOrder/field | String | The order of fields in the results |
app_instance/results/result/field[@k='arch']/value/text | String | The architecture type, e.g., 'i686' |
app_instance/results/result/field[@k='build']/value/text | String | The build number, e.g., '98164' |
app_instance/results/result/field[@k='connectionType']/value/text | String | The type of connection, e.g., 'cooked' |
app_instance/results/result/field[@k='date_hour']/value/text | Integer | The hour part of the date, e.g., '19' |
Action: Search Splunk Event Database
This action looks up IOCs in the Splunk database.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOCs | Enter the list of IOCs to look up in the Splunk database. Example: [203.95.8.98, 203.95.9.54] | List | Required | |
Earliest Time | Enter the timestamp to start the query run. Example: -30d | Text | Optional | |
Index Name | Enter the index name to search for IOCs in a specific index. Example: sample_index_name | Text | Optional | |
Example Request
[ { "iocs": [ "203.95.8.98", "203.95.9.54" ], "earliest": "-60d", "index_name": "sample_index_name" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance.init_offset | Integer | Initial offset value |
app_instance.messages | Array | An array of message objects. |
app_instance.messages.text | String | The text content of the message. |
app_instance.messages.type | String | Type of the message. Example: DEBUG |
app_instance.preview | Boolean | Indicates a preview |
app_instance.results | Array | An array of result objects. |
app_instance.results.index | String | Index name of the result. |
app_instance.results.source | String | Source path of the result. |
app_instance.results.sourcetype | String | Source type of the result. |
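The Custom Search and Search Events actions above create a search job, wait the configured Time Delay, and then fetch results by SID; the Search Splunk Event Database action turns a list of IOCs into a search. The following added example (not the connector's own code) shows that flow against the Splunk REST API on port 8089 and parses the documented response shape (init_offset, messages, preview, results). The HTTP transport is injected so the example runs offline; how the connector itself builds its IOC query is not on this page, so build_ioc_query is one safe way to do it, quoting each IOC so it is matched literally.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

SEARCH_JOBS_PATH = "/services/search/jobs"  # real Splunk REST endpoint
# Relative time modifiers in the form the page's examples use ("-30d", "-60d").
RELATIVE_TIME = re.compile(r"^-\d+(s|m|h|d|w|mon|y)$")


def build_search_job_request(search_query: str, from_time: str, to_time: str,
                             additional: Optional[Dict[str, str]] = None
                             ) -> Tuple[str, Dict[str, str]]:
    """Map the Custom Search inputs to POST /services/search/jobs fields.
    'search', 'earliest_time', 'latest_time', 'output_mode' are real form
    fields; Additional Data (e.g. max_count) is merged as extra fields."""
    query = search_query.strip()
    if not (query.startswith("|") or query.startswith("search ")):
        query = "search " + query  # SPL must start with a command
    fields = {"search": query, "earliest_time": from_time,
              "latest_time": to_time, "output_mode": "json"}
    fields.update(additional or {})
    return SEARCH_JOBS_PATH, fields


def spl_quote(value: str) -> str:
    """Quote a value so SPL matches it literally: backslash and double
    quote are escaped, so an IOC such as '" OR *' cannot widen the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_ioc_query(iocs: List[str], earliest: str = "-30d",
                    index_name: Optional[str] = None) -> str:
    """Build SPL for the Search Splunk Event Database inputs (assumed form)."""
    if not iocs:
        raise ValueError("at least one IOC is required")
    if not RELATIVE_TIME.match(earliest):
        raise ValueError("earliest must be a relative modifier such as -30d")
    parts = ["search", "earliest=" + earliest]
    if index_name:
        parts.append("index=" + spl_quote(index_name))
    parts.append("(" + " OR ".join(spl_quote(i) for i in iocs) + ")")
    return " ".join(parts)


def parse_results(body: str) -> Dict[str, object]:
    """Parse GET /services/search/jobs/<sid>/results JSON (the page's
    init_offset / messages / preview / results shape) into a summary."""
    doc = json.loads(body)
    events = doc.get("results", [])
    return {"init_offset": int(doc.get("init_offset", 0)),
            "preview": bool(doc.get("preview", False)),
            "messages": [(m.get("type"), m.get("text")) for m in doc.get("messages", [])],
            "event_count": len(events),
            "sourcetypes": sorted({e.get("sourcetype", "") for e in events})}


def run_custom_search(post: Callable[[str, Dict[str, str]], str],
                      get: Callable[[str], str], sleep: Callable[[float], None],
                      search_query: str, from_time: str, to_time: str,
                      time_delay: int = 300) -> Dict[str, object]:
    """Create the job, wait the Time Delay, then fetch results by SID.
    post/get/sleep are injected (e.g. requests with the Auth Token header).
    The page's Time Delay is a fixed wait; a production client would poll
    the job's isDone flag instead of sleeping."""
    path, fields = build_search_job_request(search_query, from_time, to_time)
    sid = json.loads(post(path, fields))["sid"]  # Splunk returns {"sid": ...}
    sleep(time_delay)
    out = parse_results(get(f"{SEARCH_JOBS_PATH}/{sid}/results?output_mode=json"))
    out["sid"] = sid
    return out


# Constructed sample response in the documented shape (not real Splunk output).
SAMPLE_RESULTS = json.dumps({"init_offset": 0, "preview": False,
    "messages": [{"type": "DEBUG", "text": "constructed"}],
    "results": [{"index": "_internal", "sourcetype": "splunkd",
                 "source": "/opt/splunk/var/log/splunk/metrics.log"}]})
```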
Action: Update Lookup Table
This action updates a lookup table in Splunk Enterprise.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Lookup Table Name | Enter the name of the lookup table that needs to be updated. Example: "Watchlist" | Text | Required | |
New Data | Enter the key-value pairs that need to be added to the lookup table. Example: {'ip_address' : '123.234.456.7'} | Key Value | Required | |
Example Request
[ { "new_data": { "ip_address": "123.234.456.7" }, "lookup_table_name": "Watchlist" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. |
app_instance.response.fields | Array | List of event fields retrieved. |
app_instance.response.init_offset | Integer | Indicates the offset value passed to retrieve events. |
app_instance.response.sid | String | ID of the search event job. |
app_instance.response.results | Array | The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event. |
app_instance.status_code | Integer | HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes. |
Action: Generic Action
This action makes a generic request to any Splunk Enterprise API endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values: |
Query Params | Enter the query parameters to pass to the API. | Text | Required | |
Endpoint | Enter the endpoint to make the request. Example: /incidents | Key Value | Optional | |
Payload | Enter the payload to pass to the API. Example: {"apiKey": "socmdcoimsd"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | |
Example Request
[ { "method": "GET", "endpoint": "services/alerts/fired_alerts/" } ]