Splunk Enterprise Security Manager
App Vendor: Splunk
App Category: Analytics & SIEM
App version: 1.0.0
API version: 6.2.0
Product version: 6.2.0
Default Port: 8089
About App
The Splunk Enterprise Security app allows security teams to integrate with the enterprise application to proactively track and mitigate internal and external cyber attacks against their infrastructure.
The Splunk Enterprise Security app in the Orchestrate application can perform the actions listed below:
Action Name | Description |
---|---|
Create threat intelligence collection item | This action can be used to create a threat intel item in the threat intelligence collection. |
Delete threat intelligence collection item | This action can be used to remove a particular threat intelligence collection item. The delete operation does not delete the row from the KV Store. Instead, the entry is disabled from participating in threat intelligence matching. |
Fetch threat intelligence collection item | This action can be used to fetch a threat intelligence collection item. |
Update Notable Events | This action can be used to update the Notable Events. |
Prerequisites
All the actions configured in the Splunk Enterprise Security app rely on private APIs. A Splunk Enterprise Security enterprise subscription is required to access these private APIs.
Configuration parameters
The following configuration parameters are required for the Splunk Enterprise Security Manager app to communicate with the Splunk Enterprise Security Manager enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL for accessing the Splunk REST API as "https://<host>.<tld>:<port>". | Text | Required | |
Username | Enter the username for authenticating the Splunk REST API Service. | Text | Required | |
Password | Enter the password for authenticating the Splunk REST API Service. | Text | Required | |
Action: Create threat intelligence collection item
This action can be used to create a threat intel item in the threat intelligence collection.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Collection | Enter the Collection name. For example, ip_intel | Text | Required | Allowed values: |
Item | Enter the item to be added in the Collection. For example, {"ip": "41.41.41.41"} | Key value | Required | |
Example Request
[ { "item": { "ip": "41.41.41.41" }, "collection": "ip_intel" } ]
Action: Delete threat intelligence collection item
This action can be used to remove a particular threat intelligence collection item.
The delete operation does not delete the row from the KV Store. Instead, the entry is disabled from participating in threat intelligence matching.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Collection | Enter the Collection name. For example, ip_intel | Text | Required | Allowed values: |
Collection Key | Enter the collection item key to delete. | Any | Required | |
Example Request
[ { "collection": "ip_intel" } ]
Action: Fetch threat intelligence collection item
This action can be used to fetch a threat intelligence collection item.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Collection | Enter the Collection name. | Text | Required | Allowed values: |
Item | Enter the item that needs to be fetched from the threat intel collection. For example, {"ip":"5.5.5.5"}, {"domain":"example.com"} | Any | Required | |
Example Request
[ { "item": "{\"ip\":\"7.7.7.7\"}", "collection": "ip_intel" } ]
Action: Update Notable Events
This action can be used to update the Notable Events.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Status | Enter a status ID matching a status in the "reviewstatuses.conf" configuration file. | Text | Required | Allowed values: Only required if you are changing the status of the event. |
Urgency level | Enter an Urgency level. | Text | Optional | Allowed values: Only required if you are changing the urgency of the event. |
New owner | Enter a new owner. For example, "Anna". | Text | Optional | Only required if you are reassigning the Event. |
Rule ID | Enter the Rule IDs to update. | Any | Optional | |
Search ID | Enter the search ID. | Any | Optional | All Events associated with this search will be modified unless a list of rule UIDs are provided that limit the scope to a subset of the results. |
Example Request
[ { "urgency": "medium", "newOwner": "Anna", "Status": "True" } ]
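As an added example (not the app's own code), the following Python builds the request bodies for the Create, Fetch and Update Notable Events actions in the shapes the Example Request sections above show, and enforces two details a playbook author can easily get wrong: the Fetch action sends the item as a JSON-encoded string while Create sends a key/value object, and a Search ID with no Rule IDs modifies every event of that search. The function names and the "ruleIds"/"searchId" keys for the Rule ID and Search ID parameters are assumptions, since the page shows no example for them.

```python
import json

# Added example for this page, not the app's own code. Function names and the
# "ruleIds"/"searchId" keys are assumptions; the page gives no example for them.


def create_item_request(collection, item):
    """Create action: the item travels as a key/value object, e.g. {"ip": "41.41.41.41"}."""
    if not isinstance(item, dict) or not item:
        raise ValueError("item must be a non-empty key/value object")
    return [{"item": item, "collection": collection}]


def fetch_item_request(collection, item):
    """Fetch action: unlike create, the item travels as a JSON-encoded string."""
    encoded = json.dumps(item, separators=(",", ":"))  # e.g. '{"ip":"7.7.7.7"}'
    return [{"item": encoded, "collection": collection}]


def update_notable_request(urgency=None, new_owner=None, status=None,
                           rule_ids=None, search_id=None, confirm_whole_search=False):
    """Update Notable Events, refusing an unscoped update unless confirmed.

    A Search ID without Rule IDs modifies every event of that search (see the
    Search ID comment above), so the caller must opt in to that explicitly.
    """
    if urgency is None and new_owner is None and status is None:
        raise ValueError("nothing to update: give a status, urgency or new owner")
    if not rule_ids and not search_id:
        raise ValueError("select events with Rule IDs or a Search ID")
    if search_id and not rule_ids and not confirm_whole_search:
        raise ValueError("Search ID without Rule IDs updates every event of the "
                         "search; set confirm_whole_search=True to allow it")
    body = {}
    if urgency is not None:
        body["urgency"] = urgency
    if new_owner is not None:
        body["newOwner"] = new_owner
    if status is not None:
        body["Status"] = status
    if rule_ids:
        body["ruleIds"] = list(rule_ids)  # assumed key name
    if search_id:
        body["searchId"] = search_id      # assumed key name
    return [body]
```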