Splunk Enterprise Security
App Vendor: Splunk
App Category: Analytics & SIEM
Connector Version: 2.0.0
API Version: 7.1.0
About App
The Splunk Enterprise Security connector app allows security teams to integrate with the Splunk Enterprise Security enterprise application, an analytics-driven SIEM solution used to quickly detect and respond to internal and external attacks.
The Splunk Enterprise Security app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Generic Action | This action goes beyond the actions implemented by the connector by letting you make a request to any Splunk REST endpoint. |
Create Threat Intel Collection Item | This action creates one or more rows in a collection. |
Delete Threat Intel Collection Item | This action deletes one or more rows from a collection. |
Fetch Threat Intel Collection Item | This action fetches rows from a threat intelligence collection that match a filter. |
Update Notable Events | This action updates one or more notable events (status, urgency, owner, comment). |
Configuration Parameters
The following configuration parameters are required for the Splunk Enterprise Security app to communicate with the Splunk Enterprise Security enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of the Splunk Enterprise Security REST management interface (port 8089 by default). Example: https://host:port | Text | Required | |
Username | Enter the username. | Text | Required | |
Password | Enter the password. | Password | Required | |
Verify | Whether to validate the Splunk server's TLS certificate. Leave this enabled; disabling it allows anyone on the network path to impersonate the server and capture the username and password sent with every request. | Boolean | Optional | Default: True |
Timeout | Enter the timeout value in seconds. This is the number of seconds a request will wait to establish a connection with the Splunk Enterprise Security server. | Integer | Optional | Available range: 15-120 seconds. Default value: 15 seconds |
Action: Generic Action
This is a generic action that goes beyond the actions implemented by the connector by letting you make a request to any Splunk REST endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use for the request (for example GET, POST or DELETE). | Text | Required | |
Endpoint | Enter the endpoint path to request, relative to the base URL. Example: /services/notable_update | Text | Required | |
Query params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the request body to pass to the API. | Any | Optional | |
Additional fields | Enter any additional parameters to pass with the request. For the available keys, refer to the API documentation. Example: {'download':true,'custom_output':'this is a custom output'} | Key Value | Optional | |
Action: Create Threat Intel Collection Item
This action creates one or more rows in a collection.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection | Enter the threat intel collection name. | Text | Required | Available values: refer to the API documentation for the collection names in your deployment. |
Item | Enter the key-value pairs to insert as a new row in the collection. Example: {'file_name':'threat.trt', 'file_extension':'trt'} | Any | Required | For the fields each collection accepts, refer to the API documentation. |
Action: Delete Threat Intel Collection Item
This action deletes one or more rows from a collection.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection | Enter the threat intel collection name. | Text | Required | Available values: refer to the API documentation for the collection names in your deployment. |
Key | Enter the _key values of the rows you intend to delete from the threat intel collection. Example: $list[{"_key":"2e58177235804a739d4d768c26077b24"},{"_key":"2e58177235804a739d4d768c26077bd4"}] | List | Required | |
Action: Fetch Threat Intel Collection Item
This action fetches the rows of a threat intelligence collection that match a filter.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Collection | Enter the threat intel collection name. | Text | Required | Available values: refer to the API documentation for the collection names in your deployment. |
Item | Enter a JSON-encoded filter for the rows to return. Example: {'ip':'41.41.41.41'} returns the rows whose ip field is 41.41.41.41; a list of filters such as [{"ip":"5.5.5.5"},{"domain":"example.com"}] is also accepted. | Any | Required | |
Action: Update Notable Events
This action updates one or more notable events, selected by rule ID and/or search ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter the status ID. Example: 5 | Text | Optional | Only required if you are changing the status of the event. Status IDs map to the statuses configured in Splunk ES; in the default set, 5 is Closed. |
Urgency | Enter the urgency. Example: High | Text | Optional | Only required if you are changing the urgency of the event. Allowed values: the urgency levels defined in Splunk ES (informational, low, medium, high, critical). |
New owner | Enter the new owner. Example: anna | Text | Optional | Only required if the event is being reassigned. |
Rule ids | Enter the rule IDs (the event_id values of the notable events) to update. Example: ['29439fbc-ffcb-45ff-93c2-420202012e1e@@notable@@75ecb6a3938d114b29c095f7ee9278b0'] | List | Optional | |
Search id | Enter the search ID (SID) of the search whose results are the notable events to update. | Text | Optional | All events returned by this search will be modified unless a list of rule IDs is also provided, which limits the scope to that subset of the results. |
Comment | Enter a description of the change or other information about the notable events. | Text | Optional | |
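The following is an added example, not the connector's own code, showing the Splunk REST calls that sit behind the Generic Action, the three threat intel collection actions and the Update Notable Events action, built with the Python standard library so the request shape can be inspected offline. The hostname, credentials, collection name (ip_intel) and the SA-ThreatIntelligence app namespace are assumptions for illustration; treating a list of fetch filters as a KV store $or query is also an assumption about the connector's behaviour.

```python
"""Added example (not the connector's code): the Splunk ES REST requests behind
the connector's actions. Host, credentials, app namespace and collection name are
assumed values chosen for illustration."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://splunk.example.internal:8089"  # assumed; REST management port
USERNAME = "svc_orchestrate"                       # assumed
PASSWORD = "replace-me"                            # assumed
THREAT_INTEL_APP = "SA-ThreatIntelligence"         # ES app that owns the threat intel KV store collections


def _auth_header():
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    return f"Basic {token}"


def build_request(method, endpoint, query=None, payload=None, json_body=False):
    """Generic Action: an authenticated request to any endpoint under BASE_URL.
    query: dict of URL parameters. payload: dict sent as form fields, or as JSON
    when json_body=True. List values become repeated fields (e.g. several ruleUIDs)."""
    params = {"output_mode": "json", **(query or {})}
    url = f"{BASE_URL}{endpoint}?{urllib.parse.urlencode(params, doseq=True)}"
    headers = {"Authorization": _auth_header()}
    data = None
    if payload is not None:
        if json_body:
            data = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        else:
            data = urllib.parse.urlencode(payload, doseq=True).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=data, method=method.upper(), headers=headers)


def update_notable_request(status=None, urgency=None, new_owner=None,
                           rule_ids=None, search_id=None, comment=None):
    """Update Notable Events: POST /services/notable_update. Only the fields that
    are set are sent, so an omitted status or urgency is left unchanged. The update
    must be scoped by rule IDs and/or a search ID; an unscoped call is refused."""
    if not rule_ids and not search_id:
        raise ValueError("provide rule_ids and/or search_id; refusing an unscoped update")
    fields = {"status": status, "urgency": urgency, "newOwner": new_owner,
              "searchID": search_id, "comment": comment, "ruleUIDs": rule_ids}
    payload = {k: v for k, v in fields.items() if v not in (None, "", [])}
    return build_request("POST", "/services/notable_update", payload=payload)


def kv_collection_endpoint(collection):
    """KV store data endpoint of a threat intel collection in the ES app namespace."""
    return f"/servicesNS/nobody/{THREAT_INTEL_APP}/storage/collections/data/{collection}"


def create_collection_items(collection, items):
    """Create Threat Intel Collection Item: POST one JSON row, or several rows
    via the collection's batch_save endpoint."""
    endpoint = kv_collection_endpoint(collection)
    if len(items) == 1:
        return build_request("POST", endpoint, payload=items[0], json_body=True)
    return build_request("POST", endpoint + "/batch_save", payload=items, json_body=True)


def fetch_collection_items(collection, item_filter):
    """Fetch Threat Intel Collection Item: GET with the filter JSON-encoded in the
    'query' parameter. A list of filters is combined with $or (assumed mapping)."""
    query = {"$or": item_filter} if isinstance(item_filter, list) else item_filter
    return build_request("GET", kv_collection_endpoint(collection),
                         query={"query": json.dumps(query)})


def delete_collection_items(collection, keys):
    """Delete Threat Intel Collection Item: one DELETE per _key. Never DELETE the bare
    collection endpoint without a query: that empties the whole collection."""
    endpoint = kv_collection_endpoint(collection)
    return [build_request("DELETE", f"{endpoint}/{row['_key']}") for row in keys]


def send(request, verify=True, timeout=15):
    """Execute a built request. Keep verify=True outside a lab: with it off, the
    Basic credentials above go to whoever answers on the wire."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Show the request shape without contacting a server (constructed input).
    req = update_notable_request(status="5", comment="Closed by playbook",
                                 rule_ids=["29439fbc@@notable@@75ecb6a3"])
    print(req.get_method(), req.full_url, req.data)
```

The builders return urllib Request objects rather than sending them, so a playbook author can log or review the exact endpoint, method and body before calling send(). The refusal to build an unscoped notable update mirrors the table above: without rule IDs or a search ID there is nothing to limit which events change.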