Splunk Enterprise

Splunk Enterprise is software that enables you to search, analyze, and visualize data gathered from the components of your IT infrastructure or business.

Supported Actions and Example Prompts

The following list gives the supported actions and a prompt example for each action:

Custom Search

    • Description: This action searches using a custom query in the Splunk Enterprise application. For more information, see Action: Custom Search.

    • Prompt Example: Search for search index=_internal source=*/metrics.log', '| inputlookup co_table' between the timestamps 2023-10-15T07:30:00 and 2023-10-15T08:00:00 in Splunk Enterprise.

Search Events

    • Description: This action searches for events using a Search ID (SID) in the Splunk Enterprise application. For more information, see Action: Search Events.

    • Prompt Example: Search events for SID 011f117a9f3002002920bde8132e7020 in Splunk Enterprise.

Search Splunk Event Database

    • Description: This action looks up IOCs in the Splunk database. For more information, see Action: Search Splunk Event Database.

    • Prompt Example: Search for the IOCs 203.95.8.98 and 203.95.9.54 in the Splunk Database.

Install and Configure the App

Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.

Before You Start

Ensure that you have the API token to authenticate with the Splunk Enterprise app.

Steps

To install and configure an app, follow these steps:

  1. In the application, select Quarterback AI in the left pane.

  2. In Apps, select Splunk Enterprise and click Install.

  3. After the app is installed, click Configure and enter the following details to create an instance:

    • Instance Name: Enter a name for the instance.

    • Instance Description: Enter a description for the instance.

    • Expiry: Select an expiry date for the instance.

    • Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.

    • Base URL: Enter the base URL to access the Splunk Enterprise application. For example, https://splunkdomain.com/.

    • Username: Enter the username to access Splunk.

    • Password: Enter the password to authenticate with Splunk.

    • Version: Enter the Splunk Enterprise version being used. For example, 8.0.0.

    • Auth Token: Enter the API token for authorization.

    • Verify: Select this option to verify SSL while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.

    • Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Splunk Enterprise. You can enter values between 15 and 120 seconds. By default, 15 seconds is set.

  4. Click Done.

The instance is created, and you can view it in Instances. To create another instance, click Add Instance.

Action: Search Events

This action searches for events using the search ID (SID) in the Splunk Enterprise application.

Note

This action is supported by Splunk Enterprise version 9.0.1 onwards.

Action Input Parameters

SID

    • Description: Enter the search ID (SID) of the search whose events you want to retrieve. Example: 011f117a9f3002002920bde8132e7020

    • Field Type: Text

    • Required/Optional: Required

Example Request

[
    {
        "sid": "011f117a9f3002002920bde8132e7020"
    }
]

Action Response Parameters

The paths below are XPath-style expressions into the XML results document that Splunk returns for the search.

    • {app_instance} (JSON Object): This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

    • app_instance/results/meta/fieldOrder/field (String): The order of fields in the results.

    • app_instance/results/result/field[@k='arch']/value/text (String): The architecture type, e.g., 'i686'.

    • app_instance/results/result/field[@k='build']/value/text (String): The build number, e.g., '98164'.

    • app_instance/results/result/field[@k='connectionType']/value/text (String): The type of connection, e.g., 'cooked'.

    • app_instance/results/result/field[@k='date_hour']/value/text (Integer): The hour part of the date, e.g., '19'.
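To show how the response paths above map onto what Splunk returns, here is an added example (not code from the Quarterback AI app or from Splunk) that parses a constructed XML results document of that shape into Python dicts, honouring the field order and treating date_hour as an integer as the table states. The sample XML and the INTEGER_FIELDS set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped after the documented paths:
# results/meta/fieldOrder/field and results/result/field[@k]/value/text
SAMPLE_RESULTS_XML = """<results preview="0">
  <meta>
    <fieldOrder>
      <field>arch</field>
      <field>build</field>
      <field>connectionType</field>
      <field>date_hour</field>
    </fieldOrder>
  </meta>
  <result offset="0">
    <field k="arch"><value><text>i686</text></value></field>
    <field k="build"><value><text>98164</text></value></field>
    <field k="connectionType"><value><text>cooked</text></value></field>
    <field k="date_hour"><value><text>19</text></value></field>
  </result>
  <result offset="1">
    <field k="arch"><value><text>x86_64</text></value></field>
    <field k="build"><value><text>98164</text></value></field>
    <field k="connectionType"><value><text>raw</text></value></field>
    <field k="date_hour"><value><text>20</text></value></field>
  </result>
</results>"""

# Fields the response table documents as Integer; everything else stays a string.
INTEGER_FIELDS = {"date_hour"}


def parse_search_results(xml_text):
    """Return (field_order, rows); each row is a dict keyed by the field's k attribute."""
    root = ET.fromstring(xml_text)
    field_order = [f.text for f in root.findall("./meta/fieldOrder/field")]
    rows = []
    for result in root.findall("./result"):
        row = {}
        for field in result.findall("./field"):
            key = field.get("k")
            # A field may carry several <value> elements (multivalue field); keep all.
            values = [t.text for t in field.findall("./value/text")]
            if key in INTEGER_FIELDS:
                values = [int(v) for v in values]
            row[key] = values[0] if len(values) == 1 else values
        rows.append(row)
    return field_order, rows
```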

Action: Search Splunk Event Database

This action looks up IOCs in the Splunk database.

Action Input Parameters

IOCs

    • Description: Enter the list of IOCs to look up in the Splunk database. Example: [203.95.8.98, 203.95.9.54]

    • Field Type: List

    • Required/Optional: Required

    • Comments: Accepted IOC value types: sha1, sha512, sha224, sha384, sha256, md5, domain, ipv4, ipv6, url

Earliest Time

    • Description: Enter the earliest timestamp from which the query runs. Example: -30d

    • Field Type: Text

    • Required/Optional: Optional

Index Name

    • Description: Enter the index name to restrict the IOC lookup to a specific index. Example: sample_index_name

    • Field Type: Text

    • Required/Optional: Optional

Example Request

[
    {
        "iocs": [
            "203.95.8.98",
            "203.95.9.54"
        ],
        "earliest": "-60d",
        "index_name": "sample_index_name"
    }
]
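As an added example (not part of the Quarterback AI app), the following Python code checks each IOC against the accepted value types listed above before anything is submitted, and assembles the request body in the shape of the example request. Classifying hashes by hex digest length and the domain pattern are simplifications chosen for this example, and the defaults for earliest and index_name are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hex digest length -> accepted hash type (an assumption: length alone identifies the family).
_HASH_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Simplified hostname check: dotted labels, no leading/trailing hyphen, alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value):
    """Map an IOC string to one of the accepted types, or None if it is unsupported."""
    v = value.strip()
    if _HEX_RE.match(v) and len(v) in _HASH_LENGTHS:
        return _HASH_LENGTHS[len(v)]
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if _DOMAIN_RE.match(v):
        return "domain"
    return None


def build_ioc_request(iocs, earliest="-30d", index_name=None):
    """Build the request body for the Search Splunk Event Database action.

    Raises ValueError naming every IOC that is not of an accepted type, so that
    a malformed list is caught client-side instead of producing an empty search.
    """
    rejected = [i for i in iocs if classify_ioc(i) is None]
    if rejected:
        raise ValueError(f"unsupported IOC values: {rejected}")
    body = {"iocs": [i.strip() for i in iocs], "earliest": earliest}
    if index_name:
        body["index_name"] = index_name
    return [body]
```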

Action Response Parameters

    • app_instance.init_offset (Integer): Initial offset value.

    • app_instance.messages (Array): An array of message objects.

    • app_instance.messages.text (String): The text content of the message.

    • app_instance.messages.type (String): Type of the message. Example: DEBUG

    • app_instance.preview (Boolean): Indicates whether the results are a preview.

    • app_instance.results (Array): An array of result objects.

    • app_instance.results.index (String): Index name of the result.

    • app_instance.results.source (String): Source path of the result.

    • app_instance.results.sourcetype (String): Source type of the result.