1
SlashNext Automated Data Enrichment Guide
Splunk Enterprise
USER GUIDE V1.0.0
SLASHNEXT AUTOMATED DATA ENRICHMENT GUIDE SPLUNK ENTERPRISE | USER GUIDE 1.0.0 1
TABLE OF CONTENTS
1 | INSTALLATION ........ 2
2 | CONFIGURATION ........ 3
3 | CUSTOM SEARCH COMMANDS ........ 4
    snxhostreputation ........ 4
    snxhosturls ........ 4
    snxhostreport ........ 5
    snxurlscan ........ 5
    snxurlscansync ........ 5
    snxurlscanreport ........ 6
4 | ENRICHMENT DASHBOARDS ........ 6
1 | INSTALLATION
In order to install the SlashNext App for Splunk, follow these steps:
1. Download the SlashNext App for Splunk from Splunkbase. The app is downloaded as a .tar.gz file.
2. Click on the gear icon under the Apps sidebar on your Splunk home to go to the Manage Apps page.
3. On the Manage Apps page, click on the Install app from file button to upload the app file.
4. Choose the app file that you downloaded earlier and click on the Upload button to upload the file.
5. Splunk will ask you to restart your instance. Click on the Restart Now button to restart the Splunk instance.
6. After the restart is done, log back in to your instance; the SlashNext App for Splunk will now appear under your Apps sidebar. At this point, the app has been installed successfully.

2 | CONFIGURATION
Once the app is installed, you need to configure it with the API credentials provided to you by SlashNext. In order to configure the app, follow the steps below:
1. Click on SlashNext App for Splunk to launch the app.
2. Click on the Setup button on the app menu bar to go to the App Setup page for configuration.
3. Enter the API key provided to you by SlashNext in the API Key field. If you do not have an API key, contact [email protected]. Optionally, you can also specify an alternate API Base URL, but only if SlashNext has specifically instructed you to do so; otherwise leave it empty. Finally, click on the Save button to finish your configuration.
At this point, the configuration for the app is complete and it is ready to be used. In case any error occurs, contact Splunk Support for further assistance.

3 | CUSTOM SEARCH COMMANDS
SlashNext App for Splunk provides custom Splunk Search Commands that enable Splunk users to leverage SlashNext's On-demand Threat Intelligence Cloud platform within the Splunk Platform. The syntax of the search commands and their output is elaborated below.

3.1 | SNXHOSTREPUTATION
Search in SlashNext Cloud database and retrieve the reputation of a host.
Syntax: | snxhostreputation host=<host> / host_field=<field>
Examples:
Execute Host Reputation on Domain "www.slashnext.com":
| snxhostreputation host=www.slashnext.com
Execute Host Reputation on IP "11.22.33.44":
| snxhostreputation host=11.22.33.44
Execute Host Reputation on the "domains" field in all the passed events:
| snxhostreputation host_field=domains
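As an added example (not part of the SlashNext guide), the following search shows how host_field= is used in practice: destination hosts are extracted from web proxy events, aggregated with stats so that each distinct host is passed to snxhostreputation once rather than once per event, and then enriched. The index, sourcetype and field names (proxy, web_proxy, url, src_ip) are assumptions about the local environment, not names from the guide.

```spl
index=proxy sourcetype=web_proxy earliest=-15m
| rex field=url "^(?:[a-zA-Z]+://)?(?<domains>[^/:?#]+)"
| where isnotnull(domains)
| stats count AS hits, dc(src_ip) AS distinct_sources, values(src_ip) AS sources BY domains
| snxhostreputation host_field=domains
```

The same pattern applies to full URLs: keep the url field instead of extracting the host and end the pipeline with snxurlscan url_field=url.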

3.2 | SNXHOSTURLS
Search in SlashNext Cloud database and retrieve the list of all URLs associated with the specified host.
Syntax: | snxhosturls host=<host> urls_limit=<limit>
Examples:
Retrieve at most 10 URLs for Domain "www.slashnext.com":
| snxhosturls host=www.slashnext.com urls_limit=10
Retrieve at most 10 URLs for IP "11.22.33.44":
| snxhosturls host=11.22.33.44 urls_limit=10

3.3 | SNXHOSTREPORT
Queries the SlashNext Cloud database and retrieves a detailed report for a host and associated URL.
Syntax: | snxhostreport host=<host>
Examples:
Retrieve Host Report for Domain "www.slashnext.com":
| snxhostreport host=www.slashnext.com
Retrieve Host Report for IP "11.22.33.44":
| snxhostreport host=11.22.33.44

3.4 | SNXURLSCAN
Perform a real-time URL reputation scan with the SlashNext cloud-based SEER Engine.
Syntax: | snxurlscan url=<url> | url_field=<field>
Examples:
Execute URL Scan on URL www.slashnext.com/about/:
| snxurlscan url=www.slashnext.com/about/
Execute URL Scan on the "urls" field in all the passed events:
| snxurlscan url_field=urls

3.5 | SNXURLSCANSYNC
Perform a real-time URL scan with the SlashNext cloud-based SEER Engine in blocking mode.
Syntax: | snxurlscansync url=<url>
Example:
Execute a Synchronous URL Scan on URL www.slashnext.com/about/:
| snxurlscansync url=www.slashnext.com/about/

3.6 | SNXURLSCANREPORT
Queries the SlashNext Cloud database and retrieves a detailed report for a Scan ID.
Syntax: | snxurlscanreport scan_id=<scan_id> extended_info=<true|false>
Examples:
Retrieve Scan Report for Scan ID 3b8f8a58-837a-4b81-8a0b-4654ab1e304b:
| snxurlscanreport scan_id=3b8f8a58-837a-4b81-8a0b-4654ab1e304b
Retrieve Scan Report for Scan ID 3b8f8a58-837a-4b81-8a0b-4654ab1e304b with Extended Information (Screenshot, HTML and Text data):
| snxurlscanreport scan_id=3b8f8a58-837a-4b81-8a0b-4654ab1e304b extended_info=true

4 | ENRICHMENT DASHBOARDS
SlashNext App for Splunk also provides Splunk users with customized dashboards that use the above-mentioned custom search commands to get enrichment information for IPs, Domains and URLs. To view these enrichment dashboards, follow the steps below:
1. Click on the Enrich button on the app menu bar and a drop-down menu will appear. Select IP-Enrichment, Domain-Enrichment or URL-Enrichment for IPs, Domains and URLs respectively.
2. Let us first show the output of IP Enrichment. Click on IP-Enrichment to show its dashboard. Enter the IP against which the enrichment is to be performed and click on the Submit button. This will submit the request to SlashNext's On-demand Threat Intelligence Cloud.
3. On successful execution, the dashboard will show all the threat information against the scanned IP, as shown below: