# Splunk SIEM
## Overview

The Nile Service Block (NSB) integrates with Splunk via Splunk's HTTP Event Collector (HEC) to export NSB security events (audit logs and user device events) to Splunk for log analysis and archiving by the customer.

## Prerequisites

- A Splunk Cloud instance, or an on-premises Splunk instance reachable from the Nile cloud
- Administrative login to the Splunk instance
- Administrative login to the Nile portal
- The Nile Service Block supports only HTTPS with a CA-signed SSL certificate, or plain HTTP with no SSL. Self-signed HTTPS certificates are not accepted.

## Splunk configuration

### Create a Splunk HTTP Event Collector

1. Log in to the Splunk instance as an administrator.
2. Navigate to Settings, then select Data Inputs from the Data section.
3. Click the "+ Add new" link to create a new HTTP Event Collector (HEC).
4. Type a descriptive name for the collector; this example uses "nile test". Keep all other values at their defaults ("optional"). Then, click the Next button.
5. Keep the source type as Automatic and keep the index as "main".

   Note: HEC data is stored in the main index by default; you can create a specific index by clicking "Create a new index". This can be changed at any time. This example uses the main index; in production, use a sandbox index first and change the setting later.

6. Then, click the Review button.
7. Verify the HTTP Event Collector configuration, then click the Submit button.
8. Copy the contents of Token Value and save it in a text file for later use in the Nile portal network setup (the example token here is "55344676-48db-4a9a-a522-23b95c"), then click the Start Searching button.
9. Enter a search string; in this example, `source="http test" (index="main")`.

### Configure the Splunk HTTP Event Collector

After creating the HTTP Event Collector, enable the collector and configure the port and SSL options.

1. From the Data section, click the Data Inputs link, then click the HTTP Event Collector link.
2. In the HTTP Event Collector page, click the Global Settings button.
3. Enter these values into the form:
   - All Tokens: click Enabled
   - Enable SSL: check (HTTPS) or uncheck (HTTP) the checkbox
   - HTTP Port Number: 8088 (default)
   - Keep all other settings at their default values.
4. Click the Save button.

This example shows SSL disabled and the port number at its default value.

Important note: the SSL and port number settings are global settings and affect all HTTP Event Collectors.

## Nile portal configuration

### Add the Splunk collector to the Nile portal

1. Log in to the Nile portal (https://u1.nile-global.cloud/) using an admin account.
2. Navigate to Global Settings → Integration subtab.
3. Click ⊕; a new popup window opens. Then click Splunk.
4. Fill out the Splunk information:
   - Token: copy and paste the token saved when creating the Splunk HEC
   - URL: enter the Splunk Cloud URL plus the port number
5. Click the Next button.
6. Select, by clicking the checkboxes, whether Audit, User Device Events, and/or Alerts need to be sent to Splunk.
7. Click the Save button to save the settings.
8. Click Splunk, then click ↔ to test the connection. If the test is successful, the collector status changes to Up (green); if it fails, it shows as Down (red).

To modify the Splunk URL or token, click the pen icon; to delete the Splunk integration, click the trash icon.

## Verify Nile events under Splunk Search & Reporting

1. Log in to the Splunk instance as an administrator.
2. In the top menu, click Search.
3. Use the HEC name as the source, the index name for the specific index, and the filter for searching for specific data. For this example, the HEC name is "nile test", the index name is "main", and the filter is `source="http test" (index="main")`.
4. Use a topic name to display only audits or user device events. Examples:
   - `source="http test" (index="main", topic="audit")`
   - `source="http test" (index="main", topic="userdeviceevents")`
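The Nile portal's ↔ connection test only reports Up or Down, so it helps to preflight the HEC endpoint yourself before entering the URL and token: confirm the URL and port parse as expected, confirm that an HTTPS endpoint presents a certificate that chains to a trusted CA (the same class of check that makes the Nile Service Block reject self-signed certificates), and post one constructed event with the token. The script below is an added example, not Nile's or Splunk's own code. It relies on Splunk's documented HEC endpoint path `/services/collector/event` and `Authorization: Splunk <token>` header; the host, port and token are placeholders, the sample event is constructed, and placing `topic` as a key inside the JSON event (so it is searchable as `topic="audit"`) is this example's convention, not something the page specifies.

```python
"""Preflight a Splunk HEC endpoint before wiring it into the Nile portal.

Added example, not Nile or Splunk code. Host, port and token are placeholders.
"""
import json
import socket
import ssl
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"   # documented Splunk HEC event endpoint
DEFAULT_HEC_PORT = 8088                   # Splunk's default HEC port


def parse_hec_url(url):
    """Validate the URL+port that will be entered in the Nile portal.

    Only http or https are accepted, matching the page's constraint; the port
    defaults to 8088 when omitted. Returns a dict of scheme, host and port.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme %r; use http or https" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_HEC_PORT}


def build_hec_request(url, token, event, source="http test", index="main"):
    """Return (endpoint, headers, body) for one HEC event; no network access.

    source/index default to the values used in the page's search examples.
    """
    p = parse_hec_url(url)
    endpoint = "%s://%s:%d%s" % (p["scheme"], p["host"], p["port"], HEC_PATH)
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    payload = {"source": source, "index": index, "event": event}
    return endpoint, headers, json.dumps(payload).encode()


def check_tls_chain(host, port, timeout=5.0):
    """Handshake with the HEC port using the system CA store.

    A self-signed or otherwise untrusted certificate raises
    ssl.SSLCertVerificationError, which is exactly the case the Nile Service
    Block will not accept. Returns the certificate's subject CN on success.
    """
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(item[0] for item in cert["subject"])
    return subject.get("commonName", "")


def send_test_event(url, token, timeout=5.0):
    """Post one constructed audit-style event and return Splunk's JSON reply.

    HEC answers {"text": "Success", "code": 0} when the token is accepted; an
    invalid or disabled token surfaces as urllib.error.HTTPError (HTTP 403).
    """
    p = parse_hec_url(url)
    if p["scheme"] == "https":
        check_tls_chain(p["host"], p["port"], timeout)   # fail early on bad certs
    # Constructed sample event; "topic" mirrors the page's topic-based searches.
    event = {"topic": "audit", "message": "nile hec preflight (constructed test event)"}
    endpoint, headers, body = build_hec_request(url, token, event)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Placeholders: replace with the URL+port for the Nile portal and the HEC token.
    print(send_test_event("https://splunk.example.com:8088", "REPLACE-WITH-HEC-TOKEN"))
```

Run it with SSL enabled in the HEC global settings and a CA-signed certificate: a `Success` reply means the token, port and certificate chain are all acceptable before you save the integration in the Nile portal. With SSL disabled, use an `http://` URL and the TLS check is skipped, as the page's example configuration does. After a successful post, the constructed event is visible in Splunk with `source="http test" index="main" topic="audit"`.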