Category Archives: Security Information and Event Management (SIEM)

Retrieving data from Splunk Dashboard Panels via API

Fist of all, why might someone want to get data from the panels of a dashboard in Splunk? Why it might be useful? Well, if the script can process everything that human analyst sees on a Splunk dashboard, all the automation comes very natural. You just figure out what routine operations the analyst usually does using the dashboard and repeat his actions in the script as is. It may be the anomaly detection, remediation task creation, reaction on various events, whatever. It really opens endless possibilities without alerts, reports and all this stuff. I’m very excited about this. ­čÖé

Exporting data from Splunk dashboard

Let’s say we have a Splunk dashboard and want to get data from the table panel using a python script. The problem is that the content of the table that we see is not actually stored anywhere. In fact it is the results of some search query, from the XML representation of the dashboard, executed by Splunk web GUI. To get this data we should execute the same search request.

That’s why we should:

  1. Get XML code of the dashboard
  2. Get the search query for each panel
  3. Process searches based on other searches and get complete search query for each panel
  4. Launch the search request and get the results

First of all, we need to create a special account that will be used for getting data from Splunk. In Web GUI “Access controls -> Users”.

Continue reading

Creating Splunk Alerts using API

As I mentioned in “Accelerating Splunk Dashboards with Base Searches and Saved Searches“, Splunk Reports are basically the Saved Searches. Moreover, Splunk Alerts are also the same Saved Searches with some additional parameters.

Creating Splunk Alerts using API

The question is what parameters you need to set to get the right Alert.

Continue reading

VB-Trend 2018 Splunk Conference

Today I attended VB-Trend 2018 Splunk conference organized by system integrator VolgaBlob.

VB-Trend 2018

Video fragments from the event:

Comparing to “Splunk Discovery Day“, the conference was much smaller (less than 100 people), focused on┬átechnical aspects, Information Security and informal communication. And I need to say that there really was a lot of talks with colleagues from different companies, not only about Splunk, but also about Vulnerability Management, Application Security and Container Security.

Continue reading

Splunk Discovery Day Moscow 2018

Today I attended the Splunk Discovery Day 2018 conference. It is something like a local equivalent of the famous Splunk .conf. More than 200 people have registered. The event was held in the luxury Baltschug Kempinski hotel in the very center of Moscow with a beautiful view of the Red Square and St. Basil’s Cathedral.

Recently, I have been working more and more with Splunk: I develop connectors, write searches and dashboards, optimize them. Splunk has become the main data visualization tool for me.

Splunk Discovery Day Moscow 2018

Video from the event (27 minutes). This is NOT a complete recording of speeches, but rather some fragments and slides.

At the same time, I make most of data analysis with my own Python scripts. Currently this approach seems more effective. But as for providing final results in a beautiful way and making various notifications, in this sphere Splunk is really convenient and useful. Of course, I can make own a Web GUI application that will do something similar for my tasks, it doesn’t make sense if there is an Enterprise level tool that is very good for this.

My tasks are not quite typical for Splunk clients from Security Teams who look at it in the context of SIEM and SOC mainly. Asset Inventory is actually similar to Business Intelligence: almost all connectors are non-standard, and there are no strict requirements for real time (we operate with days and months, not seconds). We have same approach: “Bring some data to Splunk and get insights from it.” And in this sense, it is great that this event was NOT for the information security experts mainly.

It was mentioned a lot that Splunk is primarily a tool for Business Intelligence. And it’s not just for geeks. Splunk is preparing a mobile application with augmented reality, technologies for recognizing requests in natural language and voice. I think this is all mainly for fun, but the trend for casualty is clear.

Continue reading

Accelerating Splunk Dashboards with Base Searches and Saved Searches

Let’s say we have a Splunk dashboard with multiple panels. Each panel has its own search request and all of these requests work independently and simultaneously. If they are complex enough, rendering the dashboard may take quite a long time and some panels may even fall by timeout.

Accelerating Splunk Dashboards

How to avoid this? The first step is to understand how the searches are related. May be it is possible to select some base searches, and reuse their results in other child-searches. It’s also possible to get cached results from the “Saved Searches” (another name of Reports in Splunk GUI).

Continue reading

How to create and manage Splunk dashboards via API

In the previous post “How to correlate different events in Splunk and make dashboards” I mentioned that Splunk dashboards can be presented in a simple XML form. You can generate it with some script and then copy-past it in Splunk GUI.

Splunk dashboard manage api

However, this manual operations can make the process of debugging dashboards really annoying. It would be much easier to send dashboard XML content to Splunk using Splunk API. And it is actually possible. ­čÖé

Continue reading

CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam

Two weeks ago I was speaking at a very interesting information security event – CyberThursday. This is a meeting of a closed Information Security practitioners group. The group is about 70 people, mainly from the financial organizations, telecoms and security vendors.

CyberThursday 2018 Asset Inventory

These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place. It constantly moves between the offices of large Russian companies. The hoster, usually a CISO, can bring his IT and InfoSec colleagues. For others, only “bring a friend” format is available. This helps keep the event focussed and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing, all topics are practical and relevant.

Continue reading