Merge pull request #2 from SEKOIA-IO/feat-splunk-new-version
feat: new splunk app
Showing 4,463 changed files with 18,175 additions and 1,321,297 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,32 @@ | ||
# SEKOIA.IO-for-Splunk | ||
# SEKOIA.IO App for Splunk | ||
|
||
Increase your Splunk capabilities with SEKOIA.IO Integration | ||
This application detects threats in your logs by looking for Indicators of Compromise produced by SEKOIA.IO. | ||
|
||
## Fetch IOC database | ||
|
||
When launching the application for the first time, you will have to fill the Application Setup Page with your SEKOIA.IO API Key. | ||
|
||
This will automatically create a configuration using modular input `sekoia_indicators` to fetch IOCs from SEKOIA.IO's Intelligence Center | ||
and store them in separate KV-stores: | ||
|
||
* sekoia_iocs_ipv4 | ||
* sekoia_iocs_domain | ||
* sekoia_iocs_url | ||
* sekoia_iocs_md5 | ||
* sekoia_iocs_sha1 | ||
* sekoia_iocs_sha256 | ||
|
||
Cleanup jobs are also created and scheduled every night to make sure that expired indicators are no longer used to detect threats. | ||
|
||
## Perform lookups | ||
|
||
Configure IOC lookups to actually compare incoming log events to IOCs. You can set up as many lookups as you would like by specifying: | ||
|
||
* The query to select events from your logs. A typical query would be `index=* sourcetype=<YOUR_SOURCETYPE>` | ||
* The field from your logs to compare with the IOC value | ||
|
||
For each lookup, a saved search is automatically created and scheduled to run once every hour. | ||
|
||
Sightings are stored in the `sekoia_alerts` KV-store and listed on the home Dashboard. | ||
|
||
Clicking on the `matched_ioc` will open the Intelligence Center to see context aroung matched indicator. |
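Review bot: The last added line has a typo ("context aroung matched indicator" should read "context around the matched indicator"), and "fill the Application Setup Page" should be "fill in the Application Setup Page". More substantively, the "Fetch IOC database" section tells the user only to supply a SEKOIA.IO API Key, while the accompanying `inputs.conf.spec` also requires a `feed_id` and exposes an `interval`; document both here so the setup page and the spec agree, e.g. "fill in the Application Setup Page with your SEKOIA.IO API Key and the feed ID of the indicators feed to poll".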
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
[sekoia_indicators://<name>] | ||
|
||
interval = 1800 | ||
api_key = <value> | ||
feed_id = <value> |
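Review bot: `api_key = <value>` makes the API key a plain modular-input parameter, which means it ends up in clear text in `inputs.conf` on disk and is readable by anyone with access to the app directory or to `btool`/REST output. Consider storing the key in Splunk's credential store (`storage/passwords`) from the setup page and having `sekoia_indicators` read it from there at runtime, leaving only a credential reference in the input stanza. The spec should also state the unit of `interval` (seconds) and that `api_key` and `feed_id` are required, since an input stanza without them will fail silently when the script runs.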