DEPRECATED - Please see the Digital Shadows SearchLight Add-on for Splunk v1.0.0 (https://splunkbase.splunk.com/app/6680)
Digital Shadows monitors and manages an organization’s digital risk across the widest range of data sources within the visible, deep, and dark web to protect an organization’s business, brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human data analysts to manage and mitigate risks associated with an organization’s brand exposure, VIP exposure, cyber threat, data loss, infrastructure exposure, physical threat, and third party risk. SearchLight creates an up-to-the minute view of an organization’s external digital risk with tailored threat intelligence.
Technology Add-on for Digital Shadows is used to fetch data from SearchLight portal from Digital Shadow and indexes it in Splunk for further analysis.
**Active subscription to Digital Shadows SearchLight service is required. API credentials can be provided upon request.
Technology Add-on for Digital Shadows
The Technology Add-on for Digital Shadows is used to fetch data from SearchLight portal from Digital Shadow and indexes it in Splunk for further analysis. This Add-on uses Splunk KV store for checkpoint mechanism.
This is an add-on powered by the Splunk Add-on Builder.
- Author: Digital Shadows
- Version: 3.1.0
- Creates Index: False
Compatibility
- Splunk Enterprise version: 8.2.x, 8.1.x, 8.0.x
- OS: Platform independent
- Browsers tested: Chrome and Firefox
Application Setup
- Splunk forwarder system should have 12 GB of RAM and a six-core CPU to run this Technology Add-on smoothly.
Topology and setting up Splunk environment
This Add-On can be set up in two ways:
- Standalone Mode: Install the Add-on app on a single machine. This single machine would serve as a Search Head + Indexer + Heavy forwarder for this setup
- Distributed Environment: Install Add-on on search head and Add-on on Heavy forwarder (for REST API).
- Add-on resides on the search head machine and accounts need to be configured here.
- Add-on needs to be installed and configured on the Heavy forwarder system.
- Execute the following command on Heavy forwarder to forward the collected data to the indexer.
$SPLUNK_HOME/bin/Splunk add forward-server <indexer_ip_address>:9997
- On Indexer machine, enable event listening on port 9997 (recommended by Splunk).
- Add-on needs to be installed on search head for CIM mapping and Adaptive Response actions.
** Note: By default, all data is indexed to the main index. If you want to use a custom index then kindly update "get_digitalshadows_index" macro in Technology Add-on for Digital Shadows.
The account needs to be configured with an account which has admin access on Splunk.
Installation
This Add-on can be installed through UI using "Manage Apps" or extract zip file directly into $SPLUNK_HOME/etc/apps/ folder.
Configuration
To configure Digital Shadows API credentials:
- Navigate to Digital Shadows Add-on
- click on the "Configuration" page
- go to "Account" tab and then click "Add"
- fill in "Account Name", "Address", "Access Key" and "Secret Key".
To configure ingestion of data from Digital Shadows' API:
- Navigate to Digital Shadows Add-on
- click on "Create New Input"
- fill the "Name", "Interval", "Index", "DS Account", "Since", "Incident Types", "Verbose Details" and "Global Incidents" fields.
Upgrading to version 3.1.0
Follow the below steps to upgrade the Add-on to 3.1.0
- Disable all the inputs from the Inputs page of Digital Shadows.
- Install the Digital Shadows Add-on v3.1.0
- Restart Splunk if required and if prompted by Splunk.
- Navigate to the Digital Shadows Add-on for Splunk.
- From the Inputs page, delete the old input. You can also delete the index since we will need a new index due to index-time field changes.
- Now, create a new index and use the new index for creating new input.
- Note: We have added data collection of private incidents with
alerted=true in addition to incidents with alerted=false. Creating a new input as described above will pull previously missed incidents due to this filter parameter.
Uninstall & Cleanup steps
- Remove
$SPLUNK_HOME/etc/apps/TA-digital-shadows
- Remove
$SPLUNK_HOME/var/log/splunk/ta_digital_shadows_digital_shadows_searchlight.log
- Remove
$SPLUNK_HOME/var/log/splunk/update_digital_shadows_incident_status_modalert.log
- To reflect the cleanup changes in UI, Restart Splunk Enterprise instance
Support
