The Team Cymru Scout App For Splunk pulls indicators from the Team Cymru Scout platform, correlates them with events already indexed in Splunk, and provides dashboards for visualization.
The Team Cymru Scout App For Splunk can be installed through the Splunk UI as shown below. Alternatively, the .tar or .spl file can be extracted directly into the $SPLUNK_HOME/etc/apps/ folder.

1. Click Install app from file.
2. Click Choose file and select the Team Cymru Scout App For Splunk installation file.
3. Click Upload.
This App can be set up in two ways:

1. On a standalone Splunk instance, use the App Setup section to configure the App.
2. In a distributed deployment, configure the App Setup section on the Heavy Forwarder (where the inputs collect data) and the App Setup section on the Search Head (where the dashboards and correlation run).

If App Setup is configured through the UI on only a single search head of a search head cluster, the configuration will not be visible on the other search heads. The recommended approach is to configure the App Setup section on the Search Head; following these steps will replicate the configuration on all search heads.

Configure Team Cymru Scout App For Splunk:

1. Configure an account in the Account section.
2. Optionally, configure a Proxy or Logging in their respective sections.
3. Configure the KV Lookup Rest and Correlation Settings sections respectively.
4. Once KV Lookup Rest and Correlation Settings are configured, users can configure the inputs by specifying the required parameters.
5. Enable correlation for the required indicator types in the Correlation Settings section.

NOTE: There might be some delay before the dashboards populate, as these dashboards are based on savedsearches.
To configure the Account, go to Configuration, open the Account tab, and click Add. Fill in the parameters below.

Team Cymru Scout App Account parameters | Mandatory or Optional | Description |
---|---|---|
Account name | Mandatory | Enter a unique name for this account. |
Authentication Type | Mandatory | Select the type of authentication. Available options are Basic Auth and API Key. |
Username | Mandatory (Basic Auth) | Enter the username for this account. |
Password | Mandatory (Basic Auth) | Enter the password for this account. |
API Key | Mandatory (API Key) | Enter the API Key for this account. |
To configure the Proxy, go to Configuration, open the Proxy tab, fill in the parameters below, and click Save.

Proxy Parameters | Mandatory or Optional | Description |
---|---|---|
Enable | Optional | To enable the proxy |
Proxy Type | Optional | Type of the Proxy. Available options are http and socks5. Default is http. |
Host | Optional | Host or IP of the proxy server |
Port | Optional | Port for proxy server |
Username | Optional | Username of the proxy server |
Password | Optional | Password of the proxy server |
To configure Logging, go to Configuration, open the Logging tab, select the log level, and click Save. By default the log level is set to 'INFO'.

To configure the Splunk KVStore, go to Configuration and open the KV Lookup Rest tab.

KVStore Parameters | Mandatory or Optional | Description |
---|---|---|
Collection Type | Mandatory | Select the mode used to create lookups. (Default: Index) |
Indicator Indices | Mandatory (index) | The master lookup for indicators will be updated based on the indicator data in the selected indices. |
Splunk Rest Host URL | Mandatory (lookup) | Enter the Splunk REST host or localhost (without the http(s) scheme) to collect data. (Default: localhost) |
Port | Mandatory (lookup) | Enter the Splunk management port. (Default: 8089) |
Splunk Username | Mandatory (lookup) | Not required if Splunk Rest Host URL is localhost or 127.0.0.1. The configured user should have at least the capabilities of the power role. |
Splunk Password | Mandatory (lookup) | Enter the password for the Splunk account. Not required if Splunk Rest Host URL is localhost or 127.0.0.1. |

NOTE: In a cluster environment, make sure that all fields are configured and that the splunkd management port (8089) is reachable from the node running the App, because the lookups are stored over that port. Use a dedicated Splunk user that has only the capabilities this App needs rather than an admin account, since its credentials are stored by the App.
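When Collection Type is set to lookup and Splunk Rest Host URL is a remote host, the App has to write lookup rows to the KV Store over the management port using the credentials entered above. The Python below is added here as an illustration of that exchange; it is not the App's own code. The endpoint path, the two Authorization header forms and the management port come from Splunk's REST API and this page; the app folder name example_app, the service account name, and the row field names are assumptions.

```python
"""Added example (not the Team Cymru Scout App's code): writing indicator rows
to a Splunk KV Store collection over the management port, as the 'lookup'
collection type must do when Splunk Rest Host URL is a remote host."""
import base64
import json
import ssl
import urllib.request

# Assumed names: the app folder that owns the collection and a service account.
APP = "example_app"
SERVICE_USER = "svc_kvstore"


def validate_rest_host(host):
    """The page asks for the host without the http(s) scheme; reject it early."""
    host = host.strip()
    if not host or "://" in host or "/" in host:
        raise ValueError("enter the Splunk REST host without the http(s) scheme or a path")
    return host


def chunk_rows(rows, size=1000):
    """batch_save limits the documents per call (limits.conf [kvstore]
    max_documents_per_batch_save, 1000 by default); split large uploads."""
    return [rows[i:i + size] for i in range(0, len(rows), size)]


def kvstore_batch_save_request(host, port, app, collection, rows,
                               username=None, password=None, session_key=None):
    """Build (url, headers, body) for POST .../storage/collections/data/<collection>/batch_save.

    Each row should carry a _key (here the indicator itself) so that a re-upload
    updates the existing document instead of inserting a duplicate.
    On localhost the App can reuse its own session key; a remote host needs a
    username/password (page: at least the power role), sent as HTTP Basic auth.
    """
    host = validate_rest_host(host)
    if not rows:
        raise ValueError("batch_save needs at least one row")
    url = (f"https://{host}:{int(port)}/servicesNS/nobody/{app}"
           f"/storage/collections/data/{collection}/batch_save")
    headers = {"Content-Type": "application/json"}
    if session_key:
        headers["Authorization"] = f"Splunk {session_key}"
    elif username and password:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    else:
        raise ValueError("a remote KV Store write needs a session key or username/password")
    return url, headers, json.dumps(rows).encode()


def send(url, headers, body, cafile=None, timeout=30):
    """POST over TLS with certificate verification kept on. For a self-signed
    splunkd certificate pass its CA bundle as cafile instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed rows shaped like IP indicator lookup entries (field names assumed).
    rows = [{"_key": ip, "indicator": ip, "indicator_type": "ip"}
            for ip in ("203.0.113.10", "198.51.100.77")]
    for batch in chunk_rows(rows):
        url, headers, body = kvstore_batch_save_request(
            "splunk-sh.example", 8089, APP, "team_cymru_indicators_foundation_ip",
            batch, username=SERVICE_USER, password="change-me")
        print(url)  # send(url, headers, body) performs the actual write
```

The point of `validate_rest_host` and `send` is the two mistakes that most often follow a "connection refused" on port 8089: pasting the host with its https:// scheme, and switching off certificate verification to get past a self-signed splunkd certificate. The first is rejected up front; the second is handled by passing the CA bundle instead.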
To configure the Correlation Settings, go to Configuration and open the Correlation Settings tab.

Correlation Parameters | Mandatory or Optional | Description |
---|---|---|
Enabled Indicator Types | Optional | Select the indicator types you want to enable correlation for. Available options are Domain and IP. |
Search Matching Algorithm | Optional | Select the method for correlating indicators. Available options are Raw search and Datamodel Search |
Select Datamodels | Optional | Select the data models from the list |
IP: Target Query | Optional | Splunk query to get events from target events for correlation with IP Indicators |
IP: Target Fields | Optional | Comma separated list of fields from target events to be used in correlation |
Domain: Target Query | Optional | Splunk query to get events for correlation with Domain Indicators |
Domain: Target Fields | Optional | Comma separated list of fields to be used in correlation |
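What the Raw search mode does with the Target Query and Target Fields settings, written out in Python as an added example (not the App's own code, and not its real lookup field names): the events returned by the target query are scanned on each listed field, values are normalized so that letter case, a trailing dot or an alternative IPv6 spelling cannot hide a hit, and the hits are summarized the way a team_cymru_matched_indicators_* row might be. The indicator rows, events and field names are constructed for the example. The subdomain option goes beyond what the page describes and is marked as such in the code.

```python
"""Added example (not the Team Cymru Scout App's code): the correlation step
behind Correlation Settings, done offline on constructed data."""
import ipaddress
from collections import defaultdict

# Constructed indicator rows; the field names are assumptions, not the App's.
IP_INDICATORS = [{"indicator": "203.0.113.10"}, {"indicator": "198.51.100.77"}]
DOMAIN_INDICATORS = [{"indicator": "bad.example.net"}, {"indicator": "c2.example.org"}]

# Constructed events, as a 'Target Query' over network and DNS logs might return them.
TARGET_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "query": "www.example.com"},
    {"src_ip": "203.0.113.10", "dest_ip": "10.0.0.9", "query": "BAD.example.net."},
    {"src_ip": "10.0.0.7", "dest_ip": "192.0.2.1", "query": "mail.example.com"},
    {"src_ip": "10.0.0.8", "dest_ip": "198.51.100.77", "query": "sub.c2.example.org"},
]


def parse_target_fields(spec):
    """'Target Fields' is a comma separated list; tolerate spaces and empty items."""
    return [f.strip() for f in spec.split(",") if f.strip()]


def normalize_ip(value):
    """Canonical IP text (so 2001:DB8:0::1 and 2001:db8::1 compare equal), else None."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def normalize_domain(value):
    """Lower-case and drop a trailing dot so 'BAD.example.net.' matches 'bad.example.net'."""
    return str(value).strip().lower().rstrip(".") or None


def correlate(indicators, events, target_fields, normalize, match_subdomains=False):
    """Return {indicator: [(field, event), ...]} for every event field that hits an indicator.

    match_subdomains=True also treats 'sub.c2.example.org' as a hit for 'c2.example.org';
    this is an extension of the example, not a documented setting of the App.
    """
    wanted = {}
    for row in indicators:
        key = normalize(row["indicator"])
        if key is not None:  # skip malformed indicators rather than matching garbage
            wanted[key] = row["indicator"]
    hits = defaultdict(list)
    for event in events:
        for field in target_fields:
            norm = normalize(event[field]) if event.get(field) is not None else None
            if norm is None:
                continue
            if norm in wanted:
                hits[wanted[norm]].append((field, event))
            elif match_subdomains:
                for ind_norm, indicator in wanted.items():
                    if norm.endswith("." + ind_norm):
                        hits[indicator].append((field, event))
    return dict(hits)


def summarize(hits):
    """Rows shaped like a matched-indicators lookup: indicator, fields hit, hit count."""
    return sorted(
        ({"indicator": ind, "matched_fields": sorted({f for f, _ in found}), "count": len(found)}
         for ind, found in hits.items()),
        key=lambda r: r["indicator"])


if __name__ == "__main__":
    ip_hits = correlate(IP_INDICATORS, TARGET_EVENTS,
                        parse_target_fields("src_ip, dest_ip"), normalize_ip)
    for row in summarize(ip_hits):
        print(row)
    dom_hits = correlate(DOMAIN_INDICATORS, TARGET_EVENTS, ["query"],
                         normalize_domain, match_subdomains=True)
    for row in summarize(dom_hits):
        print(row)
```

Two things carry over to the real settings: list every field that can hold the indicator type (a hostile IP shows up as src_ip on inbound traffic and dest_ip on outbound), and keep the target query narrow, since each extra field is scanned for every event the query returns on every run of the correlation savedsearch.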
To configure the Upload Indicators, go to the Upload Indicators page and set the parameters below:

Input Parameter | Mandatory or Optional | Description |
---|---|---|
File to upload the indicators | Mandatory | Select a csv file to upload the indicators |
File Overwrite | Optional | Check this checkbox to overwrite the existing IP/Domain indicators. By default the indicators will be appended to the existing ones |
API Type | Mandatory | Select the type of API to collect. Foundation is selected initially. |
Team Cymru Scout Account | Mandatory | Select the Team Cymru Scout Account for which you want to collect data. |
Interval | Mandatory | Time interval of input in seconds. Default=86400 |
Index | Optional | Select the index in which data should be collected. Only required if "Collection Type" is set to "Index". |
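The upload feeds the indicator lookups directly, so a malformed line in the CSV becomes a lookup row that can never match (or, worse, a wildcard-like junk value). The Python below is an added example, not the App's own validation: it reads a constructed CSV, rejects anything that is neither an IP address nor a syntactically valid domain, de-duplicates, and then shows the difference between the default append and the File Overwrite checkbox. A single column named indicator is an assumption; the page does not state the column layout the App expects.

```python
"""Added example (not the Team Cymru Scout App's code): validating an indicator
CSV before upload and the difference between append (default) and File Overwrite."""
import csv
import io
import ipaddress
import re

# Constructed sample upload. A single 'indicator' column is an assumption; the
# page does not state the column layout the App expects.
SAMPLE_CSV = """indicator
203.0.113.10
bad.example.net
203.0.113.10
not a domain
2001:DB8::1
"""

# Hostname labels per RFC 1123, at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(value):
    """Return ('ip', canonical) or ('domain', canonical), or None for junk that
    must not be written into a lookup."""
    value = str(value).strip()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    candidate = value.lower().rstrip(".")
    if DOMAIN_RE.match(candidate):
        return "domain", candidate
    return None


def parse_upload(text):
    """Read the CSV, reject invalid rows, de-duplicate, and split by indicator type."""
    good = {"ip": [], "domain": []}
    rejected = []
    seen = set()
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("indicator") or "").strip()
        result = classify(raw)
        if result is None:
            rejected.append(raw)
            continue
        kind, canonical = result
        if canonical in seen:
            continue
        seen.add(canonical)
        good[kind].append(canonical)
    return good, rejected


def merge(existing, uploaded, overwrite=False):
    """overwrite=True replaces the existing IP/Domain indicators (File Overwrite
    checked); by default the upload is appended without creating duplicates."""
    if overwrite:
        return list(uploaded)
    merged = list(existing)
    for indicator in uploaded:
        if indicator not in merged:
            merged.append(indicator)
    return merged


if __name__ == "__main__":
    good, rejected = parse_upload(SAMPLE_CSV)
    print("accepted:", good)
    print("rejected:", rejected)
    print("appended:", merge(["198.51.100.77"], good["ip"]))
    print("overwritten:", merge(["198.51.100.77"], good["ip"], overwrite=True))
```

Run the validation on the file before ticking File Overwrite: with overwrite the current IP/Domain indicators are gone, so a CSV that loses half its rows to formatting errors silently shrinks the lookup instead of extending it.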
To configure the Inputs, go to Inputs, click Create New Input, and click Add to configure the input.

Input Parameter | Mandatory or Optional | Description |
---|---|---|
Name | Mandatory | A name to uniquely identify the input |
Interval | Mandatory | Time interval of input in seconds. Default=86400 |
Index | Mandatory | Select the index in which data should be collected. Only required if "Collection Type" is set to "Index". |
Team Cymru Scout Account | Mandatory | Select the Team Cymru Scout Account for which you want to collect data. |
API Type | Mandatory | Select the type of API to collect |
Indicator Types | Mandatory | Select the type of indicators to collect. |
Indicators | Mandatory | Enter the comma separated indicators. |
This application contains the following lookups:

- team_cymru_indicators_foundation_ip: foundation data for IPs.
- team_cymru_indicators_details_ip: details data for IPs.
- team_cymru_indicators_details_domain: details data for Domains.
- team_cymru_matched_indicators_domain: the matched indicator data for Domains.
- team_cymru_matched_indicators_ip: the matched indicator data for IPs.

Users can check the data in a lookup by running the following SPL query in Splunk search: | inputlookup <NAME OF LOOKUP>
This application contains the following saved searches:

- Saved searches that update the team_cymru_indicators_foundation_ip, team_cymru_indicators_details_ip and team_cymru_indicators_details_domain master lookups.
- Retention for team_cymru_matched_indicators_ip and team_cymru_indicators_foundation_ip: IPs older than the specified time are deleted from the team_cymru_indicators_foundation_ip and team_cymru_matched_indicators_ip lookups.
- Retention for team_cymru_matched_indicators_ip and team_cymru_indicators_details_ip: IPs older than the specified time are deleted from the team_cymru_indicators_details_ip and team_cymru_matched_indicators_ip lookups.
- Retention for team_cymru_matched_indicators_domain and team_cymru_indicators_details_domain: Domains older than the specified time are deleted from the team_cymru_indicators_details_domain and team_cymru_matched_indicators_domain lookups.

This application contains the following custom commands:

- teamcymrumatchindicators
- teamcymruaccountusage
- teamcymruscoutsectionsearch
- teamcymruscoutsearch

This application contains the following alert actions:
To verify that data is being collected, open the Search tab and run: `team_cymru_indicator_indices` sourcetype=*team_cymru_*

The App writes its logs to $SPLUNK_HOME/var/log/splunk/ta_team_cymru_scout*.log. Alternatively, run index="_internal" source=*ta_team_cymru_scout_*.log* to see all of the App's logs in the Splunk UI, or index="_internal" source=*ta_team_cymru_scout*.log* ERROR to see only the ERROR logs.

Data not being collected or indicator lookups empty:

- Data collected by the inputs populates the team_cymru_indicators_details_ip, team_cymru_indicators_details_domain and team_cymru_indicators_foundation_ip lookups. Check the ta_team_cymru_scout*.log* files in the $SPLUNK_HOME/var/log/splunk/ directory for any relevant error messages from Team Cymru Scout App For Splunk data collection.
- If the team_cymru_indicators_<indicator_type> lookup is empty, execute the savedsearch update_TeamCymruScoutAppForSplunk_<indicator_type>_indicator_master_lookup manually over a larger time range to refill the lookup, and make sure the index the input writes to is selected in the Indicator Indices parameter of the correlation settings.

Correlation not producing matches:

- Ensure the team_cymru_matched_indicators_<indicator_type> lookup is not empty and that the team_cymru_correlate_<indicator_type> savedsearch is enabled.
- Check the ta_team_cymru_scout_correlation_command.log file for further analysis.

Enrichment, section search or search commands failing:

- Check the ta_team_cymru_scout_enrichment_command.log, ta_team_cymru_scout_section_search_command.log or ta_team_cymru_scout_search_command.log file for further analysis.

Panel not populating:

- Check the ta_team_cymru_scout_search_command.log and ta_team_cymru_scout_section_search_command.log files for further analysis.
- Ensure the team_cymru_matched_indicators_<indicator_type> lookup is filled with the latest data and that the team_cymru_correlate_IPs_indicators_<indicator_type> savedsearches are enabled.
- Ensure the team_cymru_indicators_details_domain, team_cymru_indicators_details_ip or team_cymru_indicators_foundation_ip lookup is filled with the latest data and that the update_TeamCymruScoutAppForSplunk_<indicator_type>_indicator_master_lookup savedsearches are enabled.

Dashboard drilldowns:

- Live investigation: clicking a Live investigation cell redirects to the Live investigation dashboard with the indicator of that row.
- Local investigation: clicking a Local investigation cell redirects to the Search page with that row's IP and index.