# Cisco Splunk Connector
## Overview

The Cisco Splunk connector enables seamless integration between Swimlane Turbine and Splunk, allowing users to create, search, and manage events within Splunk through automated workflows. Cisco Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated data, which is vital for security and operational intelligence. This connector allows Swimlane Turbine users to automate various Splunk actions such as event creation, searches, and editing notable events directly within their security workflows. By integrating with Cisco Splunk, users can streamline incident response, enhance threat hunting, and leverage Splunk's analytics capabilities to enrich security events and alerts in Swimlane Turbine. The connector simplifies complex data analysis, enabling users to focus on strategic security decisions rather than manual data handling.

## Limitations

None to date.

## Supported Versions

- Splunk Enterprise
- Splunk Cloud

v1 or v2 endpoints will be called based on the version in the asset configuration; defaults to 9.0.1.

## Additional Docs

Splunk's REST API reference: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog

## Configuration

### Prerequisites

Typically, resources that affect search activities have an app/user context, that is, the namespace. Use the `/servicesNS/<user>/<app>` namespace to force the app context you want. For shared application resources, use `nobody` for the `user` node. To indicate all users, all apps, or resources shared by all users, use the wildcard dash (`-`) symbol, as in `/servicesNS/-/-/saved/searches`. You can also access resources by using the `/services` node; the system then processes the request using the active user/app context. More info can be found in Splunk's documentation on namespaces: https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace

### Authentication Methods

To effectively utilize the Cisco Splunk connector with Swimlane Turbine, ensure you have the following prerequisites:

**HTTP Basic Authentication**
- URL: Endpoint for the Splunk API
- Username: Your Splunk account username
- Password: Your Splunk account password

**HTTP Bearer Token Authentication**

- URL: Endpoint for the Splunk API
- Token: A valid bearer token, such as a JWT, for authenticating API requests

Note: the port must be set to 8089 when connecting to Splunk.

## Capabilities

- Create Event
- Create Search
- Edit Notable Events
- Get Saved Search
- Get Search
- Get Search Results
- One Shot Search

### Create Event

Create events from the contents contained in the HTTP body. The `edit_tcp` capability is additionally required for this endpoint.

### Create Search

This action will return the search ID but not the search results. It is important to note that searches in Splunk might take some time, and the results might not be immediately available for fetching.

Data body examples:

Search for notable events in the last 5 minutes:

```
search: 'search index=notable earliest=-5m'
```

Count HTTP 200 responses grouped by URI path:

```
search: 'search sourcetype=access_combined status=200 | stats count by uri_path'
```

Look up data from a CSV file:

```
search: '| inputlookup mylookup'
```

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs

### Edit Notable Events

Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/ES/7.3.2/API/NotableEventAPIreference

### Get Saved Search

Access the named saved search. Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

### Get Search

The user ID is implied by the authentication to the call. The `dispatchState` field can have the following values: `QUEUED`, `PARSING`, `RUNNING`, `FINALIZING`, `DONE`, `PAUSE`, `INTERNAL_CANCEL`, `USER_CANCEL`, `BAD_INPUT_CANCEL`, `QUIT`, `FAILED`. Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D

### Get Search Results
The `output_mode` parameter for this action supports: `json` (default), `csv`, `xml`, `raw`, `json_cols`, `json_rows`, `row`, `atom`. Splunk's documentation for this endpoint can be found here: https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults

### One Shot Search

This action will run a search and return the results in a single call.

Retrieve the first 10 events from the `_internal` index:

```
search_string: 'index=_internal | head 10'
```

Find and count 404 errors by URI path:

```
search_string: 'search sourcetype=access_combined status=404 | stats count by uri_path'
```

Use `tstats` to count events by host:

```
search_string: '| tstats count where index=* by host'
```

#### add_search

If set to `true`, the keyword `search` will be prepended to your search string unless it already starts with a pipe (`|`) or another generating command.

```
add_search: true
search_string: 'index=main error'
# The executed search will be 'search index=main error'
```

If set to `false`, no keyword will be prepended.

```
add_search: false
search_string: '| inputlookup my_lookup_table'
# The executed search will be '| inputlookup my_lookup_table'
```

#### earliest_time and latest_time

Set the earliest time:

```
earliest_time: '-1h'
```

Set the latest time:

```
latest_time: '2023-07-01T00:00:00Z'
```

#### app

#### parse_json

Due to a known Splunk issue with malformed JSON outputs, setting this to `true` will attempt to correct and parse the JSON respons
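The `add_search`, `earliest_time` and `latest_time` rules above, as an added example that is not part of the original page or the connector's code: a Python helper that normalizes the search string and builds the form body for a one-shot search. Helper names are hypothetical, the `exec_mode=oneshot` form of the `search/jobs` endpoint is assumed, and a string already beginning with the `search` keyword is treated like a pipe-led one.

```python
import re

# Added illustration of the One Shot Search parameters; hypothetical helper names,
# not the Swimlane connector's own code.
# Assumption: a string that already begins with the 'search' keyword counts as
# already generating and is not prefixed a second time.
GENERATING = re.compile(r"^\s*(\||search\b)", re.IGNORECASE)
# Assumption: simplified check for Splunk relative modifiers ('-1h', '-5m@m', 'now')
# and ISO-8601 timestamps ('2023-07-01T00:00:00Z'); Splunk accepts more forms.
RELATIVE = re.compile(r"^(now|[-+]?\d+[a-z]*(@[a-z0-9]+)?)$", re.IGNORECASE)
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def normalize_search(search_string, add_search=True):
    """Prepend 'search' unless add_search is false or the string is already generating."""
    spl = search_string.strip()
    if add_search and not GENERATING.match(spl):
        return f"search {spl}"
    return spl


def check_time(value):
    """Reject time bounds Splunk would not parse before they reach the API."""
    if not (RELATIVE.match(value) or ISO8601.match(value)):
        raise ValueError(f"unsupported time bound: {value!r}")
    return value


def oneshot_params(search_string, add_search=True, earliest_time=None,
                   latest_time=None, output_mode="json"):
    """Form body for POST search/jobs with exec_mode=oneshot (results in one call)."""
    params = {"search": normalize_search(search_string, add_search),
              "exec_mode": "oneshot", "output_mode": output_mode}
    if earliest_time is not None:
        params["earliest_time"] = check_time(earliest_time)
    if latest_time is not None:
        params["latest_time"] = check_time(latest_time)
    return params
```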
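The Create Search, Get Search and Get Search Results actions described earlier form one polling loop, because Create Search returns only the search ID; as an added example that is not the connector's own code, this Python helper builds the namespace URL on port 8089, chooses HTTP Basic or Bearer authentication, and polls `dispatchState` until the job is terminal. Helper names, the default `search` app node, a trusted TLS certificate on the management port, and the JSON response shapes are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Added illustration of Create Search -> Get Search -> Get Search Results.
# All helper names are hypothetical; this is not the Swimlane connector's own code.
PORT = 8089  # management port the connector requires (not the 8000 web UI port)
PENDING = {"QUEUED", "PARSING", "RUNNING", "FINALIZING", "PAUSE"}
FAILED = {"INTERNAL_CANCEL", "USER_CANCEL", "BAD_INPUT_CANCEL", "QUIT", "FAILED"}


def ns_url(host, path, user="nobody", app="search"):
    """/servicesNS/<user>/<app>/<path>; 'nobody' = shared app resources, '-' = wildcard."""
    return f"https://{host}:{PORT}/servicesNS/{user}/{app}/{path.lstrip('/')}"


def auth_header(username=None, password=None, token=None):
    """Bearer token when one is given, otherwise HTTP Basic from username/password."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}


def classify(dispatch_state):
    """Map a job's dispatchState to 'pending', 'done' or 'failed'."""
    s = dispatch_state.upper()
    verdict = "done" if s == "DONE" else "failed" if s in FAILED else "pending" if s in PENDING else None
    if verdict is None:
        raise ValueError(f"unknown dispatchState {dispatch_state!r}")
    return verdict


def _call(url, headers, form=None):
    data = urllib.parse.urlencode(form).encode() if form else None  # None -> GET
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:  # assumes a trusted cert
        return json.load(resp)


def run_search(host, headers, spl, earliest="-5m", poll_seconds=2.0):
    """Create the job, poll until dispatchState is terminal, then fetch JSON results."""
    h = {**headers, "Accept": "application/json"}
    sid = _call(ns_url(host, "search/jobs"), h,
                {"search": spl, "earliest_time": earliest, "output_mode": "json"})["sid"]
    job_path = f"search/jobs/{urllib.parse.quote(sid, safe='')}"
    while True:
        job = _call(ns_url(host, f"{job_path}?output_mode=json"), h)
        verdict = classify(job["entry"][0]["content"]["dispatchState"])
        if verdict == "failed":
            raise RuntimeError(f"search {sid} ended in {job['entry'][0]['content']['dispatchState']}")
        if verdict == "done":
            break
        time.sleep(poll_seconds)
    return _call(ns_url(host, f"{job_path}/results?output_mode=json"), h)["results"]
```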