Overview
The Splunk App for Shared Alerting gives security and IT teams insight into what the other team is aware of and working on, enabling cross-team collaboration and faster time to resolve and recover. It gives both teams better visibility into what is happening in their environment, whether the event is a security or an IT event. It does this by sharing relevant information, such as Enterprise Security (ES) findings and IT Service Intelligence (ITSI) episodes, with the other operations team, while letting each team keep working in the tool it is used to (ES or ITSI).
This app is primarily composed of backend searches that extract ES findings and ITSI episodes and share them via an index. Detections in ES and correlation searches in ITSI run against these shared indexes to create new findings (ES) or notables (ITSI) in the appropriate premium application.
Installation
The Splunk App for Shared Alerting is available on Splunkbase.
Dependencies
Both Enterprise Security (ES) and IT Service Intelligence (ITSI), with a shared indexer or indexer cluster.
Location
This app can be used with either on-premises or Splunk Cloud instances. The app has been tested against Splunk Enterprise/Cloud 9.0.x and later.
Components
The app needs to be installed on both the Enterprise Security and IT Service Intelligence (ITSI) search head or search head cluster. These search heads need to share an indexer or indexer cluster.
Install
The app installs like any other app from Splunkbase. If you are installing in a Splunk Cloud environment, follow the Splunk Cloud app install directions.
If you are installing in an on-premises instance, use the Install app from file feature on the Manage Apps page in Splunk Web to install the package, or install it manually from the command line.
Configuration
Indexes
The app requires that two indexes be created. In your environment create the following two indexes:
- share_with_es
- share_with_itsi
The size and retention of these indexes do not need to be large or long. Only a very small amount of information is shared between the two premium apps and stored in these indexes. They are used mostly to move data between ES and ITSI, and the data does not need to be kept for more than 90 days. More details of how the app moves data can be found on the App Components page.
ES Finding Filtering
The filter_share_itsi macro limits which ES findings are saved to the share_with_itsi index. This macro can be customized to share more or fewer findings from ES to ITSI. By default, the macro has two items:
- `NOT risk_object_type IN (user,"")` - filters out user-based entities, as ITSI only correlates with systems
- `NOT urgency=informational` - shares findings with urgency low and higher
ITSI Episode Filtering
The filter_share_es macro limits which ITSI episodes are saved to the share_with_es index. This macro can be customized to share more or fewer episodes from ITSI to ES. By default, the macro has three items:
- `itsi_group_severity>2` - shares episodes with severity low and higher
- `entity_title=*` - shares only episodes that have an entity, for correlation with assets in ES
- `NOT itsi_policy_id="itsi_default_policy"` - does not share episodes generated by the default ITSI NEAP, as it is too broad
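An added example of customizing both macros through local/macros.conf (this is not the app's own default/macros.conf, whose exact definitions are not reproduced here). It assumes the defaults are the documented clauses joined by SPL's implicit AND, the ES urgency values informational/low/medium/high/critical, and the ITSI severity scale 1 (info) through 6 (critical).

```ini
# Added example: local/macros.conf overrides that tighten the documented filters.
# Assumption: the default definitions are the documented clauses joined by
# SPL's implicit AND, as used in a search (not where) context.

# On the Enterprise Security search head (cluster).
# Default per the docs: NOT risk_object_type IN (user,"") NOT urgency=informational
# Tightened: keep the system-only rule, but share only medium-and-higher findings
# (assumed ES urgency values: informational, low, medium, high, critical).
[filter_share_itsi]
definition = NOT risk_object_type IN (user,"") urgency IN (medium,high,critical)
iseval = 0

# On the ITSI search head (cluster).
# Default per the docs: itsi_group_severity>2 entity_title=* NOT itsi_policy_id="itsi_default_policy"
# Tightened: severity 4 (medium) and above, still requiring an entity and still
# excluding the default NEAP (assumed ITSI scale: 1 info, 2 normal, 3 low,
# 4 medium, 5 high, 6 critical).
[filter_share_es]
definition = itsi_group_severity>=4 entity_title=* NOT itsi_policy_id="itsi_default_policy"
iseval = 0
```

Each stanza belongs only on the search head that runs the corresponding share search; placing overrides in local/ rather than default/ keeps them across app upgrades.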
ES Detection
The app ships with an analytic story containing a single detection. Once the app is loaded and Splunk is restarted, the ITSI Episode detection should appear in ES Content Management. By default, the detection is not scheduled to run. Enable the detection and adjust the schedule if necessary. The detection generates a finding and also creates an intermediate finding for the entity involved. Adjust the risk score if necessary.
ITSI Correlation Search
The app ships with a content pack (Shared Alerting) that contains a single correlation search. Once the app is loaded and Splunk is restarted, the content pack appears in ITSI under Configuration > Data Integrations; from there select Content library. You can then import the ES Alert correlation search, adjust its parameters if necessary, and enable it. The correlation search generates a notable with a title starting with ES Alert.
The Notable Event Aggregation Policies (NEAPs) you are using need to be adjusted to include the notable events generated by the default correlation search. You can add an OR to your NEAP rule with a title matches ES Alert condition as the notable selection criteria. You may also need to review the split events by criteria to ensure the ES Alert notable is captured into the proper episode.
Usage
ES
Once everything is installed and enabled, users will see new ES findings with a title of ITSI Alert - rule, where rule is replaced with the name of the ITSI Notable Event Aggregation Policy (NEAP) that created the episode. The detection makes every attempt to correlate the entity that came from ITSI with a valid asset in ES. The finding in ES includes helpful pieces of information from ITSI. The table below maps the fields from ITSI to ES to help the teams collaborate and view the same alert.
| ES Field | ITSI Field |
|---|---|
| Reason | itsi_group_title |
| Rule Identifier | itsi_policy_id |
| Source | entity_title |
| View | itsi_group_id (unique episode ID) |
| Severity | itsi_group_severity |
| Description | itsi_group_description |
ITSI
In ITSI, users will see new notables with a title of ES Alert - rule, where rule is replaced with the ES detection (rule) that created the notable. Once an organization's NEAPs are adjusted, these notables should become part of larger episodes, raising visibility that a security alert is affecting the same entity as the episode. Correlation is done from the asset in ES to the ITSI entity title. The notable in ITSI includes helpful pieces of information from ES. The table below maps the fields from ES to ITSI to help the teams collaborate and view the same alert.
| ITSI Field | ES Field |
|---|---|
| entity_title | risk_object,dest_asset,src_asset,dest,src |
| notable_description | rule_title |
| notable_id | rule_id (unique notable ID) |
| rule | source (detection) |
| urgency | urgency |
| Drilldown Link | Direct link to the finding in ES |
App Components
This page describes the components that ship as part of the app and their functions.
Searches
- es_is_installed - Checks whether ES is installed on that search head (cluster). If so, it enables/disables the proper searches via the enable_searches alert action
- itsi_is_installed - Checks whether ITSI is installed on that search head (cluster). If so, it enables/disables the proper searches via the enable_searches alert action
- es_share_itsi - Scheduled search that pulls information from ES findings to populate the share_with_itsi index
- itsi_share_es - Scheduled search that pulls information from ITSI episodes to populate the share_with_es index
- ITSI Episode - Scheduled detection that creates ES findings based on data in share_with_es
- ES Alert - Scheduled correlation search that creates ITSI notables based on data in share_with_itsi
Indexes
- share_with_es - Index that holds specific data from ITSI episodes, used to generate ES findings
- share_with_itsi - Index that holds specific data from ES findings, used to generate ITSI notables
Alert Actions
- enable_searches - Makes REST calls to enable and disable the proper searches based on the search head (cluster) it is installed on
Macros
- filter_share_itsi - Limits which ES findings are saved to the share_with_itsi index
- filter_share_es - Limits which ITSI episodes are saved to the share_with_es index
- itsi_severvity_description - Maps a severity number to a string

