Overview¶
Splunk App for Shared Alerting gives security and IT operations teams insight into what the other team is aware of and working on, enabling cross-team collaboration and a faster time to resolve and recover. It gives both teams better visibility into what is happening in their environment, regardless of whether an event started as a security or an IT issue. It does this by sharing relevant information, such as Enterprise Security (ES) notables and IT Service Intelligence (ITSI) episodes, with the other operations team, while letting each team keep working in the tool it already uses (ES or ITSI).
This app is primarily composed of backend scheduled searches that extract ES notables and ITSI episodes and share them via a pair of indexes. Correlation searches in ES and ITSI run against these shared indexes to create new notables in the appropriate premium application.
Installation¶
The Splunk App for Shared Alerting is available on Splunkbase.
Dependencies¶
Both Enterprise Security (ES) and IT Service Intelligence (ITSI), with a shared indexer or indexer cluster.
Location¶
This app can be used with either on-premises or Splunk Cloud instances. The app has been tested against Splunk Enterprise and Splunk Cloud 9.0.x and later.
Components¶
The app needs to be installed on both the Enterprise Security (ES) search head or search head cluster and the IT Service Intelligence (ITSI) search head or search head cluster. These search heads need to share an indexer or indexer cluster.
Install¶
The app installs like any other app from Splunkbase. If you are installing in a Splunk Cloud environment, follow the Splunk Cloud app install directions.
If you are installing in an on-premises instance, you can use the "Install app from file" feature on the Manage Apps page in Splunk Web to install the package, or install manually from the command line.
Configuration¶
Indexes¶
The app requires two indexes. Create the following two indexes in your environment:
- share_with_es
- share_with_itsi
The size and retention of these indexes do not need to be large or long. Only a very small amount of information is shared between the two premium apps and stored in these indexes; they are mostly used to move data between ES and ITSI, and the data does not need to be kept for more than 90 days. More details of how the app moves data can be found in the App Components section.
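As an added example (not part of the app or its documentation), the following indexes.conf fragment creates both indexes with the short retention described above. The size and retention values are assumptions; the two indexes must exist on the indexers or indexer cluster that both search heads share, not on the search heads themselves.

```ini
# Added example, not shipped with the app: indexes.conf for the two share indexes.
# Deploy to the indexers (or via the cluster manager for an indexer cluster),
# not to the ES or ITSI search heads. Size and retention values are assumptions
# sized for the small volume of events these indexes carry.

[share_with_es]
homePath   = $SPLUNK_DB/share_with_es/db
coldPath   = $SPLUNK_DB/share_with_es/colddb
thawedPath = $SPLUNK_DB/share_with_es/thaweddb
# 90 days expressed in seconds (90 * 86400); older buckets are frozen, which
# deletes them unless a coldToFrozenDir is configured
frozenTimePeriodInSecs = 7776000
# hard cap on total index size; 512 MB is far more than the shared events need
maxTotalDataSizeMB = 512

[share_with_itsi]
homePath   = $SPLUNK_DB/share_with_itsi/db
coldPath   = $SPLUNK_DB/share_with_itsi/colddb
thawedPath = $SPLUNK_DB/share_with_itsi/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 512
```

On Splunk Cloud, create the same two indexes and their retention through the index management page rather than by editing indexes.conf. Because the ES search head writes to share_with_itsi and reads share_with_es, and the ITSI search head does the reverse, check that the role running the app's scheduled searches on each search head includes both indexes in its searchable indexes; a quick `index=share_with_es` search on the ES search head and `index=share_with_itsi` on the ITSI search head confirms both the index placement and the role permissions. Since the shared events carry asset names and rule titles, restrict read access on these indexes to the ES and ITSI roles that need them.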
ES Notable Filtering¶
The filter_share_itsi macro limits which ES notables are saved to the share_with_itsi index. This macro can be customized to share more or fewer notables from ES to ITSI. By default the macro has two items:
NOT risk_object_type IN (user,"")
- filters out user-based (and untyped) risk objects, because ITSI only correlates on systems
NOT urgency=informational
- shares notables with urgency low and higher
ITSI Episode Filtering¶
The filter_share_es macro limits which ITSI episodes are saved to the share_with_es index. This macro can be customized to share more or fewer episodes from ITSI to ES. By default the macro has three items:
itsi_group_severity>2
- shares episodes with severity low and higher
entity_title=*
- shares only episodes that have an entity, so they can be correlated with assets in ES
NOT itsi_policy_id="itsi_default_policy"
- does not share episodes generated by the default ITSI NEAP, as it is too broad
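As an added example covering both the ES notable filter above and the ITSI episode filter in this section (not the app's own configuration), the following local/macros.conf stanzas override the two macros. The filter_share_itsi stanza belongs in the app's local directory on the ES search head(s) and the filter_share_es stanza in the app's local directory on the ITSI search head(s). The default terms are reproduced from this page; the extra terms, the rule name Threat - Example Internal Only - Rule and the policy ID policy_example_broad, are hypothetical and illustrate tightening each filter.

```ini
# Added example, not the app's own configuration: local/macros.conf overrides
# for the two filter macros. Each definition is an SPL search filter whose
# terms are ANDed. A local stanza replaces the whole default definition, so the
# default terms are carried forward here and the new terms appended.

[filter_share_itsi]
# Defaults from the app: drop user-based/untyped risk objects, drop informational.
# Assumed tightenings: also drop low urgency, and never share notables produced
# by a hypothetical correlation search whose findings are security-internal.
definition = NOT risk_object_type IN (user,"") NOT urgency IN (informational,low) NOT source="Threat - Example Internal Only - Rule"
iseval = 0

[filter_share_es]
# Defaults from the app: low severity and higher, entity present, not the default NEAP.
# Assumed tightening: exclude a second hypothetical policy that is also too
# broad to be actionable for the security team.
definition = itsi_group_severity>2 entity_title=* NOT itsi_policy_id IN ("itsi_default_policy","policy_example_broad")
iseval = 0
```

Treat these macros as an access boundary rather than just a noise filter: whatever passes filter_share_itsi is written to an index the IT team can search, including rule names and affected assets, so prefer tightening over loosening and review the filter whenever a new correlation search is enabled in ES. To see the effect of a change, let the share search run and then, on the receiving search head, run a search such as `index=share_with_itsi earliest=-24h | stats count by urgency, source`, which also confirms that the index exists on the shared indexers and that the role can search it.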
ES Correlation Search¶
The app ships with an analytic story containing a single correlation search. Once the app is loaded and Splunk is restarted, the ITSI Episode correlation search should appear in ES Content Management. By default the search is not scheduled to run. Enable the search and adjust the schedule if necessary. The correlation search generates a notable and also uses the risk analysis adaptive response action to adjust the risk score of the asset involved. Adjust the risk score if necessary.
ITSI Correlation Search¶
The app ships with a content pack (Shared Alerting) that contains a single correlation search. Once the app is loaded and Splunk is restarted, the ES Alert correlation search should appear in ITSI Correlation Searches. By default the search is not scheduled to run. Enable the search and adjust the schedule if necessary. The correlation search generates a notable with a title starting with ES Alert.
The Notable Event Aggregation Policies (NEAPs) you use will need to be adjusted to include the notable events generated by this correlation search. You can add an OR clause to your NEAP's notable selection criteria that matches titles starting with ES Alert. You may also need to review the split-events-by criteria to ensure the ES Alert notable is captured into the proper episode for the same entity rather than split into an episode of its own.
Usage¶
ES¶
Once everything is installed and enabled, users will see new ES notables with a title of ITSI Alert - rule, where rule is replaced with the name of the ITSI Notable Event Aggregation Policy (NEAP) that created the episode. The correlation search makes every attempt to correlate the entity that came from ITSI with a valid asset in ES. The notable in ES includes helpful pieces of information from ITSI. The table below maps the fields from ITSI to ES so that both teams can view the same alert:
| ES Field | ITSI Field |
|---|---|
| Reason | itsi_group_title |
| Rule Identifier | itsi_policy_id |
| Source | entity_title |
| View | itsi_group_id (unique episode ID) |
| Severity | itsi_group_severity |
| Description | itsi_group_description |
ITSI¶
In ITSI, users will see new notables with a title of ES Alert - rule, where rule is replaced with the name of the ES correlation search (rule) that created the notable. Once an organization's NEAPs are adjusted, these notables should become part of larger episodes, raising visibility that a security alert is affecting the same entity as the episode. Correlation is done from the asset in ES to the ITSI entity title. The notable in ITSI includes helpful pieces of information from ES. The table below maps the fields from ES to ITSI so that both teams can view the same alert:
| ITSI Field | ES Field |
|---|---|
| entity_title | risk_object, dest_asset, src_asset, dest, src |
| notable_description | rule_title |
| notable_id | rule_id (unique notable ID) |
| rule | source (correlation search) |
| urgency | urgency |
| Drilldown Link | Direct link to the notable in ES |
App Components¶
This section describes the components that ship as part of the app and their functions.
Searches¶
es_is_installed
- Checks whether ES is installed on that search head (cluster). If so, it enables or disables the proper searches via the enable_searches alert action.
itsi_is_installed
- Checks whether ITSI is installed on that search head (cluster). If so, it enables or disables the proper searches via the enable_searches alert action.
es_share_itsi
- Scheduled search that pulls information from ES notables to populate the share_with_itsi index.
itsi_share_es
- Scheduled search that pulls information from ITSI episodes to populate the share_with_es index.
ITSI Episode
- Scheduled correlation search that creates ES notables based on data in share_with_es.
ES Alert
- Scheduled correlation search that creates ITSI notables based on data in share_with_itsi.
Indexes¶
share_with_es
- Index that holds selected data from ITSI episodes, used to generate ES notables.
share_with_itsi
- Index that holds selected data from ES notables, used to generate ITSI notables.
Alert Actions¶
enable_searches
- Makes REST calls to enable and disable the proper searches based on which premium app is present on the search head (cluster) it is installed on.
Macros¶
filter_share_itsi
- Limits which ES notables are saved to the share_with_itsi index.
filter_share_es
- Limits which ITSI episodes are saved to the share_with_es index.
itsi_severvity_description
- Maps an ITSI severity number to its string description.