Integrate ASMS with Splunk

The AlgoSec Splunk App V2 for Security Incident Response provides the ability to better analyze security incidents, understand their impact, and quickly accomplish remediation.

Note: See the AlgoSec Splunk App V2 page on Splunkbase for product compatibility details and the download.

Install the AlgoSec App

Do the following:

  1. Download the AlgoSec Splunk App V2 from the AlgoSec Splunk App V2 page on Splunkbase.
  2. Configure the AlgoSec App V2 by doing the following:

    1. Under Manage Applications, find the AlgoSec App line and click Set up.
    2. Provide the AlgoSec server IP Address, username and password.

The AlgoSec Incident Response App is now ready for use.

View business impact and internet exposure data

The AlgoSec App V2 provides the ability to retrieve business application information and internet exposure information for a specific server. This information includes:

Business Application context (from AlgoSec AppViz)

Names of affected applications, an indication of whether each application is critical, and further details about the applications, including a link to the AppViz Web Interface with a list of the relevant applications.

Network Connectivity (exposure to the Internet)

AlgoSec Traffic Simulation Query results indicating whether the server is open to the Internet.

Do either of the following:

Note: Accessing the App from the IP address will pre-populate the server field.

View business impact and internet exposure information from the IP address

Do the following:

  1. Search the logs for the desired IP address.
  2. Click the Actions arrow for the desired IP, and select one of the following options in the menu:

    • Find Affected Business Applications. Choose this option to link directly to AppViz and view a list of affected applications along with all of the information AppViz provides.
    • Analyze in AlgoSec Incident Analysis. Choose this option to view business context and internet exposure information in the Security Incident Analysis tab of the App.

Details shown include:

Business Impact area

The Business Impact area includes:

  • A list of affected applications.
  • A notification indicating whether any of the affected applications are a part of a critical process.
  • A link to the list of affected applications in AppViz in the More details field.

Exposure to the Internet area

The Exposure to the Internet area includes:

  • Information about the connectivity between the server and the internet.
  • A link to the specifics of the traffic query in AFA in the More details field.

View business impact and internet exposure information directly from the App

Do the following:

  1. Click the AlgoSec Security Handling App.

  2. Go to the Security Incident Analysis tab in the AlgoSec App. This is the home page by default.

  3. In the Server IP field, type the IP address of the server.

  4. Click Submit.

Information about the server appears:

Business Impact area

The Business Impact area includes:

  • A list of affected applications.
  • A notification indicating whether any of the affected applications are a part of a critical process.
  • A link to the list of affected applications in AppViz in the More details field.

Exposure to the Internet area

The Exposure to the Internet area includes:

  • Information about the connectivity between the server and the internet.
  • A link to the specifics of the traffic query in AFA in the More details field.

Isolate a server

You can open a FireFlow change request to block all traffic to and from a risky server.

To customize the change request, see Customize the Isolate Server change request.

Do one of the following:

Note: Accessing the App from the IP address will pre-populate the server field.

Isolate a server from the IP address

Do the following:

  1. Search the logs for the desired IP address.

  2. Click the Actions arrow for the desired IP, and select Isolate server from the network.

    A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. The Security Incident Response tab appears with a link to the change request in FireFlow, allowing you to track implementation progress.

Isolate a server directly from the App

Do the following:

  1. Click the AlgoSec Security Handling App.
  2. Click the Security Incident Response tab in the AlgoSec App.

  3. Complete the IP of Server to Isolate, Change Request Title, and Details fields.

  4. Click Submit.

A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server. A link to the change request appears in the page to allow you to track implementation progress.

Customize the AlgoSec App

The AlgoSec App supports the following customizations:

Customize the fields supporting AlgoSec workflow actions

Do the following:

  1. Go to Settings -> Fields and choose Workflow actions.
  2. Click one of the AlgoSec actions (ABFAppLookup, algosec_incident_analysis, algosec_isolate_server) and add the needed field names under Apply only to the following fields.

  3. Click Save.

  4. Repeat for the other actions, as desired.

Configure the 'Find Affected Business Applications' workflow action

In order to use the Find Affected Business Applications action, you must configure the App with the IP address of your AlgoSec server.

Do the following:

  1. Go to Settings -> Fields and choose Workflow actions.

  2. Choose ABFAppLookup.

  3. Update the URL field with your AlgoSec Server IP address.

Customize the parameters used to calculate internet exposure

The Security Incident Analysis page includes a box which details Exposure to the Internet. This information is based on traffic simulation query results performed by AlgoSec Firewall Analyzer. By default, the query runs with the chosen IP address as the source, '8.8.8.8' (representing the Internet) as the destination, and 'any' as the service.

If desired, you can customize these parameters. For example, you may want to check connectivity from the Internet to the chosen server, use a different IP address to represent the Internet, or check connectivity to other areas of the network (such as critical internal networks).

Do the following:

  1. Open the AlgoSec App, choose Edit, and then click Edit Source (XML).

  2. Scroll down to the last panel and edit the following line to represent the traffic simulation query you prefer.

    <query>| afaquery src="$ip$" dst="8.8.8.8"</query>

  3. To add additional queries, do the following:

    1. Duplicate the panel by copying all the lines from the <panel> start tag to the matching </panel> end tag.
    2. Modify the panels to represent the traffic simulation queries you prefer.

  4. Click Save.
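As an added illustration (not the AlgoSec App's own dashboard source), the following Simple XML fragment shows the default outbound panel next to a duplicated panel that checks the reverse direction, from the Internet to the chosen server. The form wrapper, the text input that sets the $ip$ token, and the panel titles are assumptions; only the afaquery line and the 8.8.8.8 convention come from the App as described above.

```xml
<!-- Added example, not the AlgoSec App's real dashboard XML. The form/input
     wrapper and panel layout are assumed; the App's actual source may differ. -->
<form>
  <label>Security Incident Analysis (example)</label>
  <fieldset submitButton="true">
    <!-- Sets the $ip$ token referenced by the afaquery lines below -->
    <input type="text" token="ip">
      <label>Server IP</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Default panel: chosen server as source, 8.8.8.8 stands for the Internet -->
      <title>Exposure to the Internet (outbound, default query)</title>
      <table>
        <search>
          <query>| afaquery src="$ip$" dst="8.8.8.8"</query>
        </search>
      </table>
    </panel>
    <panel>
      <!-- Duplicated panel with src and dst swapped: is the server reachable
           from the Internet? Copy from <panel> to </panel>, then edit the query. -->
      <title>Exposure from the Internet (inbound, added query)</title>
      <table>
        <search>
          <query>| afaquery src="8.8.8.8" dst="$ip$"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

A third copy of the panel with dst set to an internal network address checks exposure toward critical internal segments in the same way.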

Customize the Isolate Server change request

By default, the Isolate Server function creates a change request with two traffic lines: one line blocks traffic from the chosen server to 'any' with 'any' service, and the other blocks traffic from 'any' to the chosen server with 'any' service. If desired, you can customize these parameters by editing the 'isolate server' script.

Do the following:

  1. Go to the following path in your Splunk server file system: \etc\apps\TA-AlgoSec_Incident_Handling\bin

  2. Find AFFIsolateServer.py.

  3. Edit the script and change the parameters per your needs.

Customize the conditions for Business Application Criticality

By default, a business application is marked as critical when one of the affected applications has the 'critical' label. If desired, you can specify different conditions, by editing the relevant script. Similarly, you can also extract additional information from AppViz (e.g. technical contacts/owners of the affected applications).

Do the following:

  1. Go to the following path in your Splunk server file system: \etc\apps\TA-AlgoSec_Incident_Handling\bin

  2. Find ABFSearch.py.

  3. Edit the script as desired.

AlgoSec features in other Splunk apps

AlgoSec capabilities can be activated from within other Splunk Apps (built-in or custom) by using the Workflow Actions. By default, these actions appear in the Actions menus of IP addresses in the following fields:

  • source_ip
  • dest_ip
  • ip
  • src_ip
  • dst_ip
  • source
  • destination
  • server_ip

The IP address from the chosen field will be automatically populated in the AlgoSec App pages. For more details, see Customize the fields supporting AlgoSec workflow actions.

In addition, the workflow actions include the pre-defined Find Affected Business Applications (AlgoSec) action. Clicking it opens an AlgoSec AppViz window with a list of all the business applications affected by the chosen IP address. For more details, see Configure the 'Find Affected Business Applications' workflow action.

You can pick and choose AlgoSec functionality, customize it, and incorporate it in your own custom Splunk Apps.

Do the following:

  1. Copy the relevant configuration parameters to your Splunk App (AlgoSec server IP, username/password, etc.).
  2. Copy the scripts and panels to your own Splunk Apps.

Tip: You can also use the scripts in the AlgoSec App as a reference.