In this guide, you will create a user account for Expel that keeps Expel activity separate from other activity in the Splunk console.

Prerequisites

  1. Expel needs access to the Splunk device or instance through ports 8000 (UI) and 8089 (API). For cloud instances, follow the Splunk Configure IP Allow List instructions to grant Expel these access privileges:
    • Search head API access
    • Search head UI access
  2. Add Expel's six egress IP addresses to your IP allow list. All requests to the REST API come from one of these six IP addresses, so with the allow list in place, access to your Splunk environment is limited to the Expel infrastructure.

Quick Links

  1. Enable Splunk Console Access
  2. Retrieve and Provide a List of Indexes and Source Types
  3. Add Splunk as a Security Device in Workbench
  4. Edit the Device in Workbench to Add Console Access
  5. Additional Criteria for Support

Step 1: Enable Splunk Console Access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. For more information, see Why Expel Asks for Console Access.

Note

Expel stores all login information our SOC analysts need for your devices in a password management product, and access to that information is protected by our internal MFA processes.

  1. Log into Splunk.
  2. Navigate to Settings > Access Controls > Users.
  3. Select Add new.
  4. Complete the fields:
    • Name - enter "Expel".
    • Full name - enter "Expel SOC".
    • Email address - type "soc@expel.io".
    • Password - provide a password.
    • Time Zone - select GMT (or UTC).
    • Assign roles - select User.
    • Require password change on first login - clear this option.
  5. Select Save.
  6. Before moving on to the next section, make sure to give this newly created user permissions to view the Notable index and the Notable macro. If you need help completing this step, refer to the Splunk documentation.

Step 2: Retrieve and Provide a List of Indexes and Source Types

Providing Expel with a list of indexes and sourcetypes for your Splunk environment will allow us to query your data more efficiently.

  1. From Splunk Home, select Search & Reporting in the Apps panel.
  2. In the Search field, enter this string:
    | tstats values(sourcetype) where index=* by index
  3. Select the Search icon to return results.
  4. In the toolbar beneath the search bar, choose an option to export the search results in PDF, Raw Events, or CSV format.

Step 3: Add Splunk as a Security Device in Workbench

Now that you have the correct access configured and have noted the credentials, you can integrate your technology with Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Select Add Security Device.
  4. In the search field, type “Splunk” and then select the Splunk integration.
  5. If your installation is on premises (On-prem), then select the Assembler connected to the Splunk device. This is the assembler you set up in Add a New Assembler. Otherwise, choose Cloud.
  6. Complete the fields as follows:
    • Name - enter the hostname of the Splunk device.
    • Location - enter the geographic location of the appliance.
    • Username - enter "soc@expel.io".
    • Password - enter the password you created in Step 1.
      • Note: Expel manages Basic authentication by passing the Splunk username and password combination in an API request. The following Python snippet, using the Splunk SDK (splunklib), shows how these values are passed:
        import splunklib.client as client
        # Connect to the management API (port 8089) over HTTPS; autologin re-authenticates if the session expires.
        service = client.connect(host="<host_url>", port=8089, scheme="https", username="<username>", password="<password>", autologin=True)
        Expel also supports Splunk API tokens for non-Basic authentication, which you can create by following the Splunk documentation.
    • Splunk Enterprise Security instance? - leave this blank.
      • Note: Splunk Enterprise Security alerts require review by Expel before they are enabled. Contact Expel Support for details.
    • Server address:
      • Cloud - type the Splunk server address and port 8089. For example: https://<domainname>.splunkcloud.com:8089
      • On-prem - type the Splunk console IP address and port 8089. For example: https://10.10.10.10:8089/
  7. Select Save.
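
The following script is an added example (not Expel's or Splunk's own code) that ties Step 2 and the Basic-auth note above together: it runs the Step 2 inventory search as the newly created user over the same port 8089 connection Workbench uses, maps each index to its sourcetypes, and flags when the Notable index is not visible, which is what you see when the user was not granted the permission from Step 1. The live function assumes the splunk-sdk package is installed and that Splunk's CSV export writes a multivalue cell as newline-separated values in one quoted field; the parsing runs offline on a constructed sample.

```python
import csv
import io

# Index the Expel user must be able to search (Step 1, item 6).
NOTABLE_INDEX = "notable"

# Step 2 search, unchanged from the guide.
INVENTORY_SEARCH = "| tstats values(sourcetype) where index=* by index"

# Constructed sample of the CSV export: a multivalue cell is one quoted
# field with newline-separated values (assumption about the export format).
SAMPLE_CSV = (
    "index,values(sourcetype)\n"
    'main,"access_combined\nsyslog"\n'
    "notable,stash\n"
)


def parse_tstats_csv(csv_text: str) -> dict[str, set[str]]:
    """Map each index in the exported results to its set of sourcetypes."""
    mapping: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        values = row.get("values(sourcetype)") or ""
        mapping[row["index"]] = {v for v in values.split("\n") if v}
    return mapping


def missing_notable(mapping: dict[str, set[str]]) -> bool:
    """tstats only lists indexes the user's role may search, so an absent
    notable index means the Step 1 permission was not applied."""
    return NOTABLE_INDEX not in mapping


def fetch_inventory(host: str, username: str, password: str,
                    port: int = 8089) -> dict[str, set[str]]:
    """Live version: authenticate the way the Workbench integration does
    (Basic auth over HTTPS to 8089) and run the inventory search."""
    import splunklib.client as client  # assumption: splunk-sdk is installed
    service = client.connect(host=host, port=port, scheme="https",
                             username=username, password=password,
                             autologin=True)
    body = service.jobs.oneshot(INVENTORY_SEARCH, output_mode="csv")
    return parse_tstats_csv(body.read().decode())


if __name__ == "__main__":
    inventory = parse_tstats_csv(SAMPLE_CSV)
    for index, sourcetypes in sorted(inventory.items()):
        print(index, sorted(sourcetypes))
    if missing_notable(inventory):
        print("WARNING: notable index not visible; re-check Step 1, item 6")
```

Run fetch_inventory() with the "Expel" user's credentials against your own search head to produce the list for Step 2 and to confirm the permissions from Step 1 before adding the device in Workbench.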

You can determine if the device is healthy by navigating to Organization Settings > Security Devices. It may take a few minutes for the devices to report as healthy.

To check if alerts are coming through:

  1. Use the sidebar to navigate to Alerts.
  2. In the upper right, switch to Grid View.
  3. Use the Type column filter to select Splunk as the device type.

It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Step 4: Edit the Device in Workbench to Add Console Access

Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.

  1. Open Workbench.
  2. Navigate to Organization Settings > Security Devices.
  3. Next to the device you just connected, select the down arrow and select Edit.
  4. In the Console Login area, enter these details:
    • Console URL - enter the console URL from the Server address in the Connection Settings area above. At the end of the URL, enter "/login".
    • Username - enter "soc@expel.io".
    • Password - enter the password you created in Step 1.
    • Two-factor secret key (32-character code) - depending on how your organization enforces logins, this field may not apply to you; in that case, leave it blank. The field is optional, and if you have questions or concerns, contact Expel Support.
  5. Select Save.

Additional Criteria for Support

The actions below improve our ability to normalize custom alerts so they are properly presented in Workbench. They also equip our analysts with necessary context so they can make informed decisions.

CIM Compliance
To properly display alert evidence in Workbench, fields must be normalized according to Splunk's Common Information Model (CIM). Expel uses only a portion of the 500 CIM fields available for alert normalization, and it uses version 6 of the CIM.

Proper normalization also enables Ruxie to perform automated actions on the alert. We rely on proper normalization to create detections, suppressions, bloom for detections (alert deduplication), BOLOs, and in-depth DUET messages. If a CIM field is not one Expel uses and you request that it be part of alert normalization or DUET messages, we typically can't support the request.

Please review the fields being returned from Splunk searches to ensure they map to what is shown in Splunk's Common Information Model Add-on Manual.

Use the Description Field
Any additional information about the custom rule that may be useful for our analysts should be included in the Description. Examples include the detection’s intent and suggested steps to triage.