In this guide, you will create a user account for Expel that keeps Expel activity separate from other activity in the Splunk console.
Prerequisites
- Expel needs access to the Splunk device or instance through port 8000 (UI) and 8089 (API). For cloud instances, follow the Splunk Configure IP Allow List instructions to grant Expel these access privileges:
- Search head API access
- Search head UI access
- Add Expel's six egress IP addresses to your IP allow list. All requests to rest API come from one of these six IP addresses. If you skip this step, this configuration only allows access to your Splunk environment from the Expel infrastructure.
Quick Start
- Enable Splunk Console Access
- Retrieve and Provide a List of Indexes and Source Types
- Add Splunk as a Security Device in Workbench
- Edit the Device in Workbench to Add Console Access
Step 1: Enable Splunk Console Access
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech. Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes.
- Log into Splunk.
- Navigate to Settings > Access Controls > Users.
- Select Add new.
- Complete the fields:
- Name - enter "Expel".
- Full name - enter "Expel SOC".
- Email address - type "soc@expel.io".
- Password - provide a password.
- Time Zone - select GMT (or UTC).
- Assign roles - select User.
- Require password change on first login - clear this option.
- Select Save.
- Now that you have enabled console access in Splunk, you may choose to configure this integration in Workbench on your own, or you may contact Expel Support to do it for you. If you would like to do it yourself, continue with the following steps.
Step 2: Retrieve and Provide a List of Indexes and Source Types
Providing Expel with a list of indexes and sourcetypes for your Splunk environment will allow us to query your data more efficiently.
- From Spunk Home, select Search & Reporting in the Apps panel.
- In the Search field, enter this string:
| tstats values(sourcetype) where index=* by index
- Select the Search icon to return results.
- In the toolbar beneath the search bar, choose an option to export the search results in PDF, Raw Events, or CSV format.
Step 3: Add Splunk as a Security Device in Workbench
Now that you have the correct access configured and have noted the credentials, you can integrate your technology with Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search field, type “Splunk” and then select the Splunk integration.
- If your installation is on premises (On-prem), then select the Assembler connected to the Splunk device. This is the assembler you set up in Add a New Assembler. Otherwise, choose Cloud.
- Complete the fields as follows:
- Name - enter the hostname of the Splunk device.
- Location - enter the geographic location of the appliance.
- Username - enter "soc@expel.io".
-
Password - enter the password you created in Step 1.
-
Note: Expel manages Basic authentication by passing the Splunk username and password combination in an API request. The following code snippet shows how these values are passed:
import splunklib.client as client
Expel also supports Splunk API tokens for non-Basic authentication support, which you can create using Splunk documentation.
service = client.connect(host=<host_url>, username=<username>, password=<password>, autologin=True)
-
Note: Expel manages Basic authentication by passing the Splunk username and password combination in an API request. The following code snippet shows how these values are passed:
-
Splunk Enterprise Security instance? - leave this blank.
- Note: Splunk Enterprise Security alerts require review by Expel before enabling. Contact Expel Support for details.
-
Server address:
- Cloud - type the Splunk server address and port 8089. For example: https://<domainname>.splunkcloud.com:8089
- On-prem - type the Splunk console IP address and port 8089. For example: https://10.10.10.10:8089/
- Select Save.
You can determine if the device is healthy by navigating to Organization Settings > Security Devices. It may take a few minutes for the devices to report as healthy.
To check if alerts are coming through:
- Use the sidebar to navigate to Alerts.
- In the upper right, switch to Grid View.
- Use the Type column filter to select Splunk as the device type.
It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Step 4: Edit the Device in Workbench to Add Console Access
Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.
- Open Workbench.
- Navigate to Organization Settings > Security Devices.
- Next to the device you just connected, select the down arrow and select Edit.
- In the Console Login area, enter these details:
- Console URL - enter the console URL from the Server address in the Connection Settings area above. At the end of the URL, enter "/login".
- Username - enter "soc@expel.io".
- Password - enter the password you created Step 1.
- Two-factor secret key (32-character code): depending on how your organization enforces logins, this field may not apply to you. In these cases, you can leave it blank. This field is optional and if you have questions or concerns, contact Expel Support.
- Select Save.