Synapse-Splunk Admin Guide

Configuration

Synapse-Splunk requires a Splunk authentication token (API key). For information on how to create authentication tokens, see the Splunk documentation. A token configured globally is used on behalf of every Synapse user of the power-up, so whatever that token is allowed to search in Splunk, every permitted Synapse user can search too; per-user tokens keep that scope with the individual user.

Setting API key for global use

To set up a global API key (used for all users):

> splunk.setup.apikey myapikey
Setting Splunk API key for all users.

Using per-user API keys

A user may set up their own API key:

> splunk.setup.apikey --self myapikey
Setting Splunk API key for the current user.

Dependencies

Synapse-Splunk does not have any dependencies.

Permissions

Package (synapse-splunk) defines the following permissions:
power-ups.splunk.user            : Controls user access to Synapse-Splunk. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.splunk.user
Added rule power-ups.splunk.user to user visi.

or:

> auth.role.addrule ninjas power-ups.splunk.user
Added rule power-ups.splunk.user to role ninjas.

Exported APIs

Synapse-Splunk exports the following Storm APIs.

ingestSearch(query, mintime="-24hours", maxtime="now", dryrun=$lib.false, scrape=$lib.true)
--------------------------------------------------------------------------

    Execute a search and optionally create it:log:event nodes

    Args:
        query (str): The query string to use to execute a new search.
        mintime (time or None): The minimum time, castable to the Synapse time type.
        maxtime (time or None): The maximum time, castable to the Synapse time type.
        dryrun (bool): If true, no nodes are created, and the results are printed instead.
        scrape (bool): If true, scrape indicators from the _raw field.

    Yields:
        storm:node: it:log:event nodes if dryrun=False.


search(search_id=$lib.null, query=$lib.null)
--------------------------------------------

    Emit results from an existing search or new query.

    One of search_id or query must be provided.

    Args:
        search_id (str or None): The Splunk search id if retrieving results from an existing query
        query (str or None): The query string to use to execute a new search.

    Emits:
        dict: A dictionary of field:value for each result
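The following Storm query is an added example, not code from the Synapse-Splunk package or its documentation. It shows the safe order of operations for the two APIs above: a dry run of ingestSearch() to check the SPL query without creating nodes, a read-only pass over the raw rows emitted by search(), and only then the real ingest with a tag applied to the resulting it:log:event nodes. The module name passed to $lib.import, the index name, the field in the SPL query and the tag are assumptions made up for illustration.

```storm
// Added example; assumptions: the power-up is imported as
// $lib.import(synapse.splunk), and index "proxy", field "action" and the
// tag #splunk.proxy.blocked are placeholders, not values from the docs.
$splunk = $lib.import(synapse.splunk)

$query = "search index=proxy action=blocked"

// 1. Dry run first: no nodes are created, the results are printed instead,
//    so a bad SPL query cannot pollute the graph. Iterating the generator is
//    what executes it; with dryrun it yields nothing, hence the no-op body.
for $n in $splunk.ingestSearch($query, mintime="-7days", maxtime="now", dryrun=$lib.true) {
    continue
}

// 2. Read-only inspection: search() emits one dict of field:value per row.
//    Count the rows and pretty-print them without touching the graph.
$count = (0)
for $row in $splunk.search(query=$query) {
    $count = ($count + 1)
    $lib.pprint($row)
}
$lib.print("splunk returned {count} rows for the last 7 days", count=$count)

// 3. Real run, placed last: yield the it:log:event nodes (indicators are
//    scraped from _raw because scrape defaults to $lib.true) and tag them so
//    the ingest is traceable. Everything above ran once with an empty
//    pipeline; the edit block below runs once per yielded node.
yield $splunk.ingestSearch($query, mintime="-7days", maxtime="now")
[ +#splunk.proxy.blocked ]
```

The yield is deliberately the final statement: in Storm every statement after it would execute once per node in the pipeline, so a search() loop placed after the yield would be re-run for each ingested event.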

Workflows

Synapse-Splunk provides the following workflows in Optic:

Title: Configuration
Title: Data explorer

Node Actions

Synapse-Splunk provides the following node action in Optic:

Name : Search indicator(s)
Desc : Execute a free text search for the selected indicators
Forms: hash:sha256, hash:md5, hash:sha1, inet:email, inet:fqdn, inet:ipv4, inet:ipv6, inet:mac, inet:url