Splunk Integration
- When Splunk generates an alert for an incident, it sends a JSON payload to the URL provided in Workflow Actions.
- The POSTed payload contains important information about the alert, such as the Host Name, IP Address, and other alert-specific details.
- Upon receiving this JSON data, AIR parses the payload, extracts the IP address or Hostname from it, and automatically assigns an acquisition task to the endpoint in question. The acquisition profile used for this task is the one you select when you create the trigger.
- Visit the Triggers page in Binalyze AIR
- Click the "+ New Trigger" button on the upper right corner
- Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.)
- Select "Splunk: Generic Splunk Webhook Parser" as the parser for this trigger
- Select an Acquisition Profile that will be used when this trigger is activated by Splunk
- Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint)
- Provide other settings such as Compression, Encryption, Evidence Repository to use or let AIR configure them automatically based on the matching policy
- Click the "Save" button
- Hover your mouse over the link below the Trigger name and click to copy it (see below)
- Provide the Trigger URL you copied above as the URI of the newly created Workflow Action
- Make sure you have provided the Host Name or IP Address in the Post Arguments
- At this point, whenever Splunk generates an alert for an endpoint, the information will be sent to AIR for it to automatically assign an acquisition task to the endpoint in question.
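The receiving side of the flow described above, written as an added example rather than Binalyze AIR's or Splunk's own code: it parses a POSTed alert body, pulls out the Host Name or IP Address, validates it before anything is scheduled, and applies the trigger's Ignore window so a recurrent alert for the same endpoint does not queue a second acquisition inside the window. The field names (`host`, `ip_address`, and so on), the `result` nesting, the in-memory `IgnoreWindow` and all sample bodies are assumptions constructed for this example; a real trigger maps whatever field names your Workflow Action's Post Arguments carry.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta
from typing import Optional

# Field names searched for the endpoint identifier, in order of preference.
# These names are assumptions for this example: the Post Arguments of a
# Splunk Workflow Action carry whatever field names the alert author chose.
IP_FIELDS = ("ip", "ip_address", "dest_ip")
HOST_FIELDS = ("host", "hostname", "host_name", "dest_host")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def extract_endpoint(payload: dict) -> Optional[dict]:
    """Return {"kind": "ip"|"hostname", "value": ...} or None if nothing usable."""
    # Workflow Action Post Arguments arrive at the top level; a Splunk alert
    # webhook nests the triggering event's fields under "result". This example
    # assumes both shapes and checks the top level first.
    for fields in (payload, payload.get("result") or {}):
        if not isinstance(fields, dict):
            continue
        for key in IP_FIELDS:
            raw = fields.get(key)
            if isinstance(raw, str) and raw.strip():
                try:
                    return {"kind": "ip", "value": str(ipaddress.ip_address(raw.strip()))}
                except ValueError:
                    pass  # field present but not an IP address; keep looking
        for key in HOST_FIELDS:
            raw = fields.get(key)
            if isinstance(raw, str) and _HOSTNAME_RE.match(raw.strip()):
                return {"kind": "hostname", "value": raw.strip().lower()}
    return None


class IgnoreWindow:
    """Suppress repeated task assignment for one endpoint (the trigger's
    Ignore option; the page states it defaults to 24 hours)."""

    def __init__(self, window: timedelta = timedelta(hours=24)):
        self.window = window
        self._last_assigned: dict = {}

    def should_assign(self, endpoint: str, now: datetime) -> bool:
        last = self._last_assigned.get(endpoint)
        if last is not None and now - last < self.window:
            return False
        self._last_assigned[endpoint] = now
        return True


def handle_alert(body: bytes, ignore: IgnoreWindow, now: datetime) -> dict:
    """Decide what to do with one POSTed alert body."""
    try:
        payload = json.loads(body)
    except ValueError:
        return {"status": "rejected", "reason": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return {"status": "rejected", "reason": "payload is not a JSON object"}
    endpoint = extract_endpoint(payload)
    if endpoint is None:
        return {"status": "rejected", "reason": "no Host Name or IP Address in payload"}
    if not ignore.should_assign(endpoint["value"], now):
        return {"status": "ignored", "reason": "endpoint alerted inside ignore window",
                "endpoint": endpoint}
    return {"status": "assigned", "endpoint": endpoint,
            "search_name": payload.get("search_name")}


# Constructed sample bodies for this example (not real Splunk output).
SAMPLE_BODIES = [
    json.dumps({"search_name": "RDP Brute Force", "host": "WS-042.corp.example"}).encode(),
    json.dumps({"search_name": "RDP Brute Force", "host": "ws-042.corp.example"}).encode(),
    json.dumps({"search_name": "Phishing Detected",
                "result": {"ip_address": "10.20.30.40"}}).encode(),
    json.dumps({"search_name": "Broken", "host": "not a host;"}).encode(),
    b"this is not json",
]


def run_demo() -> list:
    """Feed the samples through one ignore window; returns the decision statuses."""
    ignore = IgnoreWindow()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    statuses = []
    for i, body in enumerate(SAMPLE_BODIES):
        statuses.append(handle_alert(body, ignore, t0 + timedelta(minutes=i))["status"])
    # The same host a day later falls outside the window and is assigned again.
    statuses.append(handle_alert(SAMPLE_BODIES[0], ignore, t0 + timedelta(hours=25))["status"])
    return statuses


if __name__ == "__main__":
    print(run_demo())  # ['assigned', 'ignored', 'assigned', 'rejected', 'rejected', 'assigned']
```

The validation step is the part worth keeping whatever field names you end up using: the value taken from the alert becomes the target of an acquisition task, so an alert body that carries neither a well-formed hostname nor an IP address is rejected outright instead of being passed on, and the Ignore window is keyed on the normalized value so that case differences in the hostname do not defeat it.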

Trigger URL to use for providing Splunk URI parameter