Creating Splunk App for Enterprise Security Technology Add-Ons

This is a write-up for creating Technology Add-ons for the Splunk App For Enterprise Security.

This idea and blog post were spawned from the need to populate dashboards in the Splunk App for Enterprise Security with data from two Radware products: the AppWall web application firewall and the DefensePro DDoS protection and attack mitigation platform.

Several methods exist for sending security events from the Radware platforms, but for this example I chose syslog over UDP for ease of demonstration.

Creating Indexes

First I created an index for Radware events in Splunk. To keep things simple I named the index "radware". More information on creating indexes can be found here on the Splunk website.

Creating Network Inputs

I created two UDP inputs: port 514 for DefensePro and port 614 for AppWall. For DefensePro I assigned the sourcetype radware_dp so searches can be filtered easily later, and I did the same for AppWall with the sourcetype radware_aw. More information on creating inputs from network ports can be found here on the Splunk website.

Activate Syslog on Radware Devices

I configured the DefensePro and AppWall to send security events via syslog as their respective user guides indicate; the guides can be downloaded from Radware's website. I used this guide from Radware to identify the DefensePro fields needed to extract the data with regular expressions. Similar regular expressions were used for AppWall.

Creating Splunk Add-Ons

To create a Splunk Technology Add-on I chose to build a barebones app with the Splunk App builder. It is important that you use the prefix TA for your app name, for example TA-YourAppNameHere. Believe me, it will require less modification to Splunk if you follow this naming convention. More information on the Splunk App builder can be found here.

I created TA-radware_dp and TA-radware_aw, which give you a basic framework in which to place your configuration files. The two Technology Add-ons I created are very basic and contain an eventtypes.conf, inputs.conf, props.conf, and tags.conf file located in the $SPLUNK_HOME/etc/apps/TA-radware_dp/local path. I have included the contents of each file below as well as a link to download the complete Technology Add-ons here. When creating Technology Add-ons, make sure to normalize your data using the Common Information Model.

TA-radware_dp
eventtypes.conf
[radware_dp]
search = sourcetype=radware_dp
tags = network communicate ids

[radware_dp_attack]
search = sourcetype=radware_dp
tags = attack

inputs.conf
[udp://514]
connection_host = ip
index = radware
sourcetype = radware_dp

props.conf
[radware_dp]
# Timestamp follows the first colon-plus-whitespace in the event
TIME_PREFIX = :\s
TIME_FORMAT = %d-%m-%Y %H:%M:%S
pulldown_type = 1
# Index-time rewrite: map "info" to the CIM value "informational" so that
# EXTRACT-severity below can match it
SEDCMD-radware_dp_risk = s/info/informational/g
# CIM constants for the Intrusion Detection data model
EVAL-ids_type = "network"
EVAL-vendor = "Radware"
EVAL-product = "DefensePro"
# Search-time extractions; positional on the DefensePro syslog attack line
EXTRACT-attack_dst_ip = (?i)^(?:[^\.]*\.){6}\d+\s+\d+\s+(?P<dest>[^ ]+)
EXTRACT-attack_source_ip = (?i)^(?:[^"]*"){2}\s+\w+\s+(?P<src>[^ ]+)
EXTRACT-action = (?i)^(?:[^/]*/){2}\w+\s+\w+\s+(?P<action>[^ ]+)
EXTRACT-attack_dst_pt = (?i)^(?:[^\.]*\.){9}\d+\s+(?P<dest_port>[^ ]+)
EXTRACT-attack_name = (?i)^[^"]*"(?P<signature>[^"]+)
EXTRACT-attack_src_pt = (?i)^(?:[^\.]*\.){6}\d+\s+(?P<src_port>[^ ]+)
EXTRACT-attack_status = (?i)^(?:[^"]*"){4}\s+(?P<attack_status>[^ ]+)
EXTRACT-context = (?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+\d+\s+(?P<context>[^ ]+)
EXTRACT-phys_pt = (?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+(?P<phys_pt>[^ ]+)
EXTRACT-policy_name = (?i) Regular "(?P<policy_name>[^"]+)
EXTRACT-protocol = (?i) .*?" (?P<protocol>\w+)(?= )
EXTRACT-radware_id = (?i) WARNING (?P<signature_id>[^ ]+)
EXTRACT-unique_id = (?i) drop (?P<unique_id>.+)
EXTRACT-bandwidth = (?i)^(?:[^"]*"){4}\s+\w+\s+\d+\s+(?P<bandwidth>[^ ]+)
EXTRACT-category = (?i) WARNING \d+\s(?P<category>[a-zA-Z_-]+)
EXTRACT-packet_count = (?i) ongoing (?P<packet_count>[^ ]+)
EXTRACT-severity = \s(?<severity>high|medium|informational|low)\s

tags.conf
[eventtype=radware_dp]
network = enabled
communicate = enabled
ids = enabled

[eventtype=radware_dp_attack]
attack = enabled
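
To check that the TA-radware_dp props.conf above produces the CIM fields the Intrusion Center dashboard expects before deploying it, here is an added Python example (not the page's or Radware's code) that replays the SEDCMD, EXTRACT and EVAL settings over a constructed sample event. The event layout and the device IP in the syslog header are assumptions chosen to fit the page's regexes, not a captured DefensePro line.

```python
import re

# EXTRACT-* patterns copied from the page's TA-radware_dp props.conf; only
# the severity group is written (?P<severity>...) because Python's re needs
# the P form (Splunk's PCRE accepts both spellings).
EXTRACTS = [
    r'(?i)^(?:[^\.]*\.){6}\d+\s+\d+\s+(?P<dest>[^ ]+)',
    r'(?i)^(?:[^"]*"){2}\s+\w+\s+(?P<src>[^ ]+)',
    r'(?i)^(?:[^/]*/){2}\w+\s+\w+\s+(?P<action>[^ ]+)',
    r'(?i)^(?:[^\.]*\.){9}\d+\s+(?P<dest_port>[^ ]+)',
    r'(?i)^[^"]*"(?P<signature>[^"]+)',
    r'(?i)^(?:[^\.]*\.){6}\d+\s+(?P<src_port>[^ ]+)',
    r'(?i)^(?:[^"]*"){4}\s+(?P<attack_status>[^ ]+)',
    r'(?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+\d+\s+(?P<context>[^ ]+)',
    r'(?i)^(?:[^\.]*\.){9}\d+\s+\d+\s+(?P<phys_pt>[^ ]+)',
    r'(?i) Regular "(?P<policy_name>[^"]+)',
    r'(?i) .*?" (?P<protocol>\w+)(?= )',
    r'(?i) WARNING (?P<signature_id>[^ ]+)',
    r'(?i) drop (?P<unique_id>.+)',
    r'(?i)^(?:[^"]*"){4}\s+\w+\s+\d+\s+(?P<bandwidth>[^ ]+)',
    r'(?i) WARNING \d+\s(?P<category>[a-zA-Z_-]+)',
    r'(?i) ongoing (?P<packet_count>[^ ]+)',
    r'\s(?P<severity>high|medium|informational|low)\s',
]
SEDCMD = "s/info/informational/g"  # SEDCMD-radware_dp_risk
EVALS = {"vendor": "Radware", "product": "DefensePro", "ids_type": "network"}

# Constructed sample event (assumption, not a real DefensePro log): the 6-dot
# and 9-dot counts in the regexes only work if the syslog header carries the
# device IP ahead of the DefensePro message, so one is included here.
SAMPLE = ("Mar 17 10:08:25 10.0.0.1 DefensePro: 17-03-2015 10:08:25 WARNING 400 DoS "
          '"Network flood IPv4 UDP" UDP 198.51.100.23 0 203.0.113.10 53 1 0 '
          'Regular "Policy-Web" ongoing 12345 6789 N/A N/A info drop 0xc3b4a1')

def apply_sedcmd(sedcmd: str, event: str) -> str:
    """Apply one props.conf SEDCMD of the form s/<regex>/<replacement>/<flags>."""
    _, pattern, repl, flags = sedcmd.split("/")
    return re.sub(pattern, repl, event, count=0 if "g" in flags else 1)

def normalize(raw: str, sedcmd: str = SEDCMD) -> dict:
    """Index-time SEDCMD first, then search-time EXTRACT and EVAL fields."""
    event = apply_sedcmd(sedcmd, raw)
    fields = {"sourcetype": "radware_dp"}
    for pattern in EXTRACTS:
        m = re.search(pattern, event)
        if m:  # like Splunk, a non-matching extraction simply yields no field
            fields.update(m.groupdict())
    fields.update(EVALS)  # EVAL-vendor, EVAL-product, EVAL-ids_type
    return fields
```

Calling normalize(SAMPLE) returns src, dest, dest_port, signature, severity and the other CIM fields; passing a SEDCMD that does not rewrite "info" leaves severity absent, which is why the SEDCMD must run at index time before the extraction can match.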

TA-radware_aw
eventtypes.conf
[radware_aw]
search = sourcetype=radware_aw NOT Resource=Sub-System NOT Resource=Tunnel
tags = application ids

[radware_aw_attack]
search = sourcetype=radware_aw IsPassive=False NOT Resource=Sub-System NOT Resource=Tunnel
tags = attack

inputs.conf
[udp://614]
connection_host = ip
index = radware
sourcetype = radware_aw

props.conf
[radware_aw]
FIELDALIAS-radware_aw = Object AS category Priority AS severity SourceIP AS src Title AS signature WebUser AS user SourcePort AS src_port
SEDCMD-radware_aw_risk = s/High/high/g s/Medium/medium/g s/Low/low/g
pulldown_type = 1
EVAL-vendor = "Radware"
EVAL-product = "AppWall"
EVAL-ids_type = "application"
EXTRACT-dest = (?i)^[^\!]*\!\s+\w+\s+\w+\s+\[(?P<dest>[^,]+)
EXTRACT-dest_port = (?i)^[^\!]*\!\s+\w+\s+\w+\s+\[\d+\.\d+\.\d+\.\d+,(?P<dest_port>[^\]]+)
tags.conf
[eventtype=radware_aw]
application = enabled
ids = enabled

[eventtype=radware_aw_attack]
attack = enabled

The End Results

If everything goes as planned, after installing the TAs your Intrusion Center dashboard should look something like this:

Happy Splunking!