Gigamon Adaptive Response Application for Splunk
====================================================
Splunk Adaptive Response helps organizations better combat advanced attacks through a unified defense by leveraging end-to-end context and automated responses to events. Advanced cyber adversaries are continuously leveraging new attack methods that span multiple domains, launching devastating attacks that often leave enterprises vulnerable. Despite advancements in security technologies, most solutions are not designed to work together out-of-the-box, making it challenging to coordinate a response. By leveraging adaptive security architecture, the Adaptive Response framework in Splunk Enterprise Security Suite provides end-to-end context and automated response across many of the world’s leading security technologies – enabling customers to quickly detect threats and execute response.
Gigamon Adaptive Response Application for Splunk provides Splunk administrators with Alert Actions to be taken on Gigamon Visibility nodes via GigaVUE® Fabric Manager (GigaVUE-FM). These actions can be bound to correlation searches in Splunk Enterprise Security for automated response, or executed on an ad-hoc basis from Notable events. The app leverages Splunk's Adaptive Response Framework and uses the GigaVUE-FM® RESTful API to perform response actions on Gigamon Visibility nodes.
The overall onboarding and provisioning process includes several steps. This guide assumes that the customer already has a functional installation of Splunk Enterprise Security Suite (Splunk ES). The steps to follow are:
The next sections will guide you through each step.
Prior to installing the Gigamon Adaptive Response Application for Splunk, ensure that both Splunk Enterprise and Enterprise Security Suite are installed and configured properly. Also verify that the data ingestion method (Splunk Stream or another chosen method) is configured properly and that data is being indexed in Splunk.
It is highly recommended that you remove the previous version of the app before installing the current version. You may refer to Splunk docs to remove an app.
Download and install the Gigamon Adaptive Response Application for Splunk from Splunkbase. Refer to the below guides for installing the app on a single server or distributed installation.
To download and install the app, you will need an active Splunk account. When you click Install on Splunkbase, a login screen asks you to enter your Splunk account credentials and to accept the Splunk terms to proceed. A restart of the Splunk service is required after installing the application.
Upon successful completion of the installation, the Gigamon Adaptive Response Application for Splunk icon should be visible on the Splunk main page. Click the icon to access the app. Since this is the first launch, an App configuration page opens. Click "Continue to app setup page" and you should be presented with the Gigamon End User License Agreement (EULA). Read the terms and acknowledge them by checking the box at the bottom of the page. By clicking Save you agree to be bound by the EULA terms.
Upon acceptance of the EULA, you are navigated to the Action Setup page of the Gigamon Adaptive Response Application. First-time users need to save the GigaVUE-FM® credentials for alert actions in the GigaVUE Fabric Manager Credentials section under the Configuration tab. You may optionally check Verbose to enable debug message logging. Click Save to continue. This step needs to be repeated ONLY when the GigaVUE-FM® credentials are updated. Before proceeding, ensure the GigaVUE-FM® instance is reachable from the Splunk instance.
The Adaptive Response Application allows Splunk administrators to place a PASS or a DROP rule in an existing byRule map. An action, in the context of this application, defines a set of maps present on a single node/cluster that are updated with a single pass or drop rule. Each action is identified by a unique action identifier, which is tied to correlation searches in Splunk ES. Below are a few actions for illustration purposes.
Action Identifier | GigaVUE Fabric Manager IP | Cluster ID | FlowMap Alias | Response Action |
---|---|---|---|---|
TestRule01 | 10.10.10.10 | 10.10.10.11 | Splunk_Test_FlowMap1 | drop |
TestRule02 | 10.10.10.10 | 10.10.10.11 | Splunk_Test_FlowMap2 | pass |
TestRule03 | 10.10.10.10 | 10.10.10.12 | Splunk_Test_FlowMap3 | drop |
TestRule04 | 10.10.10.10 | 10.10.10.12 | Splunk_Test_FlowMap4 | pass |
TestRule05 | 10.10.10.10 | 10.10.10.11 | Splunk_Test_FlowMap1, Splunk_Test_FlowMap2 | pass |
TestRule05 | 10.10.10.10 | 10.10.10.12 | Splunk_Test_FlowMap3, Splunk_Test_FlowMap4 | drop |
NOTE: While you can combine multiple maps into a single action, these maps must be present on the same cluster/node. To take an action on maps located on different clusters/nodes, define two different actions and combine both action identifiers in the alert action on Splunk ES. Specifying multiple action identifiers on Splunk ES is discussed in later sections.
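As an added illustration (not the app's own code), the following Python models the action table above together with the multi-identifier binding the note describes: it parses the comma-separated action identifiers a correlation search would carry, checks that every map in an action lives on that action's own cluster, reports identifiers that are no longer in the actions database, and groups the resulting map updates per Fabric Manager and cluster. The map inventory, the csv binding format and the `validate_action`/`plan_updates` helpers are assumptions for illustration.

```python
"""Resolve the action identifiers bound to a Splunk ES correlation search.

Added example modelled on the action table in this page; not the Gigamon
app's own code. The map inventory, the helper names and the csv binding
format ("TestRule01,TestRule03") are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Action:
    action_id: str          # unique identifier referenced from the correlation search
    fm_ip: str              # GigaVUE Fabric Manager that manages the node/cluster
    cluster_id: str         # the single node/cluster whose maps this action updates
    maps: Tuple[str, ...]   # byRule map aliases that receive the rule
    response: str           # "pass" or "drop"


# Constructed to mirror the illustrative table above.
ACTIONS = [
    Action("TestRule01", "10.10.10.10", "10.10.10.11", ("Splunk_Test_FlowMap1",), "drop"),
    Action("TestRule02", "10.10.10.10", "10.10.10.11", ("Splunk_Test_FlowMap2",), "pass"),
    Action("TestRule03", "10.10.10.10", "10.10.10.12", ("Splunk_Test_FlowMap3",), "drop"),
    Action("TestRule04", "10.10.10.10", "10.10.10.12", ("Splunk_Test_FlowMap4",), "pass"),
    Action("TestRule05", "10.10.10.10", "10.10.10.11",
           ("Splunk_Test_FlowMap1", "Splunk_Test_FlowMap2"), "pass"),
]

# Constructed inventory of which cluster each byRule map alias lives on
# (assumed; in a real deployment this would be read from GigaVUE-FM).
MAP_INVENTORY = {
    "Splunk_Test_FlowMap1": "10.10.10.11",
    "Splunk_Test_FlowMap2": "10.10.10.11",
    "Splunk_Test_FlowMap3": "10.10.10.12",
    "Splunk_Test_FlowMap4": "10.10.10.12",
}


def validate_action(action: Action, inventory: Dict[str, str]) -> None:
    """Enforce the NOTE above: every map of one action must sit on its cluster."""
    if action.response not in ("pass", "drop"):
        raise ValueError(f"{action.action_id}: response must be pass or drop")
    if not action.maps:
        raise ValueError(f"{action.action_id}: action binds no maps")
    for alias in action.maps:
        where = inventory.get(alias)
        if where != action.cluster_id:
            raise ValueError(
                f"{action.action_id}: map {alias} is on {where}, "
                f"not on cluster {action.cluster_id}"
            )


def parse_action_ids(csv_value: str) -> List[str]:
    """Split the csv string from the alert action, dropping blanks and repeats."""
    seen: List[str] = []
    for raw in csv_value.split(","):
        token = raw.strip()
        if token and token not in seen:
            seen.append(token)
    return seen


def plan_updates(csv_value: str, actions: List[Action], inventory: Dict[str, str]):
    """Return (updates, unknown_ids).

    updates groups (map alias, response) pairs by (fm_ip, cluster_id), so each
    GigaVUE-FM call touches exactly one cluster; unknown_ids lists identifiers
    still present in the correlation search but gone from the actions database.
    """
    by_id = {a.action_id: a for a in actions}
    updates: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    unknown: List[str] = []
    for action_id in parse_action_ids(csv_value):
        action = by_id.get(action_id)
        if action is None:
            unknown.append(action_id)
            continue
        validate_action(action, inventory)
        for alias in action.maps:
            updates[(action.fm_ip, action.cluster_id)].append((alias, action.response))
    return dict(updates), unknown


if __name__ == "__main__":
    planned, stale = plan_updates("TestRule01, TestRule03,TestRule99", ACTIONS, MAP_INVENTORY)
    for (fm, cluster), rules in planned.items():
        print(f"FM {fm} cluster {cluster}: {rules}")
    print("stale identifiers:", stale)
```

The stale-identifier list is the practical check behind the deletion note that follows: deleting an action only removes it from the actions database, so a correlation search that still names it should be caught and cleaned up rather than silently ignored.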
You can continue to add more actions by repeating the above steps or choose to view the actions configured by navigating to the View Actions tab under the Response Actions menu.
NOTE: You will need to manually clean up action identifier entries from the Splunk ES correlation searches. The delete action only removes entries from the actions database.
Gigamon Adaptive Response actions can be bound to any correlation search that leverages Gigamon's IPFIX metadata as the source. To bind the alert action on Splunk ES follow the below instructions.
For more information on setting up adaptive response actions on Splunk ES, refer to the Splunk Enterprise Security documentation.
The rules added to maps on the GigaVUE node by response actions can be made more specific by using the Action Field parameter. Below is the list of options available in the application.
Selecting the Action Field: NetFlow/IPFIX flow records are unidirectional, which means you will see two flow records for each session. To ensure the action is taken on the appropriate action field, the app uses the source and destination port numbers to identify the actual source of the request and the destination responding to it. For instance, if an alert action is triggered by a DNS response flow record and the administrator has selected destination service as the action_field, the response action flips the source and destination information and takes action on the DNS service (IP + port), even though the IPFIX record itself lists the DNS server as the source.
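The direction flip described above, as an added Python example that is not the app's own code. The page states only that source and destination port numbers are used; the specific heuristic here (the side sitting on a well-known or registered service port is the responding service, with the lower port as a tie-breaker) and the action_field names other than "destination service" are assumptions. The point it shows is that the DNS query record and the matching DNS response record both resolve to the same rule target.

```python
"""Orient unidirectional NetFlow/IPFIX records before applying an action field.

Added example, not the Gigamon app's own code. The port-based heuristic and
the action_field names are assumptions; the page names only "destination
service" and says the app uses source/destination ports to decide direction.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed set of service ports for the heuristic; the app's own list is
# not on the page.
SERVICE_PORTS = {22, 25, 53, 80, 123, 389, 443, 445, 3389, 8080}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str        # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    ip: str
    port: Optional[int]  # None when only the IP is part of the rule
    protocol: str
    action: str          # "pass" or "drop"


def _looks_like_service(port: int) -> bool:
    return port in SERVICE_PORTS or port < 1024


def orient(flow: Flow) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Return ((client_ip, client_port), (server_ip, server_port)).

    A DNS response record (53 -> ephemeral) and the matching query record
    (ephemeral -> 53) both orient to the same client/server pair, so an
    action bound to either record targets the same service.
    """
    src_service = _looks_like_service(flow.src_port)
    dst_service = _looks_like_service(flow.dst_port)
    if src_service == dst_service:
        # Both or neither side looks like a service: treat the lower port as
        # the service and keep the record order when the ports are equal.
        flipped = flow.src_port < flow.dst_port
    else:
        flipped = src_service
    src = (flow.src_ip, flow.src_port)
    dst = (flow.dst_ip, flow.dst_port)
    return (dst, src) if flipped else (src, dst)


def build_rule(flow: Flow, action_field: str, response: str) -> Rule:
    """Turn one flow record plus the configured action_field into a map rule."""
    if response not in ("pass", "drop"):
        raise ValueError(f"response must be pass or drop, got {response!r}")
    client, server = orient(flow)
    if action_field == "source_ip":
        return Rule(client[0], None, flow.protocol, response)
    if action_field == "destination_ip":
        return Rule(server[0], None, flow.protocol, response)
    if action_field == "source_service":
        return Rule(client[0], client[1], flow.protocol, response)
    if action_field == "destination_service":
        return Rule(server[0], server[1], flow.protocol, response)
    raise ValueError(f"unknown action_field {action_field!r}")


if __name__ == "__main__":
    # Constructed records: the DNS response as exported, and the matching query.
    response = Flow("10.0.0.53", 53, "10.0.0.5", 51234, "udp")
    query = Flow("10.0.0.5", 51234, "10.0.0.53", 53, "udp")
    print(build_rule(response, "destination_service", "drop"))
    print(build_rule(query, "destination_service", "drop"))
```

Whatever heuristic is used, the ambiguous case deserves attention in practice: when both ports are ephemeral the orientation is a guess, and a drop rule built from a guessed direction can land on the client side of a session instead of the service.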
In case of issues, bugs or queries, drop us a mail to apps@gigamon.com with all the details and "Gigamon Adaptive Response Application for Splunk" in the subject.
Installation and use of this app signifies acceptance of the Gigamon End User License Agreement (EULA), inclusive of any future updates.
Changes in 2.0.2
- Minor updates for Splunk Cert.

Changes in v2.0
- User-defined actions: You can now define different actions and bind them to flow-maps. Each of these can then be bound to a correlation search to trigger dynamic rule updates.
- Multi node/cluster support: You can now define actions across multiple nodes and clusters that are managed by a GigaVUE Fabric Manager.
- Automatic identification of cluster ID: The alert action dynamically identifies the cluster on which the action needs to be taken. So even if you have multiple nodes/clusters exporting IPFIX to a single Splunk instance, just add the action IDs to a search and the action is taken on the appropriate cluster.
- Flexible flow-map config: Response actions can be triggered on any regular or inline byRule map. There is no predefined template for maps.
- Multiple actions per trigger: Using csv format, bind multiple actions to a single correlation search.
- Multiple updates per action: Select and bind multiple maps to a single action identifier.

Changes made in Version 1.0.1
- [Issue] Code changes made to fix an input validation error.

Version 1.0.0 of the Gigamon Adaptive Response Application for Splunk has been verified to be working with:
- Splunk Enterprise 6.6
- Splunk Enterprise Security 4.7.1
The current version is being released as a TECH PREVIEW and several functionalities are still under development. Gigamon cannot guarantee the stability of features under development. Please be aware that the current documentation may be incomplete and that some of the features presented are subject to change. This release has been made to enable you to test functionality and provide feedback.