icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Gigamon End User License Agreement

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Gigamon Adaptive Response Application for Splunk
SHA256 checksum (gigamon-adaptive-response-application-for-splunk_202.tgz) f4d42f45d522738dc688008d928ec76e43497b2c55f7369e3fe438b55981d00a SHA256 checksum (gigamon-adaptive-response-application-for-splunk_101.tgz) 23c4578819137f5025a69310d5e049197e617e78f1ae4afad4fac8497b25bfbb
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Gigamon Adaptive Response Application for Splunk

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
Gigamon Adaptive Response Application for Splunk provides Splunk administrators with Alert Actions to be taken on Gigamon Visibility nodes via GigaVUE® Fabric Manager (GigaVUE-FM). These actions can be bound to correlation searches on Splunk Enterprise Security for automated response or executed on an ad-hoc basis with Notable events. It leverages Splunk's Adaptive Response Framework and uses RESTful API to integrate with GigaVUE-FM® to perform response actions on Gigamon Visibility nodes.

Gigamon Adaptive Response Application for Splunk

====================================================

Overview

Splunk Adaptive Response helps organizations better combat advanced attacks through a unified defense by leveraging end-to-end context and automated responses to events. Advanced cyber adversaries are continuously leveraging new attack methods that span multiple domains, launching devastating attacks that often leave enterprises vulnerable. Despite advancements in security technologies, most solutions are not designed to work together out-of-the-box, making it challenging to coordinate a response. By leveraging adaptive security architecture, the Adaptive Response framework in Splunk Enterprise Security Suite provides end-to-end context and automated response across many of the world’s leading security technologies – enabling customers to quickly detect threats and execute response.

Gigamon Adaptive Response Application for Splunk provides Splunk administrators with Alert Actions to be taken on Gigamon Visibility nodes via GigaVUE® Fabric Manager (GigaVUE-FM). These actions can be bound to correlation searches on Splunk Enterprise Security for automated response or executed on an ad-hoc basis with Notable events. It leverages Splunk's Adaptive Response Framework and uses RESTful API to integrate with GigaVUE-FM® to perform response actions on Gigamon Visibility nodes.

Requirement

  • Splunk Enterprise version 6.5 or later
  • Splunk Enterprise Security (ES) Suite
  • CIM version 4.8 or higher
  • GigaVUE Visibility Node running GigaVUE OS 5.0 or later
  • GigaVUE Fabric Manager (GigaVUE-FM) 5.0 or later

Operational Flow

The overall onboarding and provisioning process includes several steps. This guide assumes that the customer has already a functional installation of Splunk Enterprise Security Suite (Splunk ES). The steps to follow are:

  1. Download and install the Gigamon Adaptive Response Application for Splunk
  2. Configure the Gigamon Adaptive Response Application for Splunk
  3. Bind Gigamon Adaptive Response actions to searches in Splunk ES

The next sections will guide you through each step.

Download and install the Gigamon Adaptive Response Application for Splunk

Prior to installing the Gigamon Adaptive Response Application for Splunk, ensure that both Splunk Enterprise and Enterprise Security Suite are installed and configured properly. Also, verify the data ingestion method either Splunk Stream or other chosen method is configured properly and ensure data is being indexed on Splunk.

It is highly recommended that you remove the previous version of the app before installing the current version. You may refer to Splunk docs to remove an app.

Download and install the Gigamon Adaptive Response Application for Splunk from Splunkbase. Refer to the below guides for installing the app on a single server or distributed installation.

To download and install the app, you will need an active Splunk account. When you click on Install on Splunkbase, a login splash screen will request you to enter the Splunk account credentials and ask you to accept the Splunk terms to proceed. A restart of Splunk service would be required post installation of the application.

Configure the Gigamon Adaptive Response Application for Splunk

Upon successful completion of installation, the Gigamon Adaptive Response Application for Splunk icon should be visible on the Splunk main page. Click on the icon to access the app. Since this is the first time we’re launching it, an App configuration page opens. Click on the "Continue to app setup page" and you should be presented with the Gigamon's End User License Agreement (EULA). Read the terms and acknowledge by checking the box in bottom of the page. By clicking Save you agree to be bound by EULA terms.

Upon acceptance of EULA, you would be navigated to the Action Setup page of Gigamon Adaptive Response Application. First time users need to to save the GigaVUE-FM® credentials for alert actions in the GigaVUE Fabric Manager Credentials section under Configuration tab. You may optionally check on Verbose to enable debug message logging. Click on Save to continue. This step needs to be repeated ONLY when the GigaVUE-FM® credentials are updated. Before proceeding ensure the GigaVUE-FM® instance is reachable from the Splunk instance.

Defining Alert Actions

The Adaptive Response Application allows the Splunk administrators to place a PASS or a DROP rule in an existing byRule map. An action in the context of this application defines a set of maps present on a single node/cluster that would be updated with a single pass or drop rule. Each action is identified by a unique action identifier which would be tied up to the correlation searches in Splunk ES. Below are few actions for illustration purposes.

Action Identifier GigaVUE Fabric Manager IP Cluster ID FlowMap Alias Response Action
TestRule01 10.10.10.10 10.10.10.11 Splunk_Test_FlowMap1 drop
TestRule02 10.10.10.10 10.10.10.11 Splunk_Test_FlowMap2 pass
TestRule03 10.10.10.10 10.10.10.12 Splunk_Test_FlowMap3 drop
TestRule04 10.10.10.10 10.10.10.12 Splunk_Test_FlowMap4 pass
TestRule05 10.10.10.10 10.10.10.11 Splunk_Test_FlowMap1Splunk_Test_FlowMap2 pass
TestRule05 10.10.10.10 10.10.10.12 Splunk_Test_FlowMap3Splunk_Test_FlowMap4 drop

NOTE: While you can club multiple maps into a single action, these maps should be present on same cluster/node. To take an action on maps located on different clusters/nodes, you may define two different actions and club both the action identifiers in the alert actions on Splunk ES. Specifying multiple action identifiers on Splunk ES will be discussed in further sections.

To define a new action,

  • Go to Setup Actions tab found under the Response Actions menu
  • In the Action Setup page, enter the GigaVUE-FM® IP address and credentials
  • Click on Submit to connect to GigaVUE-FM® and load the cluster/node list
  • From the table displaying the cluster/nodes, select the cluster by clicking on it
  • From the table displaying the maps on the selected cluster/node, select the map(s) by clicking on them
  • Enter a unique ID for the Action Identifier and select the action to be tied up from the drop-down menu
  • Click on Add Action to add an entry into the actions database

You can continue to add more actions by repeating the above steps or choose to view the actions configured by navigating to the View Actions tab under the Response Actions menu.

To view the actions,

  • Go to View Actions tab found under the Response Actions menu
  • The Current Action List section will display all the actions that have been configured

To delete an action,

  • Go to View Actions tab found under the Response Actions menu
  • Select the action you wish to delete from the Current Action List
  • Under the Delete Actions, enter the Action Identifier and click on Delete Record
  • Review the current actions list to ensure the action is successfully deleted

NOTE: You will need to manually clean up action identifier entries from the Splunk ES correlation searches. The delete action would only remove entries from the actions database.

Bind Gigamon Adaptive Response actions to searches in Splunk ES

Gigamon Adaptive Response actions can be bound to any correlation search that leverages Gigamon's IPFIX metadata as the source. To bind the alert action on Splunk ES follow the below instructions.

  • On the Splunk Enterprise Security menu bar, click Configure > Content Management
  • Click an existing correlation search, or create one by clicking Create New > Correlation Search
  • Scroll down to Adaptive Response Action, click Add New Response Action and select “Gigamon Adaptive Response Actions”
  • Enter the Action Identifier. You may specify more than one identifier by separating them with a comma
  • Select the Action Field from the drop-down list
  • Click Save to save all changes to the correlation search.

For more information on setting up adaptive response actions on Splunk ES, click here

Using the Action Field

The rules added to maps on the GigaVUE node by response actions can be made more specific by using the Action Field parameter. Below is the list of options available in the application.

  • Source IP address
    • The source IP will be picked from the Splunk event and a rule will be added to the node to drop or send a copy of the specified traffic to the desired tool
    • For instance, a client querying a malicious URL can be blocked or activity from the client can be monitored and analyzed.
  • Destination IP address
    • The destination IP will be picked from the Splunk event and a rule will be added to the node to drop or send a copy of the specified traffic to the desired tool
    • For instance, a C2 server identified can be blocked or activity from that server can be monitored and analyzed.
  • Destination service
    • The destination IP + PORT will be picked from the Splunk event and a rule will be added to the node to drop or send a copy of the specified traffic to the desired tool
    • For instance, a rogue DNS service identified can be blocked or activity from that server can be monitored and analyzed.
  • Flow/Transaction
    • Source IP + Destination IP + Destination PORT will be picked from the Splunk event and a rule will be added to the node to drop or send a copy of the specified traffic to the desired tool
    • For instance, a DNS tunneling attempt can be blocked or traffic can be sent to tool for further analysis

Selecting the Action Field NetFlow/IPFIX are unidirectional flow records which means you would see two flows for each session. To ensure actions are taken on appropriate action field, the app would use the source and destination port numbers to try and identify the actual source of the request and the destination responding back to it. For instance, if an alert action is triggered based on DNS response flow record and if the administrator has selected destination service as action_field, the response action would flip the source and destination information and take action on the DNS service (IP + Port) even though the actual IPFIX record will have DNS server information mentioned as source.

Support

In case of issues, bugs or queries, drop us a mail to apps@gigamon.com with all the details and "Gigamon Adaptive Response Application for Splunk" in the subject.

End User License Agreement

Installation and use of this app signifies acceptance of the Gigamon End User License Agreement(EULA) inclusive of any future updates.

Release Notes

Version 2.0.2
June 6, 2018

Changes in 2.0.2

Minor updates for Splunk Cert

Changes in v2.0

  • User-defined actions
    You can now define different actions and bind them to flow-maps. Each of these can then be bound to a correlation search to trigger dynamic rule updates

  • Multi node/cluster support
    You can now define actions across multiple nodes and clusters that are managed by a GigaVUE Fabric Manager

  • Automatic identification of cluster ID
    Alert action will dynamically identify the cluster on which action needs to be taken. So even if you have multiple nodes/clusters exporting IPFIX to single Splunk instance, just add the action IDs to a search and the action would be taken on appropriate cluster

  • Flexible flow-map config
    Response actions can be triggered on any regular or inline byRule map. There is no predefined template for maps

  • Multiple actions per trigger
    Using csv format bind multiple actions to a single correlation search

  • Multiple updates per action
    Select and bind multiple maps to a single action identifier
Version 1.0.1
Sept. 28, 2017

Changes made in Version 1.0.1

[Issue] Code changes made to fix input validation error
Version 1.0.0 of Gigamon Adaptive Reponse Application for Splunk has been verified to be working with

Splunk Enterprise 6.6
Splunk Enterprise Security 4.7.1
The current version is being released as a TECH PREVIEW and several functionalities are still under development. Gigamon cannot guarantee the stability of features under development. Please be aware that the current documentation may be incomplete and that some of the features presented are subject to change. This release has been made to enable you to test functionality and provide feedback.
595
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Gigamon Inc.
Support
Not Supported
Questions on Splunk Answers Flag as inappropriate App Contents: Alert Actions App Contents: Alert Actions
Compatibility
Products: Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 7.2, 7.0 Platform: Platform Independent CIM Versions: 4.x Platform: Platform Independent CIM Versions: 4.x
Licensing
Gigamon End User License Agreement
Category & Contents
Categories: IT Operations, Security, Fraud & Compliance
App Type: Add-on
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2024 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.