Overview

Details

Have you ever wanted to graph out attack paths? Or review links in your data. The Force Directed App For Splunk helps you do this. Built on D3 this app will allow you to search any form of data that has a source and target.

Force Directed App For Splunk

This app was created to allow IT Operations administrators and the security team to visualize there networks, attack paths inside an environment, connections between objects. The limits are endless. Some of the features that are supported in this app are

Customisation to Attract and Repel Forces
Selectable Dark and White Theme
Automatic Grouping and colouring of nodes
Customisation to collision forces to avoid overlapping

Also some great references for D3 below.

https://roshansanthosh.wordpress.com/2016/09/25/forces-in-d3-js-v4/
https://github.com/d3/d3-force/blob/master/README.md
https://vega.github.io/vega/docs/transforms/force/

Installation Instructions

Download the app and unzip to $SPLUNK_HOME/etc/apps on your Search Head
Restart Splunk
Generate a search that has a 'source', 'target' and optionally a count.

Search Examples

Standard Source Destination Search

index=firewall action=allowed | stats count by src_ip, dest_ip | table src_ip, dest_ip, count
sourcetype=access_combined | stats count by src_ip,uri_path

Multi Relationship Mapping

This option allows you to add as many tiers of relationship mapping as neccessary. Ensure that the number format is in XX rather than X. For example node1 will not work, but node01 will work.
- index=firewall action=allowed | stats count by src_ip, dest_ip, dest_port | rename src_ip as node00, dest_ip as node01, dest_port as node03
- index=os | stats count by hardware, operatingsystem, asset_name | rename hardware as node00, operatingsystem as node01, asset_name as node03
- Tested up to 5 nodes.

Configuration Options

Format

Theme Color - Changes background image color
Arrows - Enables direction arrows in force directed visualization
Line Stroke Width - Changes the width of the lines connecting nodes
Link Highlight Length - This number affects how many node children are higlighted when you mouseover a node. i.e If you select '2' and hover over a node. Its connected nodes are highlighted and children of those.
Circle Radius - This will change the size in pixels of the circle
Pan/Zoom - This will enable pan/zoom. Defaults to disable and is best used with embedded reports.

Force Configuration

Attract Force Strength - Strength of Attracting forces.
Attract Distance Max - The maximum distance over which attraction force acts. If two nodes exceed distanceMax, they will not exert forces on each other.
Attract Distance Min - The minimum distance over which attraction force acts. If two nodes are close than distanceMin, the exerted forces will be as if they are distanceMin apart.
Repel Force Strength - Strength of Repelling force
Repel Distance Max - The maximum distance over which repel force acts. If two nodes exceed distanceMax, they will not exert forces on each other.
Repel Distance Min - The minimum distance over which repel force acts. If two nodes exceed distanceMax, they will not exert forces on each other.
Link Distance - The shortest distance between nodes in a link.

Collision Configuration

Collision Strength - How strict collision mechanism is
Collision Radius - The radius between a center of each node that can't be overlapped with each other
Force Collide - Superfluous setting
Collision Iterations - The number of times to

Bugs / Features

If you identify any bugs or have feature requests please either contact me via twitter @MickeyPerre or post a topic under 'Questions on Splunk Answers' :)

Known - Arrows not working in IE11. This is a bug in IE not the code. To make the code flexible to exclude and include arrows I could not make this work.

Please report any other bugs to this page. I accept pull requests.

Tested on

Mac
- Safari Version 11.0
- Chrome Version 61.0.X (Official Build) (64-bit)
- Firefox 64.0

Windows Server 2012
- Internet Explorer 11

License

This app uses D3 with the following license conditions
https://github.com/d3/d3/blob/master/LICENSE

Release Notes

Version 3.1.0

June 25, 2021

Version 3.0.3

July 1, 2020

Updated app.manifest to fix cloud issues.

Version 3.0.1

April 1, 2019

Lots of updates. Read the documentation and get excited!!

Version 2.0.0

May 25, 2018

Removed vulnerable version dependency
Added option under format to enable and disable pan/zoom
Created multi relationship force
Ability to change circle size
Configuration change to allow link size adjustments
Code improvement and re-ordering

Version 1.0.3

Nov. 1, 2017

Updated Readme and app version

30,470

Downloads

Share Subscribe

Version

Built by

Splunk Inc.

Contributors

Danny Leung
Jim Schumacher
Mickey Perre
Daniel Liu
Igor Gifrin
James Brodsky

Support

Splunk Supported Questions on Splunk Answers File a case Flag as inappropriate

App Contents: Visualizations

Compatibility

This version of the app (3.0.3) is not available for Splunk Cloud. However, version 3.1.0 of this app is available for Splunk Cloud.

This version of the app (3.0.1) is not available for Splunk Cloud. However, version 3.1.0 of this app is available for Splunk Cloud.

This version of the app (2.0.0) is not available for Splunk Cloud. However, version 3.1.0 of this app is available for Splunk Cloud.

This version of the app (1.0.3) is not available for Splunk Cloud. However, version 3.1.0 of this app is available for Splunk Cloud.

Products: Splunk Enterprise, Splunk Cloud

Products: Splunk Enterprise

Splunk Versions: 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3, 7.2