This add-on integrates Cyber Triage to allow you to collect and analyze endpoint data using Cyber Triage. It will send an agentless collection tool to the remote endpoint, retrieve volatile and file system data, and analyze it for evidence of an intrusion.
To use this integration, you need the Team version of Cyber Triage (and not the Standalone desktop version).
To configure the integration, you will need to enter:
After configuring the Cyber Triage add-on, you can start a collection by adding Cyber Triage as a “Trigger Action” for an Alert. You will need to specify the hostname or IP of the target endpoint.
If you configured Cyber Triage so that it uses your own SSL certificate instead of the default one, then change the verify server cert property in the Splunk app to True and place your PEM formatted cert into %SPLUNK_HOME%\etc\auth as cybertriage.pem.
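Before setting verify server cert to True, it is worth confirming that the file Splunk will trust is actually a PEM certificate, is within its validity window, and carries the name of the Cyber Triage server in a SAN; an expired or mis-formatted file only shows up later as failed collections. The PowerShell below is an added check and is not part of the Cyber Triage add-on or of Splunk; it assumes SPLUNK_HOME is set in the environment, and the %SPLUNK_HOME%\etc\auth\cybertriage.pem location comes from the instructions above.

```powershell
# Added example, not the add-on's own code: sanity-check the custom server
# certificate before enabling "verify server cert" in the Cyber Triage add-on.
# Assumption: SPLUNK_HOME is exported in this session (adjust $splunkHome if not).

$splunkHome = $env:SPLUNK_HOME
if (-not $splunkHome) { throw "SPLUNK_HOME is not set; cannot locate etc\auth." }

$pemPath = Join-Path $splunkHome 'etc\auth\cybertriage.pem'
if (-not (Test-Path -LiteralPath $pemPath)) { throw "Certificate not found at $pemPath" }

# Inspect the raw text: the add-on expects PEM, not DER or a PKCS#12 bundle.
$text   = Get-Content -LiteralPath $pemPath -Raw
$blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----')
if ($blocks.Count -eq 0) {
    throw "$pemPath has no '-----BEGIN CERTIFICATE-----' block; it is not a PEM certificate."
}
if ($text -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----') {
    # Only the server's public certificate belongs here; key material should never be in a trust store.
    Write-Warning "The file also contains a private key. Remove it and keep only the certificate."
}

# Parse the first certificate block so we can see exactly what Splunk will trust.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemPath)
$now  = Get-Date

[pscustomobject]@{
    Path       = $pemPath
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    CertBlocks = $blocks.Count   # >1 means a chain was pasted in; the first cert is shown above
} | Format-List

if ($cert.NotAfter -lt $now) {
    Write-Warning "Certificate expired on $($cert.NotAfter); TLS verification will fail once 'verify server cert' is True."
}
if ($cert.NotBefore -gt $now) {
    Write-Warning "Certificate is not yet valid (NotBefore $($cert.NotBefore))."
}

# Subject Alternative Name (OID 2.5.29.17): the hostname or IP the add-on connects to
# must appear here, since TLS clients match against the SAN rather than the subject CN.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    "SAN entries:`n" + $san.Format($true)
} else {
    Write-Warning "No SAN extension; add the Cyber Triage server's hostname or IP as a SAN when reissuing the certificate."
}
```

Run it in the same PowerShell session that starts Splunk (or set $splunkHome by hand); if it warns about expiry or a missing SAN, reissue the certificate before flipping verify server cert to True, otherwise every triggered collection will fail at the TLS handshake.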
You can also import your Cyber Triage results back into Splunk so that you can later do searches and correlations. You can do this with the Standard (desktop) and Team versions of Cyber Triage.
You first need to generate a JSON Report from the Cyber Triage dashboard. Next, import it into Splunk with the “Add Data” feature. Pick the JSON file and specify the Application/cybertriage source type. This will map Cyber Triage data to the following CIM data models:
If you have any problems or need an evaluation copy of Cyber Triage, then please email support@cybertriage.com.