Table of contents.
Integrating with Splunk using Splunk>cloud Apps (Recommended for Splunk Cloud)
Integrating using splunk application package download (Recommended for On-prem Splunk Deployments)
1. Download the application package
2. Upload the application package to the customer’s Splunk Instance
Navigate to the Splunk home page.
Click on the settings button placed on the left side of the screen, to manage apps.
On the top right corner, click on Install app from file.
Choose a file and Click on Upload.
3. Set up the application in Splunk
5. After a successful upload, the following screen will appear.
6. Click on Set up now.
7. The following screen will appear.
8. Copy the token provided by the Cyberready frontend for Splunk integration.
a) Log into the portal and navigate to HRM > Settings > Splunk > View configurations.
b) After clicking View configurations, click on Generate Token and then the copy icon to copy the token.
9. Paste the token into the form above and press the Submit button.
10. The following screen will appear.
Integrating with Splunk by installing the app from Splunk>cloud Apps
Find the Right-Hand app in Splunk Cloud
In the Splunk console, go to Apps --> Browse More Apps, type 'Right-hand' and click the Search button.
Locate the app named "Right-hand Cybersecurity HRM App for Splunk" and click on Install after providing your Splunk login credentials.
Click on "Open the App" after it has installed successfully.
In the app configuration, click on "Continue to app setup page".
You should now be taken to this page.
Generating a token and adding it in Splunk App for setup
Generate a Splunk token from the Right-hand console using the steps below.
In the Right-hand Cybersecurity console, navigate to Human Risk Management --> Settings --> Security Vendors.
Locate Splunk.
Click on Configure, then generate and copy the token.
Paste the integration token into the Splunk Password field and click on Submit.
Once the token is added, the app should appear in the installed applications in your Splunk console.
Create an Alert and hook it to the Right-Hand Alert Action
A search query specific to the logs being integrated is required here. You might need help from the SOC team or the RH team to build this query.
NOTE: Make sure the time span is set to All time (real-time).
Press the Search button at the right corner of the search bar to verify that the desired logs appear in the search; see the example below.
On the top-right corner, click on the Save As button and then the Alert option.
The following popup will appear; fill it in with the appropriate details.
NOTE: Set Alert type to Real-time and Expires to 365 days.
Now click on the Add Actions button at the bottom. Find and select Right-Hand-Alert.
Click on the Save button.
The following screen will appear.
Click on View Alert to verify the alert settings. The following screen will appear.
NOTE: Make sure the Alert is Enabled and Actions are set to Right-Hand-Alert.
Please refer to this article for the next steps in configuring the mapping attributes.
4. Events Supported by Right-Hand via Splunk integration
Fortinet Ensilo Events
Malicious File (Fortinet Ensilo)
Right-hand considers this event when the following conditions are met in the received alerts:
rules list: Dynamic Code
action: block
Netskope Events
Malicious Website (Netskope)
Right-hand considers this event when the following conditions are met in the received alerts:
alert type: malsite
action: block
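As an added example (not code from this page or from the Right-Hand app), the following Python applies the Fortinet Ensilo and Netskope matching conditions above to the JSON payload that Splunk hands a custom alert action on stdin; the vendor, rules, alert_type and action field names, and the sample payload, are assumptions made for the example.

```python
import json

# Constructed sample of the JSON payload Splunk passes to a custom alert action
# (top-level keys follow Splunk's alert-action payload; the field names inside
# "result" are assumptions, since the page only names the conditions, not the fields).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "ensilo-blocks",
    "result": {"vendor": "ensilo", "rules": "Dynamic Code, Suspicious Script",
               "action": "Block", "user": "jdoe"},
})

# Matching rules transcribed from the page: each Right-Hand event name requires a
# vendor plus the listed field values to be present in the alert result.
RULES = [
    ("Malicious File (Fortinet Ensilo)", "ensilo", {"rules": "dynamic code", "action": "block"}),
    ("Malicious Website (Netskope)", "netskope", {"alert_type": "malsite", "action": "block"}),
]

def _values(field_value):
    """Split a possibly multi-valued field (list or comma-separated string) into lowercase tokens."""
    items = field_value if isinstance(field_value, list) else str(field_value).split(",")
    return {item.strip().lower() for item in items}

def classify(result):
    """Return the Right-Hand event name whose conditions the Splunk result row meets, else None."""
    vendor = str(result.get("vendor", "")).lower()
    for event_name, rule_vendor, conditions in RULES:
        if vendor != rule_vendor:
            continue
        # every condition value must appear among the field's values (e.g. "Dynamic Code" in a rules list)
        if all(expected in _values(result.get(field, "")) for field, expected in conditions.items()):
            return event_name
    return None

def classify_payload(payload_json):
    """Parse a Splunk alert-action payload and classify its single result row."""
    payload = json.loads(payload_json)
    return classify(payload.get("result", {}))

if __name__ == "__main__":
    print(classify_payload(SAMPLE_PAYLOAD))
```

Alerts whose action is not "block" (for example a detect-only hit) return None, which is the point of the action condition on the page: only enforced blocks become Right-Hand events.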
Crowdstrike Events
Refer to this documentation to understand the conditions used to match Crowdstrike events.
Adware File (Crowdstrike)
C2 Server Alert (Crowdstrike)
Malicious Document (Crowdstrike)
Spearphishing Attack (Crowdstrike)
Ransomware (Crowdstrike)
Suspicious Login (Crowdstrike)
Suspicious Credentials File (Crowdstrike)
Malware (Crowdstrike)
Suspicious Remote Access (Crowdstrike)
Unintended Java Download (Crowdstrike)
Unintended Malicious Download via Browser (Crowdstrike)
Unintended Malicious Download (Crowdstrike)
Accidental Tool Download (Crowdstrike)
Mimecast Events
Refer to this documentation to understand the conditions used to match these events.
Data Loss Prevention (Mimecast)
Malicious Email Attachment (Mimecast)
Impersonation Email (Mimecast)
Malicious URL in Email (Mimecast)
Credential Theft (Mimecast)
BEC Email Alert (Mimecast)
HTTP Policy Blocked Content (Island Browser)
Proofpoint Events
S. no | Detection Rule Name | Conditions
1 | Imposter Threat directed at employee |
2 | Malware sent to an employee via Email |
3 | Spam directed at employee |
4 | Phishing Email directed at an employee |
5 | Unsafe Attachments sent to an employee via email |
6 | URL redirecting to a site hosting malware sent to employee via Email |
7 | Employee clicked on a URL containing Malware sent via an email |
8 | Spam Containing Unsafe Attachment Detected by Proofpoint |
9 | Employee clicked on a URL containing Phishing Link sent via an email |
10 | Employee clicked on a URL in a spam email |
SentinelOne Events
Refer to this documentation to understand the conditions used to match these events.
Malware Found on Employee’s Device
Ransomware Found on Employee’s Device
Trojan Found on Employee’s Device
Potentially Unwanted Application Found on Employee’s Device
Adware Found on Employee’s Device
Virus Found on Employee’s Device
Cryptomining Detected on Employee’s Device
Malicious PDF Found on Employee’s Device
Malicious Office Document Found on Employee’s Device