Onboarding Guide
1. Download the application package
2. Upload the application package to the customer’s Splunk Instance
Navigate to the Splunk home page.
Click on the settings button on the left side of the screen to manage apps.
On the top right corner, click on Install app from file.
Choose the file and click on Upload.
3. Setup Application in Splunk
5. After a successful upload, the following screen will appear.
6. Click on Set up now.
7. The following screen will appear.
8. Copy the token provided by the Cyberready frontend for Splunk integration.
a) Log into the portal and navigate to HRM > Settings > Splunk > View configurations.
b) Once you click View configurations, click on Generate Token and then the copy icon to copy the token.
9. Paste the token into the form above and press the Submit button.
10. The following screen will appear.
4. Create an Alert and hook to Right-Hand Alert Action
11. A search query specific to the logs being integrated is required here. You might need help from the SOC Team or the RH Team to build this query.
NOTE: Make sure the time span is set to All time (real-time).
12. Press the Search button on the right side of the search bar to verify that the desired logs appear in the results; see the example below.
13. On the top-right corner, click on the Save As button and then the Alert option.
14. The following popup will appear; fill it in with the appropriate details.
NOTE: Set Alert type to Real-time and Expires to 365 days.
15. Now click on the Add Actions button at the bottom. Find and select Right-Hand-Alert.
16. Click on the Save button.
17. The following screen will appear.
18. Click on View Alert to verify the alert settings. The following screen will appear.
NOTE: Make sure Alert is Enabled and Actions are set to Right-Hand-Alert.
Please refer to this article for the next steps in configuring the mapping attributes.
5. Events Supported by Right Hand via Splunk integration
Fortinet Ensilo Events
Malicious File (Fortinet Ensilo)
Right Hand raises this event when the following conditions are met in the received alerts:
rules list: Dynamic Code
action: block
Netskope Events
Malicious Website (Netskope)
Right Hand raises this event when the following conditions are met in the received alerts:
alert type: malsite
action: block
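The two condition sets above are the kind of field matching Right Hand applies to each alert result. As an added illustration (not Right Hand's own code), the matcher below evaluates those conditions over constructed Splunk result rows; the field names rules_list, action and alert_type are assumed, as are the sample rows.

```python
"""Match Splunk alert results against Right Hand event conditions.

Conditions are the two vendor examples from this guide. Field names
(rules_list, action, alert_type) are assumed, not taken from the
Right Hand app, and SAMPLE_RESULTS is constructed for the demo.
"""

# (event name, {field: required value}); every condition must hold.
RULES = [
    ("Malicious File (Fortinet Ensilo)",
     {"rules_list": "Dynamic Code", "action": "block"}),
    ("Malicious Website (Netskope)",
     {"alert_type": "malsite", "action": "block"}),
]


def _values(result, field):
    """Return a result field as a list of lowercase strings.

    Splunk multivalue fields can arrive as a list, so a condition only
    needs to match one of the values. A missing field matches nothing.
    """
    raw = result.get(field)
    if raw is None:
        return []
    if not isinstance(raw, (list, tuple)):
        raw = [raw]
    return [str(v).strip().lower() for v in raw]


def classify(result):
    """Return the Right Hand event name for one result row, or None."""
    for name, conditions in RULES:
        if all(expected.lower() in _values(result, field)
               for field, expected in conditions.items()):
            return name
    return None


def classify_all(results):
    """Classify a batch of rows, dropping rows that match no rule."""
    matched = ((r.get("_raw", ""), classify(r)) for r in results)
    return [(raw, event) for raw, event in matched if event]


# Constructed sample rows shaped like the saved search output.
SAMPLE_RESULTS = [
    {"rules_list": ["Dynamic Code", "Exploit"], "action": "Block", "_raw": "ensilo-1"},
    {"alert_type": "malsite", "action": "block", "_raw": "netskope-1"},
    {"alert_type": "malsite", "action": "alert", "_raw": "netskope-2"},  # not blocked
    {"rules_list": "Dynamic Code", "_raw": "ensilo-2"},  # action missing
]

if __name__ == "__main__":
    for raw, event in classify_all(SAMPLE_RESULTS):
        print(f"{raw}: {event}")
```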
Crowdstrike Events
Refer to this documentation to understand the conditions used to match Crowdstrike events.
Adware File (Crowdstrike)
C2 Server Alert (Crowdstrike)
Malicious Document (Crowdstrike)
Spearphishing Attack (Crowdstrike)
Ransomware (Crowdstrike)
Suspicious Login (Crowdstrike)
Suspicious Credentials File (Crowdstrike)
Malware (Crowdstrike)
Suspicious Remote Access (Crowdstrike)
Unintended Java Download (Crowdstrike)
Unintended Malicious Download via Browser (Crowdstrike)
Unintended Malicious Download (Crowdstrike)
Accidental Tool Download (Crowdstrike)
Mimecast Events
Refer to this documentation to understand the conditions used to match Crowdstrike events.
Data Loss Prevention (Mimecast)
Malicious Email Attachment (Mimecast)
Impersonation Email (Mimecast)
Malicious URL in Email (Mimecast)
Credential Theft (Mimecast)
BEC Email Alert (Mimecast)
HTTP Policy Blocked Content (Island Browser)