# Splunk

The Dropzone AI Platform integrates with Splunk Enterprise, a SIEM tool. Dropzone can perform analysis of Splunk-generated alerts, and/or use Splunk data as part of investigation analysis. Many customers ingest other alert sources into Splunk (e.g. IDPs) and integrate Dropzone into Splunk rather than the source systems.

Dropzone communicates to Splunk Enterprise using the [Dropzone Connector](https://gitlab.com/dropzone-ai/docs-gitbook/-/blob/main/docs.dropzone.ai/docs/overview/connector.md).

There are two ways to authenticate Dropzone AI to Splunk: creating a dedicated Splunk user or configuring an API token. To create an API token, follow the instructions in [Splunk's documentation](https://help.splunk.com/en/splunk-cloud-platform/administer/manage-users-and-security/9.3.2411/authenticate-into-the-splunk-platform-with-tokens/set-up-authentication-with-tokens).

## Create a Splunk User

To create a Splunk user, do the following:

* In the Home Menu of Splunk Enterprise, navigate to Settings > Users

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-e75b0d7b9f1cd304424866ac0c6da99984523280%2Fsplunk-api-1.png?alt=media" alt=""><figcaption><p>Navigate to Users</p></figcaption></figure>

* Click "New User"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f96bce608f7a1df92a67a9ca57bfc4daff10f869%2Fsplunk-api-2.png?alt=media" alt=""><figcaption><p>Click New User</p></figcaption></figure>

* Name the user something memorable, such as Dropzone AI, and create a password. Save them for use later in the Dropzone UI where they are called "Username" and "Password" respectively
* In the "Assign Roles" section, assign the user the "User" role

{% hint style="info" %}
You may need to add [capabilities](https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/Rolesandcapabilities) to this role depending on the level of access you want Dropzone to have. If you would like to limit the indexes Dropzone has access to, you will need to create a custom role with inherited permissions from the user role. See the Splunk [documentation](https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/Addandeditroles) for more information on creating custom roles.
{% endhint %}

* If two-factor authentication is enabled, provide the Duo username

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-843a8f75a0d0143df79e5315ed916af71605ca97%2Fsplunk-api-3.png?alt=media" alt=""><figcaption><p>Fill out fields for New User</p></figcaption></figure>

* Click "Create"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-94876864c11f86ffe26eb8cad84d1e5dcd8fc574%2Fsplunk-api-4.png?alt=media" alt=""><figcaption><p>Create new user</p></figcaption></figure>

## Enable Splunk

To enable the Alert Source integration, you'll need the following information:

| Dropzone Field | Source                                                                         |
| -------------- | ------------------------------------------------------------------------------ |
| Server         | The hostname or IP address of your Splunk server, e.g. splunk.corp.example.net |
| Username       | The username of the Splunk user you created earlier                            |
| Password       | The password of the Splunk user you created earlier                            |

{% hint style="info" %}
If you chose to create an API token instead of a Splunk user, you will need to use the API token instead.
{% endhint %}

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page e.g. https\://*mycompany*.dropzone.app
* In the bottom left hand corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Splunk, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-2ea0df3ff09dd848b57f611ec4072f8959b57572%2Fapp_system_integrations_available_splunk.png?alt=media" alt=""><figcaption><p>The Splunk Tile</p></figcaption></figure>

* If your Splunk integration is behind an [On-premise Dropzone Connector](https://docs.dropzone.ai/platform/settings/connector), select your connector from the dropdown
* Input your Splunk Server and port

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-fe829fd39e9e02e85f899128bf23eac8997a36d4%2Fapp_system_integrations_available_splunk_alert_config_1.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 1)</p></figcaption></figure>

* If you created a Splunk User, under "Authentication Method," select Password. If you created an API token, select Token

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-18287d3816730dedea5143224eb37009fd207cd5%2Fapp_system_integrations_available_splunk_data_config_2.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 2)</p></figcaption></figure>

* Input your authentication details

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-2afe136afd980928f909e64a4bcf4b1bcbe6846d%2Fapp_system_integrations_available_splunk_data_config_3.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 3)</p></figcaption></figure>

* To enable Splunk Enterprise Security alert polling, check the box labeled "Enabled" in the "Splunk Enterprise Security" section
* Under "ES Macro," select the version of ES you are using ('notable' for ES 8.0+ or 'mc\_incidents' for version ES 7.0 and earlier)

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1e7616626265f142def6d51f68dc68143d8a70dc%2Fapp_system_integrations_available_splunk_alert_config_2.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 4)</p></figcaption></figure>

* Under "Enabled Severities," select the severity levels you want Dropzone to investigate
* In the "Title Exclusion Patterns" section, you may exclude [notable events](https://help.splunk.com/en/splunk-enterprise-security-8/splunk-app-for-pci-compliance/installation-and-configuration-manual/6.4/configure-correlation-searches/notable-events) from investigation by title. To do so, click "Add Item," then input a Python regex that matches the titles to filter out

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-84174d409252cde85996754aea6121a01e70f068%2Fapp_system_integrations_available_splunk_alert_config_3.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 5)</p></figcaption></figure>
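The following is an added example, not Dropzone's own code, showing how the "Enabled Severities" and "Title Exclusion Patterns" settings interact on a constructed set of notable events. It assumes substring matching (`re.search`) and case-insensitive patterns; the event record shape and field names are also assumptions for illustration. Dry-running a pattern like this before pasting it into the UI catches both invalid regexes and patterns that exclude more than intended.

```python
import re

# Constructed sample of Splunk ES notable events as they might be polled.
# The dict shape is an assumption for this example, not Dropzone's format.
SAMPLE_NOTABLES = [
    {"rule_title": "Brute Force Access Behavior Detected", "urgency": "high"},
    {"rule_title": "Test - Brute Force Access Behavior Detected", "urgency": "high"},
    {"rule_title": "Excessive Failed Logins", "urgency": "low"},
    {"rule_title": "Endpoint Uncleaned Malware Detection", "urgency": "critical"},
    {"rule_title": "Contest Winner Phishing Lure", "urgency": "medium"},
]


def pattern_is_valid(pattern):
    """True if the pattern compiles as a Python regex, False on re.error."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def select_for_investigation(notables, enabled_severities, exclusion_patterns):
    """Keep notables whose urgency is an enabled severity and whose title
    matches none of the exclusion regexes (substring, case-insensitive)."""
    enabled = {s.lower() for s in enabled_severities}
    excluded = [re.compile(p, re.IGNORECASE) for p in exclusion_patterns]
    kept = []
    for n in notables:
        if n["urgency"].lower() not in enabled:
            continue  # severity not enabled in the Dropzone UI
        if any(rx.search(n["rule_title"]) for rx in excluded):
            continue  # title matched an exclusion pattern
        kept.append(n)
    return kept


def titles(notables):
    return [n["rule_title"] for n in notables]


if __name__ == "__main__":
    sev = ["critical", "high", "medium"]
    # An unanchored "test" also drops "Contest Winner Phishing Lure";
    # anchoring the pattern to the start of the title avoids that.
    print(titles(select_for_investigation(SAMPLE_NOTABLES, sev, [r"test"])))
    print(titles(select_for_investigation(SAMPLE_NOTABLES, sev, [r"^Test\b"])))
```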

* In the "Ticket Sync" section, check the boxes for the comments you want included with each ticket

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-4805b179d8879b570f2a3078073e8d58d2a7ef19%2Fapp_system_integrations_available_splunk_alert_config_4.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 6)</p></figcaption></figure>

* In the "Alert Queries" section, input your desired log ingestion delay
* Under "Splunk Alert Search," you must input a Splunk [SPL](https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutthesearchlanguage) search query to identify alerts to investigate
* If you wish for Dropzone to regularly query for alerts 24 hours in the past, check the box labeled "Advanced: Enable hourly 1 day lookback"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-cffea1cb54c78c488dd501e39395c2751f8d04be%2Fapp_system_integrations_available_splunk_alert_config_5.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 7)</p></figcaption></figure>

* Input your desired log ingestion delay, poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-65f82bfc7e8056c603b7dddbcf23ace2dd638cc2%2Fapp_system_integrations_available_splunk_alert_config_6.png?alt=media" alt=""><figcaption><p>The Splunk Alert Source Configuration (pt 8)</p></figcaption></figure>

* Click "Test & Save" to finish

If you have any errors or questions, engage your Dropzone AI support representative.
