| Table of Contents | ||
|---|---|---|
|
Data Theorem now supports integration with a customer's Splunk SIEM infrastructure. Data Theorem's API, Web and Cloud Secure products can send events to Splunk using Splunk's HTTP Event Collector (HEC). For more information on Splunk's HEC, see Splunk's documentation here.
The guide below will walk you through how to start receiving Data Theorem events in Splunk.
The following Data Theorem events are sent via the webhook integration:
When an API Secure policy violation was opened.
When an API Secure policy violation was resolved, or closed as "won't fix“.
...
Once you have configured your integration, you can find the find the Webhook Schema here
Configuring Splunk to receive events from Data Theorem
Step 1: Enabling HTTP Event Collector (HEC)
...
Step 2: Create an new index for HEC events from DT
Click Settings > Indexes
Click New Index
Configure Your Index
...
Index name: Whatever you want. This example uses “dtevents”
...
Step 3: Create an HEC Token
Click Settings > Data Inputs
Click HTTP Event Collector > Actions > +Add New
Add New HEC Token Page 1 of 4
...
| Code Block |
|---|
{"text":"Success","code":0} |
Step 5:
...
Email to support@datatheorem.com the following information:
Splunk HEC URL
Splunk HEC Token Value
Name Of Integration (may contain letters, numbers, dashes, underscores, and spaces)
...
Configure Your Splunk Integration
Navigate to Create New Integration Page on Data Theorem’s Portal
Name your Splunk Integration
...
3. Enter Splunk HEC Details
...
4. Select Events To Send To Splunk
...
Viewing Data Theorem Events In Splunk
...
Example Event Detail View
...
Example Splunk Queries
Public S3 Buckets
To search Splunk for Data Theorem events triggered by the discovery of public S3 buckets:
| Code Block |
|---|
event.type=API_SECURE__POLICY_VIOLATION_CREATED AND
(
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS" OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS"
) |
In the query above, the expression event.type=API_SECURE__POLICY_VIOLATION_CREATED restricts the search to events representing new policy violations. To instead search for events representing resolved(fixed) policy violations, use event.type=API_SECURE__POLICY_VIOLATION_RESOLVED like this:
| Code Block |
|---|
event.type=API_SECURE__POLICY_VIOLATION_RESOLVED AND
(
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP OR
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS OR
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS
) |
The OR'ed expressions match the different Data Theorem policy rules for S3 bucket configuration. For more information about these policies, see AWS S3 policy documentation. They can be added or eliminated as needed. Splunk also supports the use of wildcards for field values in queries, so to search for any event related to AWS S3, you could do this:
| Code Block |
|---|
event.data.violated_policy_rule_type_name=AWS_S3* |