Data Theorem now supports integration with a customer's Splunk SIEM infrastructure. Data Theorem's API, Web and Cloud Secure products can send events to Splunk using Splunk's HTTP Event Collector (HEC). For more information on Splunk's HEC, see Splunk's documentation here.
The guide below will walk you through how to start receiving Data Theorem events in Splunk.
HEC must be enabled in your Splunk deployment to receive events from Data Theorem. Splunk functionality varies based on Splunk software type, so please follow the directions below for your Splunk deployment:
Click Settings > Indexes
Click New Index
Configure Your Index
Index name: Whatever you want. This example uses “dtevents”
Index Data Type: Events
Max raw data size: Use a value that makes sense for your deployment. This example uses 0
Searchable time: Use a value that makes sense for your deployment. This example uses 7
Click Settings > Data Inputs
Click HTTP Event Collector > Actions > +Add New
Name: Whatever you want
Source name override: Blank
Enable indexer acknowledgment: Must be unchecked
Source type: Automatic
App context: Search and Reporting
Select Allowed Indexes: Select the index you created earlier. This example uses “dtevents”
Confirm your settings and click Submit
Please contact Data Theorem support with your Splunk HEC Token Value to complete the integration.
# -k disables TLS certificate verification; use it only against a test
# deployment with a self-signed certificate, and drop it once HEC presents a trusted one.
curl -k "https://<your splunk server HEC URL>" \
  -H "Authorization: Splunk <your splunk token from previous step>" \
  -d '{"event": "Hello, world!", "sourcetype": "manual"}'
If the command succeeds and Splunk is configured correctly, it should print:
{"text":"Success","code":0}
Email to support@datatheorem.com the following information:
Splunk HEC URL
Splunk HEC Token Value
Name Of Integration (may contain letters, numbers, dashes, underscores, and spaces)
Data Theorem will then enable the integration, and will start sending events to your Splunk instance.
To view Data Theorem events in Splunk, run a search with index="dtevents"
To search Splunk for Data Theorem events triggered by the discovery of public S3 buckets:
event.type=API_SECURE__POLICY_VIOLATION_CREATED AND (
  event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS"
)
In the query above, the expression event.type=API_SECURE__POLICY_VIOLATION_CREATED restricts the search to events representing new policy violations. To instead search for events representing resolved (fixed) policy violations, use event.type=API_SECURE__POLICY_VIOLATION_RESOLVED, like this:
event.type=API_SECURE__POLICY_VIOLATION_RESOLVED AND (
  event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS"
  OR event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS"
)
The OR'ed expressions match the different Data Theorem policy rules for S3 bucket configuration. For more information about these policies, see the AWS S3 policy documentation. Rules can be added to or removed from the list as needed. Splunk also supports wildcards in field values, so to search for any event related to AWS S3 you could do this:
event.data.violated_policy_rule_type_name=AWS_S3*
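To make the semantics of the three searches above concrete (explicit rule list for created violations, the same list for resolved violations, and the AWS_S3* wildcard), here is an added example that applies the equivalent filters to sample events outside Splunk. It is not Data Theorem's or Splunk's code. It assumes each HEC payload carries the event as a JSON object under the "event" key, so that the Splunk field names event.type and event.data.violated_policy_rule_type_name map to event["type"] and event["data"]["violated_policy_rule_type_name"]; the sample lines, the asset_name field and the two rule names not taken from the page (HYPOTHETICAL_*) are constructed for the example.

```python
import fnmatch
import json

# Rule names exactly as listed in the page's Splunk query for public S3 buckets.
PUBLIC_S3_RULES = {
    "AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ",
    "AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE",
    "AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP",
    "AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP",
    "AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ",
    "AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE",
    "AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP",
    "AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS",
    "AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS",
}

CREATED = "API_SECURE__POLICY_VIOLATION_CREATED"
RESOLVED = "API_SECURE__POLICY_VIOLATION_RESOLVED"

# Constructed sample HEC payloads, one JSON object per line (assumed shape: event under "event").
# asset_name and the HYPOTHETICAL_* rule names are made up for this example; the last line is
# deliberately malformed to show that the parser skips it instead of failing.
SAMPLE_EVENTS = """\
{"event": {"type": "API_SECURE__POLICY_VIOLATION_CREATED", "data": {"violated_policy_rule_type_name": "AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ", "asset_name": "bucket-a"}}}
{"event": {"type": "API_SECURE__POLICY_VIOLATION_CREATED", "data": {"violated_policy_rule_type_name": "AWS_S3_HYPOTHETICAL_OTHER_RULE", "asset_name": "bucket-b"}}}
{"event": {"type": "API_SECURE__POLICY_VIOLATION_RESOLVED", "data": {"violated_policy_rule_type_name": "AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS", "asset_name": "bucket-c"}}}
{"event": {"type": "API_SECURE__POLICY_VIOLATION_CREATED", "data": {"violated_policy_rule_type_name": "HYPOTHETICAL_NON_S3_RULE", "asset_name": "db-1"}}}
this line is not JSON and must be skipped
"""


def parse_events(raw):
    """Parse newline-delimited HEC payloads, returning the inner event objects.

    Lines that are not JSON, or that lack an object under "event", are skipped.
    """
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            payload = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(payload, dict) and isinstance(payload.get("event"), dict):
            events.append(payload["event"])
    return events


def get_field(event, dotted):
    """Resolve a Splunk-style dotted field name such as event.data.x against a parsed event."""
    parts = dotted.split(".")
    if parts[0] != "event":
        return None
    node = event
    for part in parts[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def match_public_s3(events, event_type=CREATED):
    """Equivalent of the page's explicit OR-list query, for CREATED or RESOLVED events."""
    return [
        e for e in events
        if get_field(e, "event.type") == event_type
        and get_field(e, "event.data.violated_policy_rule_type_name") in PUBLIC_S3_RULES
    ]


def match_wildcard(events, pattern="AWS_S3*"):
    """Equivalent of event.data.violated_policy_rule_type_name=AWS_S3* (any event type)."""
    matched = []
    for e in events:
        name = get_field(e, "event.data.violated_policy_rule_type_name")
        if isinstance(name, str) and fnmatch.fnmatchcase(name, pattern):
            matched.append(e)
    return matched


def asset_names(events):
    """Helper for readable output: the constructed asset_name of each matched event."""
    return [get_field(e, "event.data.asset_name") for e in events]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("new public-S3 violations:     ", asset_names(match_public_s3(evs)))
    print("resolved public-S3 violations:", asset_names(match_public_s3(evs, RESOLVED)))
    print("any AWS_S3* rule:             ", asset_names(match_wildcard(evs)))
```

Note that the wildcard search is broader than the explicit list in two ways: it matches any rule whose name starts with AWS_S3, not only the public-access rules, and it does not restrict event.type, so both new and resolved violations come back. The string comparisons here are case-sensitive; inside Splunk, its own field-value matching rules apply.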