At Metron, we were tasked with building a Splunk Enterprise application that could integrate with OT & IoT Security applications. Once completed, we also offered support in publishing the application to SplunkBase. In effect, our team managed the entire process from inception to publication and has since provided ongoing support for the OT-Splunk integration.
Our team was already familiar with IOT Security Co., as we had previously built a QRadar application for them. In that QRadar app we developed a custom dashboard to show alert details. For the Splunk app, by contrast, the intent was to get the IOT alert and asset data into the Splunk instance and map the IOT Security App specific data to the Enterprise Security and Operational Technology data models. The mapping enables IOT data to be shown in dashboards predefined by the Splunk Enterprise Security solution, giving an end-to-end view of an organisation's security posture.
Plotting the Integration: Getting data into Splunk
The process for getting data into Splunk that we mapped out is as follows:
- The app under development installed configuration files that created:
  - Field extractions
  - Event types
- The app could fetch two types of events from the OT platform: alerts and assets.
  - To get alerts into Splunk, an administrator then had to:
    - Configure a TCP/UDP listener on the Splunk instance
    - Configure a syslog forwarder on the OT platform
  - To get assets into Splunk, an administrator also had to:
    - Configure a Splunk modular input with IOT API credentials
    - The modular input then polled the IOT server periodically via a REST API call to fetch assets and push them to Splunk
Note: all data was pushed from an IOT server to Splunk. The total number of events was below 100,000.
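The asset path above (modular input polls the REST API on a schedule, then streams the results to Splunk) as an added example; this is not Metron's or the vendor's code. It follows the Splunk modular input streaming protocol (events wrapped in `<stream><event><data>` on stdout) without splunklib; the REST call is injected as `fetch` so it runs offline, and the asset payload shape, the `/api/assets` endpoint and the `iot:asset` sourcetype are constructed for illustration.

```python
"""Added example: the asset-polling half of a Splunk modular input with a
checkpoint so unchanged assets are not re-sent every interval.  The REST
call is injected as `fetch`; endpoint and payload shape are constructed."""
import json
from xml.sax.saxutils import escape

# Constructed sample of what one page of the (hypothetical) asset endpoint returns.
SAMPLE_ASSETS = [
    {"id": "a-1001", "name": "PLC-Line1", "ip": "10.0.5.11", "last_seen": "2024-01-02T10:00:00Z"},
    {"id": "a-1002", "name": "HMI-Line1", "ip": "10.0.5.20", "last_seen": "2024-01-02T10:05:00Z"},
]

def offline_fetch(base_url, token, page):
    """Stand-in for the real HTTP GET of <base_url>/api/assets?page=N."""
    return SAMPLE_ASSETS if page == 1 else []

def poll_assets(base_url, token, fetch=offline_fetch):
    """Page through the asset endpoint until an empty page comes back."""
    assets, page = [], 1
    while True:
        batch = fetch(base_url, token, page)
        if not batch:
            return assets
        assets.extend(batch)
        page += 1

def to_stream_xml(assets, checkpoint, sourcetype="iot:asset"):
    """Render new or changed assets as modular input stream XML.

    `checkpoint` maps asset id -> last_seen from the previous run; an asset
    whose last_seen has not moved is skipped so Splunk is not fed a duplicate
    copy of every asset on each polling interval.
    Returns (xml, updated_checkpoint, emitted_count).
    """
    parts, new_ckpt, emitted = ["<stream>"], dict(checkpoint), 0
    for asset in assets:
        if checkpoint.get(asset["id"]) == asset["last_seen"]:
            continue
        new_ckpt[asset["id"]] = asset["last_seen"]
        emitted += 1
        parts.append("<event><sourcetype>%s</sourcetype><data>%s</data></event>"
                     % (sourcetype, escape(json.dumps(asset, sort_keys=True))))
    parts.append("</stream>")
    return "".join(parts), new_ckpt, emitted

if __name__ == "__main__":
    xml, ckpt, n = to_stream_xml(poll_assets("https://iot.example", "TOKEN"), {})
    print(xml)
```

In a real input the checkpoint would be persisted under the input's checkpoint directory between runs, and `offline_fetch` replaced by an authenticated HTTP call using the credentials stored in the modular input's configuration.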
Message formats for Alerts
The OT platform we developed the integration for used multiple message formats for these events. The integration was designed to handle all of them.
- An installation document will be provided that will show users how to install the package.
- The app package will be submitted to Splunkbase, Splunk’s App Store.
The message format for Assets
Assets were retrieved using a REST API call to the OT server and received in JSON format.
Major Components: Splunk Enterprise Security (ES)
Splunk Enterprise Security (ES) is a premium security solution provided by Splunk as an app, available on Splunkbase (Splunk Enterprise Security | Splunkbase). This application integrates with Splunk ES by mapping the alerts to the Splunk Common Information Model (CIM).
The table below gives some examples of how the alerts were mapped:
Major Components: Splunk Operational Technology (OT)
The OT Security Add-on for Splunk helps organizations to better apply Splunk Enterprise Security, as well as improve their threat detection, incident investigation, and response. Splunk OT requires Splunk ES in order to function.
Importantly for this project, the Splunk OT app has a data model, "OT_Asset", that we populated using asset information from the IOT platform. By mapping to a well-known model published by Splunk, customers are able to correlate data from multiple security tools and derive risk scores for a particular device.
The fields available in the OT_Asset data model are listed below:
Once we sampled the asset JSON payload, we mapped the fields from the asset JSON to the OT_Asset data model. After this mapping was completed, users could explore the assets in the Splunk ES + OT app (the UI for the OT app lives within the ES app). Users can also go to Splunk → Data Models and use the pivot tool on the mapped models.
Publishing the App
The following list details
- Splunk Enterprise 8.0 and later are supported.
- Splunk Cloud 8.0 and later are supported.
- The application integrates with the Splunk Enterprise Security (ES) and Operational Technology (OT) apps
- The application is published on SplunkBase.
- For Splunk Enterprise (on-prem), the application is available for download and installation on SplunkBase.
- For Splunk Cloud, a Splunk customer/end-user had to request Splunk Support to certify the SplunkBase application. This is a standard process for certifying apps on Splunk Cloud. Metron ensured that the application passed the Splunk AppInspect checks and provided updates requested by the Splunk Cloud certification team.
- The same application package worked for Splunk Enterprise and Splunk Cloud, so we did not need to maintain two separate versions.
Project deliverables and timeline
In addition, all code materials were published by our team to SplunkBase. All code materials and documentation were delivered to IOT after the acceptance test and are subject to the signed Assignment, Waiver and Release of IP rights.
Considering venturing into security automation and integration? Metron has experience integrating multiple SIEM tools with primary systems, along with setting up automation components.
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to firstname.lastname@example.org.