Integrating OT & IoT Security with Splunk: An Application Case Study
At Metron, we were tasked with building a Splunk Enterprise application that could integrate with a leading OT & IoT Security App. Learn about the process here.
Recently, we were tasked with building a Splunk Enterprise application that could integrate with OT & IoT Security applications. Once completed, we also offered support in publishing the application to SplunkBase. In effect, our team managed the entire process from inception to publication and has since provided ongoing support for the OT-Splunk integration.
Background
Our team was already familiar with IoT Security Co., as we had previously built a QRadar application for IoT Security Co. In the OT Security Co. QRadar app, we developed a custom dashboard to show the alert details. For the Splunk app, on the other hand, the intent was to get the IoT alerts and asset data into the Splunk instance and map the IoT Security App-specific data to the Enterprise Security and Operational Technology data models. The mapping enables IoT data to be shown in dashboards predefined by the Splunk Enterprise Security solution. This gives an end-to-end view of an organisation's security posture.
Plotting the Integration: Getting data into Splunk
The process for getting data into Splunk that we mapped out is as follows:
1. The app in development installed configuration files that created:
   - SourceTypes
   - Field extractions
   - Event Types
2. The app could fetch 2 types of events from the OT platform:
   - Alerts
   - Assets
3. For getting Alerts into Splunk, an administrator then had to:
   - Configure a TCP/UDP listener on the Splunk instance
   - Configure a Syslog Forwarder on the OT platform
4. For getting Assets into Splunk, an administrator also then had to:
   - Configure a Splunk modular input with IoT API credentials
5. The modular input then polled the IoT server periodically via a REST API call to fetch Assets and push them to Splunk.
Note: All the data was pushed from an IoT server to Splunk. The total number of events was below 100,000.
Message formats for Alerts
The OT platform we developed the integration for had multiple formats for asset events. The integration was designed to handle all the formats.
- An installation document will be provided that will show users how to install the package.
- The app package will be submitted to Splunkbase, Splunk’s App Store.
Message format for Assets
Assets were designed to be retrieved using a REST API call to the OT server, and received in JSON format.
Major Components: Splunk Enterprise Security (ES)
Splunk Enterprise Security (ES) is a premium security solution provided by Splunk as an app and made available on Splunkbase (Splunk Enterprise Security | Splunkbase). This application integrates with Splunk ES by mapping alerts to the Splunk Common Information Model (CIM) for Alerts.
The table below shows some examples of how the alerts were mapped:
OT Platform Alert field example | Splunk CIM Alert field |
---|---|
IOT Platform | app |
Use of deprecated protocol - SMBv1 | description |
381 | id |
2 | severity |
10.33.33.18 | src |
alert | type |
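As an added illustration of the mapping in the table above (not code from the Metron app), the Python sketch below normalises one alert, arriving as either a key=value or a JSON syslog line, into the CIM Alerts field names and rejects events whose `src` is not an IP address. The vendor field names, the two line formats and the sample lines are assumptions constructed for this example; the page does not show the platform's actual formats.

```python
import ipaddress
import json
import re

# Hypothetical vendor field names (assumed, not from the page) mapped to the
# CIM Alerts fields named in the table above.
VENDOR_TO_CIM = {"product": "app", "name": "description", "alert_id": "id",
                 "risk": "severity", "ip_src": "src", "kind": "type"}

# key=value pairs whose value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_payload(line):
    """Extract vendor fields from one syslog line (JSON body or key=value)."""
    brace = line.find("{")
    if brace != -1:
        try:
            body = json.loads(line[brace:])
            if isinstance(body, dict):
                return {k: str(v) for k, v in body.items()}
        except ValueError:
            pass  # not JSON after all; fall through to key=value parsing
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in KV_RE.finditer(line)}

def to_cim_alert(line):
    """Return the CIM-named fields for one raw alert, or None if unusable."""
    vendor = parse_payload(line)
    event = {cim: vendor[src] for src, cim in VENDOR_TO_CIM.items() if src in vendor}
    if "id" not in event or "src" not in event:
        return None  # too incomplete to correlate with other sources
    try:
        event["src"] = str(ipaddress.ip_address(event["src"]))
    except ValueError:
        return None  # src must be an IP address before it is correlated on
    return event

# Constructed sample lines carrying the example values from the table.
SAMPLE_KV = ('<134>Jan 10 12:00:00 sensor1 product="IOT Platform" alert_id=381 '
             'risk=2 ip_src=10.33.33.18 kind=alert '
             'name="Use of deprecated protocol - SMBv1"')
SAMPLE_JSON = ('<134>Jan 10 12:00:00 sensor1 {"product": "IOT Platform", '
               '"alert_id": 381, "risk": 2, "ip_src": "10.33.33.18", '
               '"kind": "alert", "name": "Use of deprecated protocol - SMBv1"}')

if __name__ == "__main__":
    for raw in (SAMPLE_KV, SAMPLE_JSON):
        print(to_cim_alert(raw))
```

In a Splunk app this renaming is normally expressed as search-time field extractions and aliases in the app's configuration files; the Python form only makes the logic easy to test.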
Major Components: Splunk Operational Technology (OT)
The OT Security Add-on for Splunk helps organizations to better apply Splunk Enterprise Security, as well as improve their threat detection, incident investigation, and responses. Splunk OT required Splunk ES in order to function.
Importantly, for this project, the Splunk OT app has a data model, “OT_Asset”, that we populated using asset information from the IoT Platform. By mapping to a well-known model published by Splunk, customers are able to correlate data from multiple security tools to detect risk scores for a particular device.
The fields available in the OT_Asset data model are listed below:
Once we sampled the Asset JSON payload, we mapped the fields from the Asset JSON to the OT_Asset data model. After this mapping was completed, users were able to explore the Asset in the Splunk ES + OT app (The UI for the OT app will be within the ES app). Users can also go to Splunk → Data Models and use the pivot tool on the mapped models.
Publishing the App
The following list details
- Splunk Enterprise 8.0 and later are supported.
- Splunk Cloud 8.0 and later are supported.
- The application integrates with the Splunk Enterprise Security (ES) and Operational Technology (OT) apps.
- The application is published on SplunkBase.
- For Splunk Enterprise (on-prem), the application is available for download and installation on SplunkBase.
- For Splunk Cloud, a Splunk customer/end-user had to request Splunk Support to certify the SplunkBase application. This is a standard process for certifying apps on Splunk Cloud. Metron ensured that the application passed the Splunk AppInspect checks and provided updates requested by the Splunk Cloud certification team.
- The same application package worked for Splunk Enterprise and Splunk Cloud and we did not need to maintain two separate versions.
Project deliverables and timeline
Week | Milestones |
---|---|
1 | Splunk (ES+OT) development environment setup; Ingest Alert events into Splunk; SourceTypes; Field Extractions |
2 | Modular Input to configure IOT server and credentials; Polling for Modular Input to periodically fetch Asset information from IOT using their REST API |
3 | Polling for Modular Input to periodically fetch Asset information from IOT using their REST API; Mapping IOT Alert to Splunk Alert Common Information Model (CIM) |
4 | Mapping IOT Alert to Splunk Alert Common Information Model (CIM); Mapping IOT Asset to Splunk OT_Asset data model |
5 | Application packaging script; Splunk AppInspect checks; Internal testing; Documentation |
In addition, all code materials were published by our team to SplunkBase. All code materials and documentation were delivered to IoT after the acceptance test and are subject to the signed Assignment, Waiver and Release of IP rights.
About Metron:
Metron is a trusted provider of on-demand and effective approaches to managing third-party integrations for security ecosystems. With extensive experience in delivering automation solutions for over 200 security applications, including Splunk and other platforms, Metron has earned the trust of numerous fast-growing security companies and managed security service providers (MSSPs).
Metron’s transparent development processes, deep understanding of security products, and fixed-cost model have resulted in shorter development times and significant cost savings for clients compared to deploying internal engineering teams for similar tasks. Metron is headquartered in Novato, CA, with development offices in Bangalore and Pune, India.
Connect with Metron at connect@metronlabs.com.