Splunk: Using the Censys Attack Surface Management Integration
Overview
Use the Censys Attack Surface Management for Splunk integration to visualize Logbook API and Risks API data on a customizable dashboard and quickly discover changes in your attack surface.
Censys also provides reports based on Attack Surface Management data, which can be used for alerting and creating dashboards in Splunk. Workflow actions provide a seamless transition between Splunk Search and Attack Surface Management.
This page explains how to use the Splunk integration. For installation instructions, see Splunk Integration Install for Censys Attack Surface Management.
Creating alerts, reports, and dashboards
Prerequisites
This page assumes that you have already followed the instructions to install the Splunk integration for Censys Attack Surface Management.
Use reports to create alerts and dashboards
To create an alert or dashboard based on a report:
- Open Splunk then click the Reports tab at the top of the page.
- Click Open in Search next to the report you want to use.
- Optionally modify the query. When you are done, click Save As, then select one of the options in the dropdown to create an alert, add to an existing dashboard, or create a new dashboard.
- If you select Alert, you will be prompted to configure additional settings.
Use queries to create reports, alerts, and dashboards
Within Splunk, you can use a query to create a custom report, alert, or dashboard:
- From the Splunk navigation menu, click Settings > Searches, reports, and alerts.
- Locate the search you wish to use and open it.
- Optionally modify the query. When you are done, click Save As then select one of the options in the dropdown to create a report, create an alert, add to an existing dashboard, or create a new dashboard.
Working with dashboards
View the dashboards
Click the Dashboards tab at the top of the page. When you first access this page, you will see a pre-built default dashboard. Click on a card to view the query that is providing its data.
Set a default dashboard
While viewing a dashboard, click ... in the upper right corner of the page. In the dropdown that appears, click Set as Home Dashboard. This dashboard will now appear by default when you log in to Splunk.
View more information about events in the dashboard
To view more information about an event, click ... next to the asset you want to view, then click Domain, Host, Storage Asset, or Certificate in Censys ASM/Search.
Keeping the dashboard up to date
To keep the Attack Surface Management Risks dashboard up to date, enable scheduled runs of the following saved searches:
- Generate risk instances lookup
- Generate risk types lookup
- Hosts with most risks lookup
- Hosts with most risks with severities
- Hosts with most risks with types
- Web entities with most risks lookup
- Web entities with most risks with severities
- Web entities with most risks with types
Note that if you opt to not schedule the runs, you must manually run these searches each time you want to pull in the most current data while viewing the dashboard.
- From the Splunk navigation menu, click Settings > Searches, reports, and alerts.
- At the top of the page, set the Owner filter to All to ensure all searches are visible.
- For each of the saved searches listed above, follow these steps to edit the schedule:
- Locate the search you wish to modify.
- Click Edit > Edit Schedule.
- The "Edit Schedule" modal will appear.
- Check the box next to Schedule Report.
- Optionally, adjust the frequency of the schedule. By default, the report runs every hour.
- In the lower right corner, click Save.
- The searches will automatically run based on the schedule you set.
- Optionally, in the list of searches, click Run next to each of these searches to update the dashboard immediately rather than waiting for the next scheduled run.
After you complete these steps, you will get insights about your attack surface in the Attack Surface Management Risks dashboard. Click any piece of data to view more details.
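The scheduling steps above can also be applied without clicking through each search. The following script is an added example, not part of the Censys app or this page: it uses Splunk's standard REST endpoint for saved searches (POSTing is_scheduled and cron_schedule, then dispatch for an immediate run) for exactly the eight searches listed above. The management port, credentials, CA path, and the app folder name censys_asm are assumptions; check them against your installation.

```shell
#!/bin/sh
# Added example (not from the page): enable hourly scheduling on the Censys ASM
# Risks dashboard saved searches via Splunk's REST API, then run each once.
# Assumed values below (SPLUNK_URL, user/password, app folder name) are
# placeholders; override them in the environment.
set -eu

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-changeme}"
SPLUNK_APP="${SPLUNK_APP:-censys_asm}"   # assumed app folder name
CRON="${CRON:-0 * * * *}"                # hourly, the page's default frequency
# Splunk's own CA for the management port's self-signed certificate.
CACERT="${SPLUNK_HOME:-/opt/splunk}/etc/auth/cacert.pem"

# Exactly the saved searches the page lists for the Risks dashboard.
SEARCHES='Generate risk instances lookup
Generate risk types lookup
Hosts with most risks lookup
Hosts with most risks with severities
Hosts with most risks with types
Web entities with most risks lookup
Web entities with most risks with severities
Web entities with most risks with types'

# Percent-encode a name for the REST path (these names only contain spaces).
encode_name() { printf '%s' "$1" | sed 's/ /%20/g'; }

# Endpoint for one saved search in the app context.
search_endpoint() {
    printf '%s/servicesNS/nobody/%s/saved/searches/%s' \
        "$SPLUNK_URL" "$SPLUNK_APP" "$(encode_name "$1")"
}

# REST equivalent of ticking "Schedule Report" in the Edit Schedule modal.
schedule_search() {
    curl -sS --cacert "$CACERT" -u "$SPLUNK_USER:$SPLUNK_PASS" \
        --data-urlencode 'is_scheduled=1' --data-urlencode "cron_schedule=$CRON" \
        "$(search_endpoint "$1")" >/dev/null
}

# REST equivalent of clicking Run next to the search.
run_search_now() {
    curl -sS --cacert "$CACERT" -u "$SPLUNK_USER:$SPLUNK_PASS" -X POST \
        "$(search_endpoint "$1")/dispatch" >/dev/null
}

main() {
    printf '%s\n' "$SEARCHES" | while IFS= read -r name; do
        schedule_search "$name"; run_search_now "$name"; echo "done: $name"
    done
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it with `--apply` once the variables point at your Splunk management port.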
View details of searches and matching events
Click on a card to view the Splunk Search query and associated events.
On the Search page that opens, you will see the query used to obtain the card results, and a list of events organized by the specified time range.
Install and enable Splunk Event Generator (Eventgen)
Splunk Event Generator (Eventgen) is a utility that allows users to generate configurable events to simulate real-time data for testing.
Censys provides a sample eventgen.conf file along with sample events to get you started. These are imported automatically by the app, and you can view eventgen.conf in GitHub.
- While logged in to Splunk, click +Find More Apps in the lefthand sidebar.
- Use the search bar to locate the Eventgen app.
- On the Eventgen app card, click Install.
- From the Splunk navigation menu, click Settings > Data inputs then click Eventgen.
- Locate the row that includes the source type dmodinput_eventgen. Under its Status column, click Enable.
Create an index for sample events
You can create a new index for your sample events through the Splunk Web UI or the Splunk Enterprise command line.
Option 1: Create an index from the Splunk UI
- From the Splunk navigation menu, click Settings > Indexes.
- On the Indexes page, click New Index.
- For Index Name, enter demo.
- For App, select SA-Eventgen from the dropdown menu.
- Click Save.
Option 2: Create an index from Splunk Enterprise Command Line
- From the terminal (Mac or Linux), navigate to $SPLUNK_HOME/bin and enter the following command:
  ./splunk add index demo
- You may be prompted to enter your Splunk username and password.
Note: To give your index a name other than demo, edit the eventgen.conf file.
View sample Splunk events
- In the Censys Attack Surface Management app, click the Search tab at the top of the page.
- Enter the search query index=demo to see all sample events.