
Installation Guide

my2ndhead edited this page Jul 17, 2015 · 8 revisions

Introduction

This topic provides technical explanations around the Risk Manager App.

Prerequisites

  • All indexers and search heads require Splunk Enterprise version 6.2 or later.

How does it work

Risk Manager works as a generic scripted alert action in Splunk, implemented by the script risk_handler.py. When an alert fires, risk_handler.py receives the results of the alert search and scans them for the risk objects that have been configured to be monitored for that particular alert search. For each risk object found, a pre-defined risk score is assigned to it and stored in a KV store collection; if the risk object already has a score, the new score is added to the existing one. Each risk scoring event is also indexed into the "risks" index.
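The flow described above, as an added illustration that is not the project's risk_handler.py: the real script talks to Splunk's REST API and KV store, whereas here a dict stands in for the KV store collection and a list for the "risks" index. The field names, scores and the shape of the risk_scoring event are assumptions made for this example; what is taken from Splunk is the scripted-alert calling convention (eight positional arguments, the saved search name in argv[4] and the path to a gzipped CSV of the results in argv[8]).

```python
"""Scoring flow of a Risk Manager style alert action (added example)."""
import csv
import gzip
import os
import tempfile
import time

# Which fields of which alert search hold risk objects, and the score per
# match. Names and scores are assumptions made for this example.
MONITORED = {
    "Brute force login": [
        {"field": "user", "object_type": "user", "score": 20},
        {"field": "src_ip", "object_type": "system", "score": 10},
    ],
}


def parse_results(path):
    """Read the gzipped CSV results file Splunk hands to an alert script."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def score_results(search_name, rows, collection, index, now=None):
    """Assign and accumulate risk scores for one fired alert.

    collection: dict (object_type, object) -> accumulated score (KV store stand-in)
    index:      list of risk_scoring events (risks index stand-in)
    Returns the number of scoring events produced.
    """
    now = int(time.time()) if now is None else now
    produced = 0
    for row in rows:
        for rule in MONITORED.get(search_name, []):
            value = (row.get(rule["field"]) or "").strip()
            if not value:
                continue  # field missing or empty: no risk object in this row
            key = (rule["object_type"], value)
            # accumulate: an existing score is increased, not replaced
            collection[key] = collection.get(key, 0) + rule["score"]
            index.append({
                "_time": now,
                "sourcetype": "risk_scoring",
                "search_name": search_name,
                "risk_object_type": rule["object_type"],
                "risk_object": value,  # kept as an opaque string, never executed
                "risk_score": rule["score"],
                "total_score": collection[key],
            })
            produced += 1
    return produced


def handle_alert(argv, collection, index):
    """Entry point mirroring Splunk's scripted-alert calling convention."""
    if len(argv) < 9:
        raise SystemExit("expected 8 arguments from Splunk, got %d" % (len(argv) - 1))
    search_name, results_path = argv[4], argv[8]
    return score_results(search_name, parse_results(results_path), collection, index)


def demo():
    """Run the flow on a constructed results file (not real alert output)."""
    rows = "user,src_ip,count\r\nalice,10.0.0.5,40\r\nalice,10.0.0.9,12\r\nbob,,7\r\n"
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(gzip.compress(rows.encode()))
    collection, index = {}, []
    argv = ["risk_handler.py", "3", "action=failure",
            "search index=auth action=failure | stats count by user src_ip",
            "Brute force login", "Saved Search [Brute force login] number of events(3)",
            "https://splunk.example/app/search/@go?sid=constructed", "", path]
    try:
        produced = handle_alert(argv, collection, index)
    finally:
        os.unlink(path)
    return produced, collection, index


if __name__ == "__main__":
    n, coll, idx = demo()
    print("%d scoring events; totals: %s" % (n, sorted(coll.items())))
```

Two points worth noticing: the second row for alice raises her total from 20 to 40 rather than overwriting it, which is the accumulation behaviour the paragraph describes, and a row with an empty src_ip yields no system risk object. Field values in the results file are event data and therefore potentially attacker-influenced (a username is whatever the client sent), so the handler treats them as opaque strings and never passes them to a shell.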

Data generated by Risk Manager

Risk Manager writes different kinds of data.

Events are written into a configurable index:

  • One metadata event per new risk scoring with sourcetype risk_scoring (around 500 bytes per scoring event)

Additionally, the alert results (contributing data) are stored in a KV store collection; its size depends on the number of results returned by the search.

The total amount of data generated by Risk Manager depends on the number of fired alerts. All event data is written to Splunk through the REST API and counts towards the license volume.

Indexes used by Risk Manager

By default, Risk Manager creates and uses an index risks. The index name used by the App can be changed during the installation setup.

Technologies used by Risk Manager

As described above, the App writes different kinds of data and uses the following Splunk framework components to provide comfortable end-user functionality.

  • App Key Value Store
    • Save and track states of incidents
    • Store incident defaults and user settings
    • Store alert results per incident
  • Splunk REST API
    • Write events to the index
    • Add/retrieve data from the App Key Value Store
    • Manage App configuration
  • Splunk JS Stack
    • Extend Splunk dashboards with workflow functionality
    • Extend and enhance Splunk visualization components (Single value, Tables, ...)
    • Provide 3rd party visualizations

Deploy and configure

In this chapter we describe how to install the Risk Manager App. Have a look at the Configuration Guide to learn how to get data into Risk Manager.

Before you install

  1. Decide if you want to use Risk Manager's default index risks or not
  2. Check if your Splunk installation provides the prerequisites

Deployment Matrix

  Component     Risk Manager   Technology Add-on for Risk Manager   (Optional:) Supporting Add-on for Hypercrypto
  Search Head   x              x                                    x
  Indexer                      x

Install the Technology Add-on for Risk Manager

The first step is to download and install the Technology Add-on for Risk Manager. The Add-on provides configuration for:

  • Index
  • Event breaking and timestamp recognition for Risk Manager events
  • Field extractions

Installation:

  1. Download the latest add-on
  2. Unpack and upload the add-on according to the Deployment Matrix
  3. IMPORTANT: Make sure the Add-on's folder name in $SPLUNK_HOME/etc/apps is TA-risk_manager (downloading apps from git and uploading them to Splunk will result in wrong folder names, e.g. TA-risk_manager-master)
  4. Configure the Add-on (see the chapter below)
  5. Restart Splunk

Configure the Add-on

If you decided not to use the default index risks, copy $SPLUNK_HOME/etc/apps/TA-risk_manager/default/indexes.conf to $SPLUNK_HOME/etc/apps/TA-risk_manager/local/indexes.conf and disable the index there (settings in local/ override default/, so the stanza below wins over the shipped one):

[risks]
homePath = $SPLUNK_DB/risks/db
coldPath = $SPLUNK_DB/risks/colddb
thawedPath = $SPLUNK_DB/risks/thaweddb
disabled = true

Indexes are defined on the indexers, so apply this change on every indexer that received the Add-on, and make sure your custom index exists there before pointing the App at it in the App settings.

Install the Risk Manager App

The Risk Manager App contains the core functionality and configurations.

  1. Download the latest App
  2. Unpack and upload the App according to the Deployment Matrix
  3. IMPORTANT: Make sure, the App folder name in $SPLUNK_HOME/etc/apps is risk_manager (Downloading Apps from git and uploading them to Splunk will result in wrong folder names)
  4. Configure the App (see the chapter below)
  5. Restart Splunk

Configure App settings

There are two ways to configure basic App settings:

  1. Through the App settings page
  2. With risk_manager.conf

We recommend using the App settings page, as it validates the configuration. To use it, restart Splunk after installing the App and open the App; the first time you open it, the settings page shows up automatically.

Notes:

  • Change the index according to your decision whether to use the default one (named risks) or your custom index. Either change it in the Risk Manager's setup page or in risk_manager.conf
  • Have a look at $SPLUNK_HOME/etc/apps/risk_manager/README/risk_manager.conf.spec for full configuration reference
  • If you configured the App with the config file, set is_configured = 1 in the [install] stanza of $SPLUNK_HOME/etc/apps/risk_manager/local/app.conf to hide the App's setup page

Link the risk_handler.py script

Note: This step is required to get Risk Manager running.

Risk Manager works as a scripted alert action, and Splunk only accepts global alert scripts from the directory $SPLUNK_HOME/bin/scripts, so we decided to link the alert script into that global scripts folder rather than copy it. Only with a symbolic link can we ensure that App updates are also applied to the alert handler script; a copy would silently go stale. If you have any idea how to improve this step, let us know!

For Linux/Unix systems:

  1. Open a command line
  2. Switch to $SPLUNK_HOME/bin/scripts
  3. Create a symlink:

ln -s ../../etc/apps/risk_manager/bin/risk_handler.py risk_handler.py

For Windows systems:

  1. Open a command prompt with administrative privileges (hit "Start", type "cmd", right-click "cmd.exe", click "Run as administrator"); mklink needs an elevated prompt
  2. Switch to $SPLUNK_HOME/bin/scripts
  3. Create a symlink:

mklink risk_handler.py ..\..\etc\apps\risk_manager\bin\risk_handler.py

After finishing this step, you're ready to configure Splunk alerts to appear in Risk Manager. Please proceed to the Configuration Guide for further instructions.

(Optional:) Install the Support Add-on for Hypercrypto

If you decide to hash and encrypt risk event data, you need to download the Support Add-on.

The Add-on provides two custom commands plus key handling for:

  • Hashing fields (such as usernames)
  • Encrypting fields using public-key encryption
  • Key password management

For detailed information, see https://github.com/my2ndhead/SA-hypercrypto. Keep in mind that a plain hash of a low-entropy value such as a username can be reversed by trying candidate values, so check the Add-on's documentation for salting or keying options before relying on hashing alone for pseudonymisation.

  1. Download the latest add-on
  2. Unpack and upload the add-on according to the Deployment Matrix
  3. IMPORTANT: Make sure, the App's folder name in $SPLUNK_HOME/etc/apps is SA-hypercrypto (Downloading apps from git and uploading them to Splunk will result in wrong folder names)
  4. Configure the Add-on (https://github.com/my2ndhead/SA-hypercrypto)
  5. Restart Splunk
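A final check for the steps above, as an added example that is not part of the Risk Manager project: it verifies the two things this guide repeatedly warns about, the App folder names under $SPLUNK_HOME/etc/apps and the risk_handler.py symlink in $SPLUNK_HOME/bin/scripts. The expected folder names and the relative symlink target are taken from this guide; the role names "search_head" and "indexer" are this example's own, following the Deployment Matrix. The demo builds a throwaway $SPLUNK_HOME in a temporary directory rather than touching a real install.

```python
"""Post-install layout check for the Risk Manager install steps (added example)."""
import os
import shutil
import tempfile

# per role, the App folders this guide requires (SA-hypercrypto is optional)
REQUIRED = {
    "search_head": ["risk_manager", "TA-risk_manager"],
    "indexer": ["TA-risk_manager"],
}
# relative target exactly as created by the ln -s / mklink step in this guide
LINK_TARGET = os.path.join("..", "..", "etc", "apps", "risk_manager", "bin", "risk_handler.py")


def verify_install(splunk_home, role):
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems = []
    apps = os.path.join(splunk_home, "etc", "apps")
    present = set(os.listdir(apps)) if os.path.isdir(apps) else set()
    for name in REQUIRED[role]:
        if name in present:
            continue
        # a git/GitHub download typically unpacks as <name>-master or <name>-<tag>
        lookalikes = sorted(p for p in present if p.lower().startswith(name.lower()))
        hint = " (found %s instead)" % ", ".join(lookalikes) if lookalikes else ""
        problems.append("missing app folder %s%s" % (name, hint))
    if role == "search_head":
        link = os.path.join(splunk_home, "bin", "scripts", "risk_handler.py")
        target = os.path.join(apps, "risk_manager", "bin", "risk_handler.py")
        if not os.path.islink(link):
            problems.append("%s is not a symlink" % link)
        elif os.path.realpath(link) != os.path.realpath(target):
            problems.append("%s points to %s, not to the App's script"
                            % (link, os.path.realpath(link)))
        elif not os.path.isfile(target):
            problems.append("symlink target %s does not exist" % target)
    return problems


def demo(role="search_head", correct=True):
    """Build a constructed $SPLUNK_HOME (not a real install) and check it."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    try:
        apps = os.path.join(home, "etc", "apps")
        # correct=False reproduces the git-download mistake from this guide
        app_dir = "risk_manager" if correct else "risk_manager-master"
        for name in (app_dir, "TA-risk_manager"):
            os.makedirs(os.path.join(apps, name, "bin"))
        open(os.path.join(apps, app_dir, "bin", "risk_handler.py"), "w").close()
        scripts = os.path.join(home, "bin", "scripts")
        os.makedirs(scripts)
        if correct:
            # same relative link the guide's ln -s command creates
            os.symlink(LINK_TARGET, os.path.join(scripts, "risk_handler.py"))
        return verify_install(home, role)
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for role, ok in (("search_head", True), ("indexer", True), ("search_head", False)):
        print(role, "correct" if ok else "wrong", "->", demo(role, ok) or "OK")
```

Run verify_install against the real $SPLUNK_HOME on each host with that host's role; an indexer only needs the Technology Add-on and no symlink, while a search head needs both Apps and a symlink that resolves to the App's own script. A symlink created with mklink on Windows is recognised by os.path.islink as well.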