The Cisco Secure Malware Analytics Add-On for Splunk leverages the Secure Malware Analytics API to enrich events within Splunk. This occurs by pulling the user's organizational submission data into Splunk making it searchable via timestamps, threat score, user associated with sample submission, and many other options.
Installation from Store:

- Log in to your Splunk instance.
- On the top left of the home screen, click the "Manage" button.
- On the top right, click the "Browse more apps" button.
- Search for "Cisco Secure Malware Analytics Add-on".
- Click the "Install" button on the Add-on card.
- The Add-on should appear in the Apps bar on the home screen of your Splunk instance.

Installation from the file:

- Download the Cisco Secure Malware Analytics Add-On for Splunk from Splunkbase here: https://splunkbase.splunk.com/app/4251/
- Log in to your Splunk instance.
- On the top left of the home screen, click the "App Settings" button.
- On the "Manage" page, click the "Install app from file" button on the top right.
- On the Upload app page, click the "Choose File" button and select the file in the pop-up.
- Click the "Upload" button.
- The Add-on should appear in the Apps bar on the home screen of your Splunk instance.

Configuration:

- In the Apps bar on the home screen, click the "Cisco Secure Malware Analytics" icon.
- Go to the Configuration tab.
- Click the "Add Account" button.
- Fill out the form to create an Account that will be used for Input creation:
  - Account name - Enter a title for the account.
  - Host - Enter the host of your Cisco Secure Malware Analytics instance.
  - API Key - Enter the API Key from your Cisco Secure Malware Analytics instance.
- If needed, add Proxy settings.
- Go to the Inputs tab.
- Click the "Create New Input" button.
- Fill out the form to create an Input:
  - Name - Enter a name for the input.
  - Interval - Enter the time interval in seconds between API queries. It is recommended to leave the default value.
  - Index - Choose the index in which events will be created.
  - After - Enter the lookback period for the query. It is recommended to leave the default value.
  - Global Account - Choose the account you would like to use for the new input.
- Go to the Search tab to search for events.

Note: To search for events you can add the sourcetype="cisco:sma:data" or source="cisco_secure_malware_analytics_input://<name_of_the_input>" expressions to the search.