Contrast Security App for Splunk lets you visualize the security of your running applications and provides actionable, timely application threat intelligence across your entire application portfolio. Applications instrumented with Contrast Security self-report the following about an attack: the attacker's IP address, the authenticated username, the method of attack, which applications and servers were targeted, the frequency and volume of the attack, and the level of compromise.
Objective
To install our Splunk application and set up Contrast agents to forward Protect events.
Process
1. Install Contrast Security App
- Download the packaged app from the Splunk app marketplace (Splunkbase).
- Click the Settings gear icon next to Apps.
- Click Install app from file.
(For more guidance on installing Splunk apps, see Splunk's documentation.)
2. Set up the syslog receiver
Contrast Security agents stream SIEM events as UDP syslog messages in CEF format. UDP is unacknowledged and unauthenticated: dropped datagrams are not retried, and any host that can reach the listener can send it events, so restrict the port to your application servers with a host firewall or network ACL.
- Click Settings -> Data Inputs.
- Add a new UDP listener.
- Reuse port 514 or choose a different port. Port 514 is a privileged port on Linux and macOS, so a Splunk instance running as a non-root user cannot bind it; a high port such as 8514 (the port used in the agent YAML example below) avoids this.
- Set the source type to contrast_events.
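The same UDP input can be declared in Splunk's inputs.conf instead of the UI, which is easier to version-control and to deploy across indexers or heavy forwarders. This is an added example, not a file shipped with the Contrast app; the port matches the agent YAML on this page, and the stanza goes in $SPLUNK_HOME/etc/system/local/inputs.conf or in the local/ directory of an app you manage.

```ini
# Added example (not part of the Contrast Security App): UDP syslog input
# equivalent to the "Add new UDP listener" steps above.
[udp://8514]
# Source type the Contrast app's searches and dashboards key on.
sourcetype = contrast_events
# Record the sending host by IP rather than reverse DNS, so the event's
# host field is the agent's address even when PTR records are missing.
connection_host = ip
```

Restart Splunk (or reload inputs) after editing the file, and confirm the listener is bound before pointing agents at it; a UDP send to a closed port fails silently on the agent side.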
3. Set up Contrast agents
Our Splunk integration tracks Protect events. The agent sends this data directly to the Splunk server, so the security events still reach Splunk even when the Contrast UI is unavailable.
Syslog settings can be set up in several ways within the Contrast agent.
Single server in Contrast UI
- Under the Servers tab, select any server licensed for Protect.
- Select the settings icon in the top right corner of the server's dashboard.
- Check Enable output of Protect events to syslog, then fill in the connection information and the Contrast-to-syslog severity mappings.
For all on-boarded servers in Contrast UI
You can also set default syslog settings for all servers onboarded with Contrast. These defaults apply only to servers onboarded after the change; for servers that are already onboarded, use the per-server settings described above.
- As an Administrator, go to Organizational Settings --> Servers.
With agent configuration files and settings
Syslog settings can also be controlled at the agent level via agent-specific settings.
The YAML layout is agent-specific but generally looks like the following.
agent:
  syslog:
    enable: true
    ip: splunk.acme.org
    port: 8514
    # Syslog facility number (0-23); 16-23 are local0-local7.
    facility: 12
    # Set the log level of Exploited attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_exploited: CRITICAL
    # Set the log level of Blocked attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_blocked: WARNING
    # Set the log level of Probed attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_probed: NOTICE
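The facility and severity values in the YAML above are not free-form labels: the agent folds them into the syslog PRI number that prefixes every datagram (PRI = facility * 8 + severity, per RFC 5424), and Splunk uses that number to recover the facility and severity of each event. The following is an added example, not code from Contrast Security or from the Splunk app: it computes the PRI that the YAML settings produce, and parses a syslog/CEF datagram back into facility, severity, CEF header fields and extension key/value pairs, honouring CEF's escaping of `|` in the header and `=` in extensions. The sample CEF record, its extension key names and the RFC 3164-style framing (`<PRI>timestamp host CEF:...`) are constructed for the demo and are not a statement of the exact fields a Contrast agent emits; only the `<PRI>` prefix and the `CEF:` marker matter to the parser.

```python
import re
import socket

# RFC 5424 syslog severity codes. The YAML keys severity_exploited,
# severity_blocked and severity_probed take the names on the left.
SEVERITIES = {"ALERT": 1, "CRITICAL": 2, "ERROR": 3, "WARNING": 4,
              "NOTICE": 5, "INFO": 6, "DEBUG": 7}
SEVERITY_NAMES = {0: "EMERGENCY", **{v: k for k, v in SEVERITIES.items()}}
# RFC 5424 facility codes 0-23; the YAML's facility: 12 is "ntp".
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "clock"] + [f"local{n}" for n in range(8)]

# Constructed sample record (not a real Contrast event). It deliberately
# contains an escaped pipe in the header and escaped '=' in the extension.
SAMPLE_CEF = (r"CEF:0|Contrast Security|Contrast Agent|3.0|SQLi|SQL Injection \| Exploited|9|"
              r"src=203.0.113.7 suser=alice act=EXPLOITED app=storefront "
              r"request=/search?q\=1' OR 1\=1")


def pri(facility, severity_name):
    """Syslog PRI: facility * 8 + severity (RFC 5424 section 6.2.1)."""
    return facility * 8 + SEVERITIES[severity_name]


def decode_pri(value):
    """Inverse of pri(): (facility, severity) numbers."""
    return value // 8, value % 8


def build_syslog(facility, severity_name, cef, host="app01"):
    """Assumed RFC 3164-style framing for the demo: <PRI>timestamp host payload."""
    return f"<{pri(facility, severity_name)}>Mar 10 12:00:00 {host} {cef}"


def _split_header(text, n=7):
    """Split the CEF header on unescaped '|' and return (fields, raw extension)."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < n:
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # \| and \\ are escapes in the header
            cur.append(text[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(parts) < n:
        raise ValueError("truncated CEF header")
    return parts, text[i:]


_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESC = {"n": "\n", "r": "\r"}


def _unescape(value):
    # Extension escapes: \= \\ \n \r
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """key=value pairs; values may contain spaces, so slice between key matches."""
    out, matches = {}, list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return out


def parse_cef(cef):
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(cef[4:])
    names = ["cef_version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity"]
    return dict(zip(names, fields)), _parse_extension(ext)


def parse_event(raw):
    """Decode one syslog datagram into facility, severity, CEF header and extension."""
    m = re.match(r"<(\d{1,3})>(.*)$", raw, re.S)
    if not m:
        raise ValueError("missing syslog PRI")
    facility, sev = decode_pri(int(m.group(1)))
    body = m.group(2)
    idx = body.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload")
    header, ext = parse_cef(body[idx:])
    return {"facility": facility, "facility_name": FACILITY_NAMES[facility],
            "severity": SEVERITY_NAMES[sev], "header": header, "extension": ext}


def loopback_roundtrip(facility, severity_name, cef):
    """Send one datagram to an ephemeral local UDP listener and parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0)); rx.settimeout(2)
        tx.sendto(build_syslog(facility, severity_name, cef).encode(), rx.getsockname())
        data, (src, _) = rx.recvfrom(65535)
    return src, parse_event(data.decode("utf-8", "replace"))


if __name__ == "__main__":
    print("PRI for facility 12 / CRITICAL:", pri(12, "CRITICAL"))
    print(loopback_roundtrip(12, "CRITICAL", SAMPLE_CEF))
```

With the YAML values on this page, an Exploited event arrives with PRI 98 (12 * 8 + 2), a Blocked event with 100 and a Probed event with 101; if Splunk shows different facility or severity values than you expect, check the PRI on the wire before suspecting the app's field extractions.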
For more details on agent-specific syslog configuration, see our Open Docs site. Direct links to each agent's configuration settings are below.