How to integrate Contrast with Splunk


The Contrast Security App for Splunk lets you visualize the security of your running applications and provides actionable, timely application threat intelligence across your entire application portfolio. Contrast-instrumented applications self-report each attack: the attacker's IP address, the authenticated username, the method of attack, the applications and servers targeted, the frequency and volume of attacks, and the level of compromise.

 

Objective

To install our Splunk application and set up Contrast agents to forward Protect events.

 

Process

1. Install the Contrast Security App

  • Download the packaged app from Splunkbase (the Splunk app marketplace).
  • In Splunk, click the Settings gear icon next to Apps.
  • Click Install app from file and upload the package.

(For more guidance on installing Splunk apps, see Splunk's documentation.)

2. Set up a syslog receiver

Contrast Security agents stream SIEM events to the listener as UDP syslog messages in CEF format. UDP syslog is unauthenticated and unencrypted and does not retransmit lost datagrams, so restrict the listener to the network the agent hosts sit on (firewall rules, security groups) and do not expose it to untrusted networks.

  • Click Settings -> Data Inputs.

  • Add a new UDP listener. Reuse port 514 or choose a different port; on Linux, ports below 1024 require Splunk to run as root, so a high port such as 8514 is common.

  • Set the source type to contrast_events.

3. Set up Contrast agents

Our Splunk integration tracks Protect events. The agent sends this data directly to the Splunk server rather than through the Contrast UI, so the security events keep flowing even if the Contrast UI is unavailable.

Syslog settings can be configured in several ways within the Contrast agent.

Single server in Contrast UI

  • Under the Servers tab, select any server licensed for Protect.
  • Select the settings icon in the top right corner of the server's dashboard.
  • Check Enable output of Protect events to syslog and fill in the connection information (syslog host and port) and the Contrast-to-syslog severity mappings.

For all on-boarded servers in Contrast UI

You can also set default syslog settings for all servers on-boarded with Contrast. Settings made here take effect on all newly introduced servers only; for servers that are already on-boarded, use the per-server settings described above.

  • As an Administrator, go to Organization Settings --> Servers and configure the default syslog output there.

With agent configuration files and settings

Syslog settings can also be controlled at the agent level via agent-specific settings. Values set in the agent's configuration apply to that agent regardless of the UI defaults.

The YAML file is agent-specific, but the syslog section generally looks like the following (the ip and port values are examples; point them at your Splunk UDP listener):

agent:
  syslog:
    enable: true
    ip: splunk.acme.org
    port: 8514
    facility: 12
    # Set the log level of Exploited attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_exploited: CRITICAL

    # Set the log level of Blocked attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_blocked: WARNING

    # Set the log level of Probed attacks. Value options are `ALERT`,
    # `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
    severity_probed: NOTICE
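The facility and severity_* values above determine the `<PRI>` prefix on every syslog datagram the agent emits (PRI = facility * 8 + severity, per RFC 5424), and the body is a CEF record whose header fields are pipe-delimited and whose extension is a series of key=value pairs with their own escaping rules. The following is an added example, written for this article and not Contrast's own code: it computes the PRI values the YAML above produces, builds a syslog/CEF frame for a constructed blocked-attack event, parses it back the way a Splunk field extraction must (honouring the `\|`, `\\` and `\=` escapes), and can send a test frame to the UDP listener from step 2. The sample event, its extension keys (standard CEF dictionary keys such as src, suser, request, dhost) and the product/version strings are illustrative assumptions, not Contrast's exact schema.

```python
"""Added example: syslog/CEF framing as seen by a Splunk UDP listener.

Illustrative code for this article, not Contrast's implementation. The sample
event and its CEF extension keys are constructed for the example.
"""
import re
import socket
from typing import Any, Dict

# RFC 5424 severity names -> numeric codes. The YAML keys severity_exploited,
# severity_blocked and severity_probed take these names.
SEVERITY = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}


def syslog_pri(facility: int, severity: str) -> int:
    """PRI value inside the <N> prefix of a syslog message: facility*8 + severity."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility must be 0..23, got {facility}")
    return facility * 8 + SEVERITY[severity.upper()]


def yaml_outcome_pris(facility: int, exploited: str, blocked: str, probed: str) -> Dict[str, int]:
    """The three PRI prefixes Splunk will see for the YAML's facility and severity_* settings."""
    return {"EXPLOITED": syslog_pri(facility, exploited),
            "BLOCKED": syslog_pri(facility, blocked),
            "PROBED": syslog_pri(facility, probed)}


def _esc_header(s: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, sig_id: str, name: str,
              severity: int, ext: Dict[str, str]) -> str:
    header = "|".join(_esc_header(f) for f in (vendor, product, version, sig_id, name, str(severity)))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def build_frame(facility: int, severity: str, cef: str) -> str:
    """Prefix a CEF record with the syslog PRI the agent YAML would produce."""
    return f"<{syslog_pri(facility, severity)}>{cef}"


def _split_pipes(s: str, n: int) -> list:
    """Split on the first n unescaped pipes, keeping escape sequences intact for later unescaping."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] == "|" and len(parts) < n:
            parts.append("".join(buf)); buf = []; i += 1; continue
        buf.append(s[i]); i += 1
    parts.append("".join(buf))
    return parts


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s, flags=re.S)


# key=value pairs; a value runs until the next " key=" token, so escaped '=' stays inside the value.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s[A-Za-z0-9_.]+=|$)", re.S)


def parse_frame(frame: str) -> Dict[str, Any]:
    """Parse '<PRI>CEF:0|...' back into facility, severity, header fields and extension map."""
    m = re.match(r"<(\d{1,3})>(CEF:0\|.*)", frame, re.S)
    if not m:
        raise ValueError("not a <PRI>CEF:0|... frame")
    pri, body = int(m.group(1)), m.group(2)
    fields = _split_pipes(body, 7)
    if len(fields) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    _, vendor, product, version, sig_id, name, cef_sev, extension = fields
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(extension)}
    return {"facility": pri // 8, "severity": SEVERITY_NAME[pri % 8],
            "vendor": _unescape(vendor), "product": _unescape(product),
            "version": _unescape(version), "signature_id": _unescape(sig_id),
            "name": _unescape(name), "cef_severity": int(cef_sev), "ext": ext}


def send_udp(host: str, port: int, frame: str) -> int:
    """Fire one frame at the Splunk UDP listener from step 2; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(frame.encode("utf-8"), (host, port))


# Constructed sample: a blocked SQL-injection attempt carrying the facts the article
# says agents report (attacker IP, authenticated user, application, server, outcome).
SAMPLE = build_cef("Contrast Security", "Contrast Agent Java", "3.x", "SECURITY",
                   "SQL Injection blocked", 8,
                   {"src": "203.0.113.7", "suser": "alice", "requestMethod": "GET",
                    "request": "/search?q=1' OR 1=1--", "app": "storefront",
                    "dhost": "web-01", "outcome": "BLOCKED"})


def demo(facility: int = 12) -> Dict[str, Any]:
    """Frame SAMPLE as a BLOCKED event (severity_blocked: WARNING -> PRI 12*8+4 = 100) and parse it back."""
    return parse_frame(build_frame(facility, "WARNING", SAMPLE))


if __name__ == "__main__":
    print(yaml_outcome_pris(12, "CRITICAL", "WARNING", "NOTICE"))
    print(demo())
```

With the YAML above, exploited, blocked and probed events arrive as `<98>`, `<100>` and `<101>` respectively, which is what a Splunk search on the extracted priority will key on. To exercise the listener without an agent, call `send_udp("splunk.acme.org", 8514, build_frame(12, "WARNING", SAMPLE))` and confirm the event appears under the contrast_events source type; if it does not, the firewall rules from step 2 are the first thing to check.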

For more details on agent-specific syslog configuration, see our Open Docs site. Below are direct links to each agent's configuration settings.

 
