SIRP

SIRP SOAR Add-On for Splunk is the technical add-on (TA) developed by SIRP Labs. This add-on enables Splunk Enterprise users to push high-fidelity alerts and incidents from Splunk to SIRP SOAR, in real time.

This application should be installed on Search Head.

- Splunk version 6.3 or later
- This application should be installed on Search Head.

Standard Splunk configuration of Search Head.

- Standard Splunk configuration of Search Head.

There are three ways to install SIRP Add-on for Splunk:

- Go to Manage Apps &gt; Browse more apps &gt; Search "SIRP". 
 
 

- Locate the SIRP app then Click the "install" button to initiate the installation. 
- Once the process is completed, restart Splunk Service from Settings &gt; Server Controls &gt; Click "Restart Splunk" to finish the installation.

Download the Add-on file from <a href="https://splunkbase.splunk.com/apps" rel="nofollow noopener noreferrer" target="_blank">https://splunkbase.splunk.com/apps</a> and install it from Splunk web UI.

- Go to Manage Apps &gt; Click Install the app from file &gt; Locate and Upload the downloaded .spl file (Check the upgrade box). 
 
 
 
- Once the process is completed restart Splunk Service from Settings &gt; Server Controls &gt; Click "Restart Splunk" to finish the installation.

Download the Add-on file from <a href="https://splunkbase.splunk.com/apps" rel="nofollow noopener noreferrer" target="_blank">https://splunkbase.splunk.com/apps</a> and install it from Splunk console.

1. Download the file on your Splunk server and extract the .spl file into the $SPLUNK_HOME/etc/apps/ folder.
   $tar zxvf splunk-addon-for-SIRP.tgz $SPLUNK_HOME/etc/apps/
    
2. Restart Splunk Service 
   $/opt/splunk/bin/splunk restart
    
    

1. Install from Splunk web UI. 
 - Go to Manage Apps &gt; Browse more apps &gt; Search "SIRP". 
 
 
 
 - Locate the SIRP app then Click the "install" button to initiate the installation. 
 - Once the process is completed, restart Splunk Service from Settings &gt; Server Controls &gt; Click "Restart Splunk" to finish the installation.
 
 
 
 
2. Download the Add-on file from <a href="https://splunkbase.splunk.com/apps" rel="nofollow noopener noreferrer" target="_blank">https://splunkbase.splunk.com/apps</a> and install it from Splunk web UI. 
 - Go to Manage Apps &gt; Click Install the app from file &gt; Locate and Upload the downloaded .spl file (Check the upgrade box). 
 
 
 
 - Once the process is completed restart Splunk Service from Settings &gt; Server Controls &gt; Click "Restart Splunk" to finish the installation.
 
 
 
3. Download the Add-on file from <a href="https://splunkbase.splunk.com/apps" rel="nofollow noopener noreferrer" target="_blank">https://splunkbase.splunk.com/apps</a> and install it from Splunk console. 
 1. Download the file on your Splunk server and extract the .spl file into the $SPLUNK_HOME/etc/apps/ folder.
 $tar zxvf splunk-addon-for-SIRP.tgz $SPLUNK_HOME/etc/apps/
 
 2. Restart Splunk Service 
 $/opt/splunk/bin/splunk restart

Once installed, this add-on will add a new custom alert action named "Push Alerts to SIRP". 

Configuration of the action can be performed at the time of creating and saving a new search.

Click Search and Reporting from the top menu.

Create/write a new search query and press enter. Once satisfied with the results, save your search as an alert by clicking on the "Save As" button.

 In the configuration of the new Alert, click "Add Actions" and choose "Push Alerts to SIRP" from the dropdown. 

- Click Search and Reporting from the top menu. 
 
 
- Create/write a new search query and press enter. Once satisfied with the results, save your search as an alert by clicking on the "Save As" button.
 
 
- In the configuration of the new Alert, click "Add Actions" and choose "Push Alerts to SIRP" from the dropdown.

 Configure the Incident details to define the field mapping between SIRP and Splunk:

Payload – a comma-separated "key":"value" pairs of custom fields. e.g, {"Subject":$event.Title$, "Category":$event.Category$}

Artifacts – a comma- separated "key":"value" pairs of artifacts/IOCs e.g. {"Destination IP":$event.Message$,"Source IP": $event.Message$}

- SIRP's API Key
- SIRP's instance URL
- Subject/Title of the Alert
- Priority
- Severity
- Payload – a comma-separated "key":"value" pairs of custom fields. e.g, {"Subject":$event.Title$, "Category":$event.Category$}
- Artifacts – a comma- separated "key":"value" pairs of artifacts/IOCs e.g. {"Destination IP":$event.Message$,"Source IP": $event.Message$}

Note: $event.field-name$ is a format to define Splunk fields in the "value" against the SIRP fields which are defined as "key".

Once configured successfully, new alerts from Splunk will be pushed to and visible in SIRP's Incident Management module. 

Overview

Requirements

Recommended System Configuration

Installation

New Custom Alert Action

Custom Alert Action Configuration

How to Use Custom Alert Action: