Description

If you're using Splunk, you have the option to integrate that with ConcealBrowse. This allows metrics and data collected by Conceal can be seamlessly transferred into Splunk. This article will guide you through setting up the Splunk portion before integrating with ConcealBrowse.

Procedure

Create an index in Splunk

1.  In your web browser navigate to the following link: https://dev.splunk.com/enterprise/tutorials/module_getstarted/useeventgen/
2. In Splunk Web on the navigation bar at the top, go to Settings > Indexes.
   
3. On the Indexes page on the top right, click the button labeled New Index.
   
4. On the New Index you will need to fill out the fields. Below are suggestions, but you can set these to whatever you'd like:
   - Index Name: Whatever you'd like your index to be called
   - Index Data Type: Events
   - Max raw data size: 10MB
   - Searchable retention (days): 30
   
5. Click the green button labeled Save.

Create HTTP Event Collector
You can also refer directly to Splunk's documentation: Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation

1. Still in your Splunk web instance, on the navigation bar at the top, go to Settings > Data Inputs.
   
2. Click + Add new displayed on right of the row HTTP Event Collector.
   
3. In the Name field, enter a name for the token. The following two fields are optional.
   
4. At the top of the screen click the green button labeled Next.
   
   
5. On the Input Settings screen on the right, you will choose the box labeled Select. Open the Select Source Type Dropdown. Then select Structured -> _json.
   
6. In the Select Allowed Indexes section in the Available Item(s) box, find and select the Index name you created in step 3. This should bring it into the Selected Item(s) box.
   
7. Click the button labeled Review in the top right. 
   
8. Review all of the details on the Review Page. If it all seems correct, click the green button labeled Submit. If not, please hit the Back button and make any necessary changes. Now your HTTP Event Collector has been created.
   

Locate and copy the API Key for Integration

1. Still in your Splunk web instance, on the navigation bar at the top, go to Settings > Data Inputs.
   
2. Click on the HTTP Event Collector link.
3. Locate your HTTP Event Collector that you just created. Copy the Token Value, this will be needed to integrate with ConcealBrowse.
   

There are two parameters you need to set in the Conceal plugin settings: HTTP Event Collector URL & API Key.

HTTP Event Collector URL is in the format <protocol>://<host>:<port>/<endpoint>

To break this down:

• <protocol> is either http or https
• <host> is the Splunk instance that runs Http Event Collector (HEC)
• <port> is the HEC port number, which is 8088 by default, but you can change in the HEC Global Settings
• <endpoint> is the HEC endpoint we want to use. In Conceal integration cases, we use the /services/collector/event endpoint for JavaScript Object Notation (JSON)-formatted events
  • A sample for Splunk Cloud with default settings might look like:
    https://<Splunk Host>.splunkcloud.com:8088/services/collector/event

To retrieve your API Key in your Splunk instance:

• Click Settings > Data Inputs.
• Click HTTP Event Collector.
• API Key is the token value displayed in that table with the corresponding HEC name

Entering Splunk data into your Conceal Dashboard

1. Navigate within a web browser to https://dashboard.conceal.io and login if necessary.
2. Click on the section labeled Integrations on the left hand menu.
   
3. Toward the top, click the SIEM / SOAR tile, locate the Splunk tile and click the button labeled Configure
   
4. This will bring up the form where you will need to enter the HTTP Event Collector URL & API Key retrieved in previous steps. Enter the HTTP Event Collector URL in the first field. For privacy purposes this has been blurred out.
5. Enter the Splunk HTTP Event Collector API Key in the second field.
6. Click to fill the checkbox for Enabled
   
7. If you are using a Splunk Cloud trial account and haven’t installed an SSL certificate, you will need to select the Splunk Cloud Trial option. It allows ConcealBrowse to connect to your Splunk instance without SSL verification, which decreases security, but can be useful for evaluating the plugin on a trial Splunk account.
8. Click the Close button and you now have Splunk integrated with ConcealBrowse! You do not have to do anything else as a user, the integration is complete and the data is automatically sent over.

Reading data in Splunk

1. In your web browser, log into your Splunk instance
2. On the landing page in the menu on the left, click Search & Reporting
   
   
3. In Search bar, enter index="conceal" where “conceal” is the index name created during setup
   
   
4. You will see in the list Events labeled Scanned URLs, dropdown the event for more information.
   

Tip:

Beside the search bar you will see the filter is automatically set to Last 24 Hours. If you'd like to see data by different filters, click the dropdown and you will different options.

If you run into issues, your firewall could be blocking certain IP addresses needed to send the data. Whitelist the following IP addresses if necessary:

18.214.63.36, 44.214.127.25, 44.209.215.8, 3.233.223.50, 34.232.55.106, 52.86.27.48, 3.216.48.116

*Never hesitate to contact your Customer Success Manager for any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.