Integrating Gigamon Technologies with Splunk Enterprise


COPYRIGHT
Copyright 2017 Gigamon. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without Gigamon's written permission.

TRADEMARK ATTRIBUTIONS
Copyright 2017 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at All other trademarks are the trademarks of their respective owners.

Deployment Guide: Gigamon and Splunk

Table of Contents
Overview
Audience
Gigamon IPFIX Metadata Application for Splunk
Requirements
Operational Flow
Installing the Gigamon IPFIX Metadata Application for Splunk
Configure the Gigamon IPFIX Metadata Application for Splunk
Extending Splunk Stream to include Gigamon elements
Configure Splunk Stream to collect Gigamon metadata
Setup the Gigamon IPFIX Metadata Application for Splunk
Gigamon Adaptive Response Application for Splunk
Adaptive Response Alert Actions
Action Fields
Key Benefits
Requirements
Operational Flow
Download and Install the Gigamon Adaptive Response Application for Splunk
Configuring the Gigamon Adaptive Response Application for Splunk
Binding Gigamon Adaptive Response actions to Splunk ES
Wire Data: Splunk Stream
Installation and Configuration
IT Operations Management: Gigamon Visibility App for Splunk
Key Benefits
Operational Ease of Use
Reduced Mean Time to Resolution (MTTR)
Requirements
Installing the Gigamon Visibility App for Splunk
Configuring the Gigamon Visibility App for Splunk
Summary

This document describes the various ways to integrate Gigamon's GigaSECURE Security Delivery Platform with Splunk Enterprise. Depending on the information you want to index within the Splunk platform and the functionality you want to enable, there are a number of integration approaches you may wish to adopt. This document describes the options and how to deploy each one.

Today's Security Operations Center (SOC) depends heavily on the ability to collect, correlate and analyze network events to quickly identify and respond to security threats, but getting access to the right traffic data from across the network, and without overloading the system, can be a challenge.

Splunk Enterprise Security is a Security Information and Event Management (SIEM) solution that provides insight into machine data generated from a wide variety of sources. Of course, to fully utilize the power of this platform, users need to be able to ensure that the right data from across their network is available and can be easily indexed within the Splunk platform. This is where the GigaSECURE Security Delivery Platform and Gigamon integrated applications for the Splunk solution come in:

- Integrate metadata generated by the GigaSECURE Security Delivery Platform using the Gigamon IPFIX Metadata Application for Splunk.
- Automate threat hunting and remediation tasks across Splunk Enterprise Security, the Gigamon platform and other supported third-party security tools by leveraging the Splunk Adaptive Response framework with the Gigamon Adaptive Response Application for Splunk.
- Integrate aggregated wire data delivered from the GigaSECURE Security Delivery Platform using Splunk Stream.
- Integrate the workflow for IT Operations Management personnel using the Gigamon Visibility Application for Splunk.

Figure 1: Methods of integrating Gigamon GigaSECURE Security Delivery Platform with Splunk Enterprise

This guide is intended for users who have a basic understanding of Splunk. This document expects users to be familiar with Splunk administration and the installation of additional Splunk components, and to have administrative permissions to restart services and edit configuration files. This deployment guide covers installation and configuration of a single-instance deployment, where one Splunk Enterprise instance serves as both the search head and indexer running on Linux-based servers.

Metadata is data that provides information about other data. In a security context, this is especially useful because security appliances are looking for the "needle in the haystack"; that is, to identify the one single sequence of threat packets or flows from the entire mass of network flows. A key benefit of metadata is minimizing the amount of data that has to be searched through which, in turn, reduces the time to detect suspicious threats and anomalous behavior.

The GigaSECURE Security Delivery Platform is the ideal platform for generating this metadata because it taps the network and extracts the relevant information at high speeds with high fidelity. In doing so, there is no impact to the users, devices, applications, or network appliances. The generated metadata is packaged in IPFIX format and exported to the Splunk platform for further analysis.

The Gigamon IPFIX Metadata Application for Splunk utilizes Splunk Stream™, a wire data collection and analytics solution from Splunk. Splunk Stream passively captures packets, dynamically detects applications, parses the protocols, and sends metadata back to the Indexer. Gigamon leverages Splunk Stream as a protocol parser.

There are a few prerequisites in order to have the Gigamon IPFIX Metadata Application for Splunk installed and configured. These are:

- Splunk Enterprise version 6.5.x, 6.6.x, or 7.0.x
- Splunk Stream versions 7.0.1, 7.1.0, or
  You should install Splunk Stream before you start installing and configuring the Gigamon IPFIX app.
  NOTE: The network interface card (NIC) associated with the IPFIX metadata collection should not be in promiscuous mode. Splunk Stream is being used as a protocol decoder in this configuration only.
- CIM version 4.8
- The Gigamon IPFIX Metadata Application for Splunk version or newer
- Gigamon visibility node (such as the GigaVUE-HC1, HC2 or HC3) with a GigaSMART module and NetFlow license. Follow the instructions found in the GigaVUE-OS CLI User's Guide to configure the visibility node to export metadata. Search the guide for "NetFlow Generation" to find the right section. Metadata generation and export can also be configured from GigaVUE-FM, the management and orchestration interface. You can read more in the GigaVUE-FM User's Guide.

The operational flow of the Gigamon IPFIX Metadata Application for Splunk is as follows (Figure 2):

1. Traffic arrives into a Gigamon visibility node.
2. The visibility node is configured to consume the traffic and generate metadata information. This configuration includes records for the traffic of interest (DNS, SSL, HTTP, etc.). The visibility node is a NetFlow/metadata exporter.
3. The Splunk Enterprise instance running the Gigamon IPFIX Metadata Application for Splunk is set up as a collector, requiring its IP address and the UDP port to which the metadata will be sent.
4. The metadata, contained in IPFIX format, is sent to the Splunk server where it is extracted by rules in Splunk Stream.
5. Extracted data is then indexed according to the requirements set by the customer.
6. Presentation of the indexed data occurs either in the Search app or the Gigamon IPFIX Metadata Application for Splunk, using either the prebuilt dashboards or custom dashboards created by the customer.

Figure 2: the Gigamon IPFIX Metadata Application for Splunk operational flow

Prior to installing the Gigamon IPFIX app, you should verify that Splunk Stream is installed. If it is not, follow the directions described in the Wire Data: Splunk Stream chapter below. The installation steps below apply only to a single server deployment. For distributed deployments, please consult the README.md file included with this application.

To install the Gigamon IPFIX Metadata Application for Splunk, follow these steps:

1. Log in to the Splunk server. You should be on the main page, as shown in Figure 3.
   Figure 3: Splunk Enterprise main landing page
2. Verify Splunk Stream's version by clicking on the gear icon to the right of the Apps label.
   a. The Apps information page opens, as shown in Figure 4.
   b. The version should be 7.0.1, or
   Figure 4: verifying Splunk Stream's software version
   c. If it isn't one of the supported versions, work with your Splunk administrators to update the instance to a supported version.
3. Back on the main page, click the large + to add an application. If you can't see it, scroll down the page. See Figure 5.

   Figure 5: Adding a new Splunk application
   d. The Browse More Apps page is displayed.
   e. Search for Gigamon in the upper left search bar. You should see three applications.
   f. Select the Gigamon IPFIX Metadata Application for Splunk (as shown in Figure 6) by clicking the Install button.
   Figure 6: Adding the Gigamon IPFIX Metadata Application for Splunk, found on Splunk Base
   g. A login splash screen will ask for your Splunk login credentials to install the app.
   h. Enter your credentials and accept the terms by checking the box at the bottom.
   i. Once installed, you will need to restart the Splunk service as in Figure 7.
   Figure 7: Restart Splunk services
4. Once the service has restarted, you will need to log back in.
   a. Verify the Gigamon IPFIX Metadata Application for Splunk is installed.
   b. You should have a screen similar to the one shown in Figure 8.

   Figure 8: the Gigamon IPFIX Metadata Application for Splunk is installed and visible

Now that the Gigamon IPFIX Metadata Application for Splunk is installed, we need to configure it as well as Splunk Stream. We first start by extending Splunk Stream to listen to the appropriate IP address and UDP port and add specific Gigamon metadata elements to configuration files. To achieve that, you will modify several files.

The Gigamon and Splunk Stream integration requires precise adherence to the instructions. Failure to do so may cause Splunk Stream to not collect the Gigamon IPFIX data appropriately. The Gigamon and Splunk Stream Integration is an advanced configuration technique, designed to extend the protocol decoding abilities of Splunk Stream. As this feature relies on Splunk Stream, Splunk Stream is a requirement and must be installed on your Splunk server(s). Please see the instructions on how to install under the section titled Wire Data: Splunk Stream.

In this section, you will copy or modify several files to extend the base installation of Splunk Stream. These files reside in either the splunk_app_stream or Splunk_TA_stream directories. Some files are found in only one location while others might be found in both. One file is streamfwd.conf. This file (found at Splunk_TA_stream/local/) lets you specify system-level data capture parameters for the streamfwd binary. The other file is netflow (found at splunk_app_stream/default/streams). This file defines the different NetFlow (and metadata) elements Splunk Stream can parse.

Note that these files belong to Splunk Stream. If your organization is already using Splunk Stream to collect and analyze stream-based (wire) data, these files most likely have been modified from their original version and you should take precautionary steps before you modify or overwrite them.

The base location of the Gigamon-specific configuration files is $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library. $SPLUNK_HOME refers to the install location of Splunk (typically /opt/splunk).

1. Open a console or SSH session to the Splunk server.
2. Change directory to $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library
3. Using a text editor (vim, emacs, etc.), open the file named gigamon_streamfwd.conf
   a. In the top-most section titled [streamfwd], modify the first two lines to include your server's IP address and port. This is the IP address on the NIC receiving the Gigamon metadata.
   b. Set netflowreceiver.0.ip to the IP address on which your Splunk server listens for incoming data.
   c. Set netflowreceiver.0.port to the UDP port on which Gigamon will transport metadata to this server. Typically, IPFIX is transported on UDP
   d. Save the file.
4. Copy the file gigamon_streamfwd.conf as streamfwd.conf to 2 locations:
   a. $SPLUNK_HOME/etc/apps/splunk_app_stream/local/streamfwd.conf
   b. $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf

5. While still in $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library, copy the Splunk Stream version-specific vocabulary file to two destination directories as gigamon.xml. The files are:
   For Splunk Stream 7.0.1: gigamon_vocabulary_7.0.1.xml
   For Splunk Stream 7.1.0: gigamon_vocabulary_7.1.0.xml
   For Splunk Stream 7.1.1: gigamon_vocabulary_7.1.1.xml
   Copy the appropriate file to the directories below:
   a. $SPLUNK_HOME/etc/apps/splunk_app_stream/default/vocabularies/gigamon.xml
   b. $SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/vocabularies/gigamon.xml
6. If you installed and configured Splunk Stream specifically for the consumption and analysis of Gigamon metadata elements, you can follow the instructions in this step. If you already have Splunk Stream installed and configured to ingest and process other types of wire data, follow the instructions in step 7.
   a. Back up the file netflow, located at $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams, as netflow.bak by moving it:
      mv netflow netflow.bak
   b. Go back to $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library and replace the original netflow file with gigamon_stream.json by issuing the following command:
      cp gigamon_stream.json $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow
7. If you already have Splunk Stream installed and configured to ingest and process other types of wire data, you need to carefully follow the instructions in this step. Here you will edit the existing Splunk Stream elements file ($SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow) and add to it all the Gigamon custom stream decoder elements. This step is extremely sensitive, so you should check your work before committing the changes. It is recommended to back up the original file before you edit it with a text editor so that you can visually inspect the changes. While still in $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library, open the file gigamon_stream.json.
   a. Look for the first Gigamon element definition. You can find it in line 920 as shown in Figure 9.
   Figure 9: the 1st Gigamon stream element as defined in the gigamon_stream.json file
   b. Each element section starts with a left curly bracket ({) and ends with a right curly bracket followed by a comma (},).

   c. Copy all the Gigamon elements from line 919 to the end of the file in line 1345, leaving out the last section (starting with the right square bracket followed by a comma (],)). See Figure 10 below.
   Figure 10: the last Gigamon stream element (line 1339) as defined in the gigamon_stream.json file
   d. Change directory to $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams.
   e. Open the file named netflow and scroll down to the end of the file. You will see a section starting with a right square bracket followed by a comma (],), as seen in Figure 11.
   Figure 11: the netflow configuration file in Splunk Stream
   f. Add a comma to the last right curly bracket (}, line 952 in Figure 11 above) before the right square bracket comma (],) and paste the copied lines from step c above.
8. GigaSMART occasionally sends data elements encoded in ASN.1 to Stream. To avoid excessive license usage, apply the following fix in the props.conf configuration.
   a. On the system indexing the Stream data (typically where splunk_app_stream is installed), edit the $SPLUNK_HOME/etc/apps/splunk_app_stream/local/props.conf file.
   b. For the stanza [stream:netflow], add this line of configuration. If the stanza doesn't exist, create it.
      SEDCMD-remove_nulls_gigamon = s/\\u0000//g
   c. This SEDCMD will remove any data that cannot be decoded correctly.
9. Restart Splunk manually and watch for any errors.
   a. Execute $SPLUNK_HOME/bin/splunk restart
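The hand merge in step 7, as an added example that is not part of the original guide or of the Gigamon application: a Python script that appends the Gigamon elements missing from an existing netflow file, keeps a one-time netflow.bak copy, and writes nothing unless both files parse as JSON. It assumes the element list is the top-level "fields" array and that each element carries a unique "term" value; neither is stated in the guide, and the sample data is constructed.

```python
"""Merge Gigamon stream elements into an existing Splunk Stream netflow file."""
import json
import shutil
import tempfile
from pathlib import Path

# Assumptions (not stated in the guide): the element list is the top-level
# "fields" array, and each element has a unique "term" value.
FIELDS_KEY = "fields"
ID_KEY = "term"


def _elements(definition, label):
    """Return the element list of a stream definition after checking its shape."""
    elements = definition.get(FIELDS_KEY) if isinstance(definition, dict) else None
    if not isinstance(elements, list):
        raise ValueError(f"{label}: no '{FIELDS_KEY}' array found")
    for element in elements:
        if not isinstance(element, dict) or ID_KEY not in element:
            raise ValueError(f"{label}: element without '{ID_KEY}': {element!r}")
    return elements


def merge_stream_fields(existing, gigamon):
    """Append elements found only in `gigamon` to a copy of `existing`.

    Elements already present keep their local settings, and every key outside
    the element array (the section after "],") is taken from `existing`.
    Returns (merged_definition, ids_of_added_elements).
    """
    current = _elements(existing, "existing netflow")
    seen = {element[ID_KEY] for element in current}
    merged_fields = list(current)
    added = []
    for element in _elements(gigamon, "gigamon_stream.json"):
        if element[ID_KEY] in seen:
            continue  # already defined locally: do not duplicate or override
        merged_fields.append(element)
        seen.add(element[ID_KEY])
        added.append(element[ID_KEY])
    merged = dict(existing)
    merged[FIELDS_KEY] = merged_fields
    return merged, added


def merge_files(netflow_path, gigamon_path):
    """Merge on disk: back up once to netflow.bak, then replace the file."""
    netflow_path = Path(netflow_path)
    # json.loads raises before anything is written if either file is malformed.
    existing = json.loads(netflow_path.read_text(encoding="utf-8"))
    gigamon = json.loads(Path(gigamon_path).read_text(encoding="utf-8"))
    merged, added = merge_stream_fields(existing, gigamon)
    backup = netflow_path.with_name(netflow_path.name + ".bak")
    if not backup.exists():  # never overwrite an earlier backup
        shutil.copy2(netflow_path, backup)
    tmp = netflow_path.with_name(netflow_path.name + ".tmp")
    tmp.write_text(json.dumps(merged, indent=4) + "\n", encoding="utf-8")
    tmp.replace(netflow_path)  # swap in the complete file in one step
    return added


if __name__ == "__main__":
    # Constructed sample definitions; real files are far longer.
    local = {"id": "netflow", "fields": [
        {"term": "sample.src_ip", "enabled": True},
        {"term": "sample.bytes", "enabled": False}], "streamType": "event"}
    shipped = {"id": "netflow", "fields": [
        {"term": "sample.src_ip", "enabled": True},
        {"term": "sample.bytes", "enabled": True},
        {"term": "sample.gigamon_dns_query", "enabled": True}], "streamType": "event"}
    with tempfile.TemporaryDirectory() as workdir:
        netflow = Path(workdir, "netflow")
        netflow.write_text(json.dumps(local), encoding="utf-8")
        source = Path(workdir, "gigamon_stream.json")
        source.write_text(json.dumps(shipped), encoding="utf-8")
        print("added:", merge_files(netflow, source))
        print("backup kept:", Path(workdir, "netflow.bak").exists())
```

Run it against copies of the two files first and diff the result against netflow.bak before restarting Splunk in step 9.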

In this section, we will configure Splunk Stream to start collecting the Gigamon IPFIX metadata. You can find the complete documentation of Splunk Stream including its configuration at The instructions provided here use Splunk Stream as the basis.

1. From Splunk's main page, click on the STM Splunk Stream icon (Figure 12).
2. If this is the first time you launch Splunk Stream, a Welcome to Stream splash screen pops up. You can skip it for now, or take the tour and come back to step 3.
   Figure 12: Selecting the Splunk Stream (SMT) app
3. On the main Setup Stream page, make sure only the first box is checked, as seen in Figure 13, and click the Let's get started button. You may encounter an issue with permissions of Splunk Stream during installation or configuration. If you encounter an error during the setup of the new data stream, please see the Splunk Stream Installation and Configuration Manual for your Splunk Stream version and look for a section titled Set Splunk_TA_stream permissions.
   Figure 13: Splunk Stream - Setup Stream page
4. You are now in the Analytics Overview page. From the Splunk Stream navigation bar, select Configuration > Configure Streams (Figure 14).

   Figure 14: Splunk Stream - Analytics Overview page
   NOTE: There are many metadata streams. The default is 52 metadata streams, and no packet or ephemeral streams. If your organization uses Splunk Stream for reasons other than consuming Gigamon metadata information, you should consult your Splunk or Security teams.
5. You are presented with the Configure Stream page (Figure 15). Notice that some streams are enabled, some set to estimate and others disabled. If Splunk Stream is used only to ingest and report on Gigamon metadata elements, disable all the streams.
   Figure 15: Configure Streams page
   a. Check the box to the left of Name (Figure 16, 1 below).
   b. Click on the Disable option (Figure 16, 2 below).

   Figure 16: Disabling all streams
   c. A confirmation page will pop up. Click on Yes.
   d. You have disabled all streams (Figure 17) and are ready to create a new one.
   Figure 17: All streams are disabled
6. Still in the Configure Streams page, click the green New Stream button on the top right, and select Metadata Stream (Figure 18).

   Figure 18: Selecting the New Stream - Metadata Stream option
   a. The New Metadata Stream page opens, and you are on the Basic Info section (Figure 19).
   Figure 19: New Metadata Stream configuration page, Basic Info
   b. Click on the Protocol button and select Netflow as in Figure 19.
   c. Give it a name and description (optional) and click Next (Figure 20).
   Figure 20: Basic Info page with all configuration parameters selected
7. The Aggregation section is now visible in the New Metadata Stream page. Click Next to accept the default of No. For more information on aggregation, consult the Splunk documentation.

8. You are now in the Fields section of the New Metadata Stream. You can enable or disable the different elements as needed; however, for this document we will just enable all. Click Next once verified. For more information, consult the Splunk documentation.
9. Click Next in the Filters section. For more information, consult the Splunk documentation. The filters will help you limit the amount of data collected, reducing the license requirements.
10. In the Settings section, you will choose which index will hold the metadata information digested. You can select any index shown in the Index drop down. If you need to create a new index file, please consult the documentation.
    Figure 21: Selecting the index to store Gigamon metadata
    a. In this guide, we will select a previously created index named gigamon_metadata. Set the Status to Enabled. See Figure 22 below.
    Figure 22: New Metadata Stream Settings, index selected and enabled
    b. Click Next.
11. You are now in the Groups section. We are not using groups in this guide so you can just click the green Create Stream button.
12. Click the green Done button.
13. You are now on the Configure Metadata Stream page for your newly created stream, as in Figure 23.

    Figure 23: creation of new metadata stream is complete
14. If you go back to the Configure Streams page, as in Figure 15 above, after a few minutes, you will see that the spark chart displays traffic flow from decoding the incoming metadata traffic. Figure 24 depicts all streams disabled with the exception of the newly created Gigamon_IPFIX_Metadata, and the spark chart to its right shows the rate of incoming traffic.

If your spark chart is showing activity (as seen in Figure 24 below), you have successfully configured Splunk Stream with a new NetFlow stream and have it ingesting and decoding the Gigamon metadata. Remember that you should have a Gigamon visibility node transmitting IPFIX flow summaries to Splunk to see the traffic ingested.

Figure 24: Newly created metadata stream shows traffic is received and ingested

Now that Splunk Stream is configured and ingesting the Gigamon metadata, we need to complete the setup of the Gigamon IPFIX Metadata Application for Splunk.

1. In Splunk's main page (Figure 8 above), select the Gigamon IPFIX Metadata Application for Splunk. Since this is the first time we're launching it, an App configuration page opens. Click on Continue to app setup page as in Figure 25.
   Figure 25: When accessing the Gigamon IPFIX app for first time, users are presented this page
2. The Application Configuration page is loaded, shown in Figure 26.
   a. In the Base Event Type box, enter the name of the index where the Gigamon metadata is kept. Change index=main to your index name.
   Figure 26: Updating the Base Event Type field to the proper index file name
   b. Click on the green Update Eventtype button to accept your changes.
   c. Click on the Save button at the bottom of the page.
3. Start using the Gigamon IPFIX Metadata Application for Splunk by selecting the IPFIX Overview tab as in Figure 27.

   Figure 27: The Gigamon IPFIX Metadata Application for Splunk main dashboard

Metadata information can be used to find diverse types of activities in one's network. Splunk is extremely adept at displaying indexed data in different ways. You can always create new queries and have them visualized as shown in Figure 28 and Figure 29.

Figure 28: Custom DNS dashboard using Gigamon's metadata elements

Figure 29: Custom HTTP return code dashboard using Gigamon's metadata elements

In fact, given that the standard operating procedures of each security operations center are unique, one is better off creating the unique dashboards that apply to their practices. The power of the application is in exhibiting the different elements generated by Gigamon's metadata engine and providing guidance in creating searches and queries.

Splunk Adaptive Response helps organizations better combat advanced attacks through a unified defense by leveraging end-to-end context and automated responses to events. Advanced cyber adversaries are continuously leveraging new attack methods that span multiple domains, launching devastating attacks that often leave enterprises vulnerable. Despite advancements in security technologies, most solutions are not designed to work together out-of-the-box, making it challenging to coordinate a response. By leveraging adaptive security architecture, the Adaptive Response framework in Splunk Enterprise Security Suite provides end-to-end context and automated response across many of the world's leading security technologies, enabling customers to quickly detect threats and execute a response.

The Gigamon Adaptive Response Application for Splunk provides Splunk Enterprise administrators with Alert Actions applied on Gigamon Visibility Nodes via GigaVUE Fabric Manager (GigaVUE-FM). These actions are bound to correlation searches on Splunk Enterprise Security Suite for automated response or executed ad-hoc when Notable events are found.

The Gigamon Adaptive Response Application currently supports three actions:

1. Drop traffic: This action adds a single drop rule on the GigaVUE visibility node which drops traffic based on the action field selected (see below). This action is typically used when the GigaVUE visibility node is placed inline in the network and can act as a policy enforcer.
2. Monitor traffic: This action adds a rule to an existing flow map on the GigaVUE visibility node to send a copy of the traffic in question to an out-of-band tool. This action is typically used when the administrator wants to sandbox the anomalous traffic for further analysis. These tools can be honeypots, detonation chambers, packet recorders and many more.
3. Send an alert: This action sends a mail alert to a predefined user when an anomaly is detected. This action is typically used to notify a system administrator when anomalies are identified using Splunk's ES correlation searches executed on traffic exported by Gigamon.

Rules added to GigaVUE visibility nodes by the DROP and MONITOR actions can be further controlled using the Action Field parameter. Below is the list of options available in the application.

1. Source IP address: The source IP will be taken from the Splunk event and a rule will be added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, a client querying a malicious URL can be blocked or activity from the client can be monitored and analyzed.
2. Destination IP address: The destination IP will be taken from the Splunk event and a rule will be added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, an identified C2 server can be blocked or activity from that server can be sent to a tool to be monitored and analyzed.

3. Destination service: The destination IP and L4 port are taken from the Splunk event and a rule is added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, a rogue DNS server identified can be blocked or activity from that server can be monitored and analyzed.
4. Transaction: Source IP, Destination IP and destination L4 port are selected from the Splunk event and a rule is added to the visibility node to drop or send a copy of the specified traffic to the desired tool. For instance, a DNS tunneling attempt can be blocked or traffic can be sent to a tool for further analysis.

Leveraging Splunk's AR framework, one can create automated, preconfigured actions within the Splunk platform or external applications such as GigaVUE-FM. These actions can be automatically triggered by correlating search results or manually run on an ad hoc basis from the Incident Review dashboard. You can also create one or more correlation searches designed to alert on the results of a custom response action and trigger another action. In this way, you can create logical chains of actions that evaluate the results of one action and dynamically react with additional actions or recommendations. The integration relies on Splunk's Common Action Model and Python scripting.

There are a few prerequisites in order to have the Gigamon AR app installed and configured. These are:

- Splunk Enterprise version 6.5.x or 6.6.x
- Splunk Enterprise Security (ES) Suite
- Gigamon GigaVUE-FM
- CIM version 4.8
- Any Gigamon visibility nodes

Splunk Stream is the recommended method for data ingestion. One can choose other methods to ingest data, but must ensure that the src_ip, dest_ip, src_port, and dest_port fields are present in the raw data. For instance, if using Splunk's add-on for IPFIX ( you may need to create aliases for the above-mentioned fields (i.e. alias SourceIPV4Address as src_ip). The Gigamon AR app processes these four fields found in the raw data to execute any action. If these fields are not present, the scripts will not execute.

The overall onboarding and provisioning process includes several steps. This guide assumes that the customer already has a functional installation of Splunk Enterprise Security Suite (Splunk ES). The steps to follow are:

1. Download and install the Gigamon Adaptive Response Application for Splunk.
2. Configure the Gigamon Adaptive Response Application for Splunk.
3. Bind Gigamon Adaptive Response actions to Splunk ES.
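A pre-flight check for the field requirement and the Action Field options described above, as an added example that is not code from the Gigamon application: it aliases collector-specific names, reports which of the four required fields an event lacks, and derives the values a given Action Field would use, rejecting malformed addresses and ports. The option labels, the alias names other than SrcIPv4Address, and the sample events are constructed for this illustration.

```python
"""Check events before binding them to Gigamon Adaptive Response actions."""
import ipaddress

# The four field names the guide says must be present in the raw data.
REQUIRED_FIELDS = ("src_ip", "dest_ip", "src_port", "dest_port")

# Event fields read by each Action Field option, per the guide's descriptions.
# The dictionary keys are labels chosen for this example.
ACTION_FIELDS = {
    "source_ip": ("src_ip",),
    "destination_ip": ("dest_ip",),
    "destination_service": ("dest_ip", "dest_port"),
    "transaction": ("src_ip", "dest_ip", "dest_port"),
}

# Alias map for a collector that uses other names. Only SrcIPv4Address comes
# from the guide; the other three source names are constructed placeholders.
SAMPLE_ALIASES = {
    "SrcIPv4Address": "src_ip",
    "DstIPv4Address": "dest_ip",
    "SrcPort": "src_port",
    "DstPort": "dest_port",
}


def apply_aliases(event, aliases):
    """Return a copy of `event` with collector names aliased to required names."""
    out = dict(event)
    for original, required in aliases.items():
        if original in out and required not in out:
            out[required] = out[original]
    return out


def missing_fields(event):
    """List the required fields that are absent or empty in `event`."""
    return [name for name in REQUIRED_FIELDS if event.get(name) in (None, "")]


def rule_criteria(event, action_field):
    """Return the validated values an Action Field option would match on.

    Raises ValueError when a required field is missing or a value is not a
    well-formed IP address or port, so that no rule is built from bad data.
    """
    if action_field not in ACTION_FIELDS:
        raise ValueError(f"unknown action field: {action_field}")
    missing = missing_fields(event)
    if missing:
        raise ValueError("event lacks required fields: " + ", ".join(missing))
    criteria = {}
    for name in ACTION_FIELDS[action_field]:
        if name.endswith("_ip"):
            # ip_address() raises ValueError for anything that is not IPv4/IPv6.
            criteria[name] = str(ipaddress.ip_address(str(event[name]).strip()))
        else:
            port = int(event[name])
            if not 1 <= port <= 65535:
                raise ValueError(f"{name} out of range: {port}")
            criteria[name] = port
    return criteria


if __name__ == "__main__":
    # Constructed sample events using documentation address ranges.
    events = [
        {"src_ip": "192.0.2.10", "dest_ip": "198.51.100.53",
         "src_port": "51515", "dest_port": "53"},
        {"SrcIPv4Address": "192.0.2.11", "DstIPv4Address": "198.51.100.53",
         "SrcPort": "40000", "DstPort": "53"},
        {"src_ip": "192.0.2.12", "dest_ip": "not-an-address",
         "src_port": "40001", "dest_port": "53"},
    ]
    for raw in events:
        event = apply_aliases(raw, SAMPLE_ALIASES)
        try:
            print("ok     ", rule_criteria(event, "destination_service"))
        except ValueError as err:
            print("reject ", err)
```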

These next sections will guide you through each step.

Prior to installing the Gigamon Adaptive Response Application for Splunk, ensure that both Splunk Enterprise and Enterprise Security Suite are installed and configured properly. Refer to the below guides for installing the app on a single server - or a distributed installation -

Prior to installing the Gigamon AR app, you should verify that there is a data ingestion method, either Splunk Stream or some other method. To verify that Splunk Stream is installed, follow the steps outlined in the section titled Installing the Gigamon IPFIX Metadata Application for Splunk, specifically steps 1 and 2.

Note: Splunk Stream is not mandatory as the ingestion engine. However, if you are using some other stream ingestion mechanism, you should ensure that the fields src_ip, dest_ip, src_port, and dest_port are present in the record. This exact nomenclature must be followed closely, otherwise the AR actions will throw errors. For instance, if you are using the legacy Splunk Add-on for IPFIX ( you will find that src_ip is identified as SrcIPv4Address. You will need to define an alias to convert SrcIPv4Address to src_ip, as well as for the other fields.

To install the Gigamon Adaptive Response Application for Splunk, follow these steps:

1. Log in to your Splunk instance.
2. On the main page, click the large + to add an application. If you can't see it, scroll down the page. See Figure 30.
   Figure 30: Adding a new Splunk application
   a. The Browse More Apps page is displayed.
   b. Search for Gigamon in the upper left search bar. You should see three applications.
   c. Select the Gigamon Adaptive Response Application for Splunk (as shown in Figure 31) by clicking the Install button.

   Figure 31: Gigamon Adaptive Response Application for Splunk
   d. A login splash screen will ask for your Splunk login credentials to install the app.
   e. Enter your credentials and accept the terms by checking the box at the bottom.
   f. Once installed, you will need to restart the Splunk service as in Figure 32.
   Figure 32: Restart Splunk services
3. Once the service has restarted, you will need to log back in.
   a. Verify the Gigamon Adaptive Response Application for Splunk is installed.
   b. You should have a screen similar to the one shown in Figure 33 below.
   Figure 33: Gigamon Adaptive Response Application for Splunk installed

Now that the Gigamon Adaptive Response Application for Splunk is installed, we need to complete its setup. The Gigamon Adaptive Response Application for Splunk operates on a single node or cluster. In this section, we will configure the logging level of the app, connect it with GigaVUE-FM, and set up alert actions.

1. In Splunk's main page (Figure 33 above), select the Gigamon Adaptive Response Application for Splunk. Since this is the first time we're launching it, an App configuration page opens. Click on Continue to app setup page as in Figure 34 below.
   Figure 34: Gigamon AR app configuration page
2. The End User License Agreement page displays and you have to accept the terms of the EULA to continue.
   a. Scroll to the bottom of the page and check the box stating "I agree to be bound by this EULA".
   b. Click the green Save button on the right.
3. The Configuration page opens.
   a. On the Logging tab, set the desired logging level as shown in Figure 35.
   Figure 35: Gigamon Adaptive Response Application for Splunk - Configuration page, Logging tab
   b. Click the green Save button.
4. Click on the Add-on Settings tab; refer to Figure 36 below.

   Figure 36: Gigamon Adaptive Response Application for Splunk - Configuration page, Add-on Settings tab

   a. Enter the GigaVUE-FM IP address in box 1.
   b. Provide the GigaVUE-FM username in box 2 and the password in box 3. This user should have map editing privileges to the maps configured in boxes 5, 6, and 7.
   c. The maps entered in boxes 5-7 are referred to when configuring an adaptive response in Splunk ES using either built-in or user-created correlation searches. When a correlation search returns a valid match, the matched value (IP address, URL, etc.) is then used to modify the maps.
   d. Inline Network Map (box 5): this is the inline network map to which a rule will be added to drop malicious or anomalous traffic.
   e. IPFIX Map (box 6): this is the map generating the Gigamon IPFIX/Metadata data feeding Splunk or any other NetFlow collector. A drop rule is added to the map to stop specific traffic from being generated and sent to the collectors.
   f. Out-of-band Tool Map (box 7): this is the map used to pass traffic to a tool. A pass rule is added to the map, and traffic of interest is then sent to an out-of-band tool such as a sandbox, honeypot, detonation chamber, and many others.
   g. Lastly, enter the username and corresponding password to send alerts when the Alert Action is set to Send an Alert.
5. Now that the Gigamon Adaptive Response Application is installed and configured, we can bind its actions to pre-existing or new Splunk ES correlation searches.

In this section, we will take the final steps to operationalize Splunk ES with Gigamon Adaptive Response actions. Recall that the actions are either to block traffic, send traffic to a monitoring tool, or send an alert.

1. Log in to your Splunk instance.
2. Among the applications installed, you should see Enterprise Security (ES) as shown in Figure 37.

   Figure 37: Selecting Splunk Enterprise Security for further configuration of Gigamon Adaptive Response actions

3. Once in ES, select Configure > Content Management from the application menu bar (Figure 38).

   Figure 38: ES Configure - Content Management menu bar

4. You are presented with Enterprise Security's application-specific search objects such as correlation searches, key indicators, reports and more. The Gigamon Adaptive Response Application only binds to correlation searches, whether preexisting or custom/user created.

   In this guide, we will select one of the preexisting correlation searches. Figure 39 shows a small sample of existing correlation searches.
5. Select any of the correlation searches. This guide will use the Brute Force Access Behavior Detected correlation search as an example (Figure 39).

   Figure 39: ES search objects, sorted by type

6. Clicking on the correlation search will open the Edit Correlation Search page, as shown in Figure 40. The search statement is also visible.

   Figure 40: Edit Correlation Search, top of page

7. If you scroll all the way to the bottom of the page, you will see the Adaptive Response Actions section (Figure 41).

   Figure 41: Edit Correlation Search, bottom of page

8. Click on the + Add New Response Action link, and a splash window with the available actions is visible as shown in Figure 42. Select the GigaVUE FM Actions.

   Figure 42: Add New Response Action page with the Gigamon option visible

9. A new GigaVUE FM Actions page is now visible as shown in Figure 43.

   Figure 43: GigaVUE FM Actions page

10. At this point, select the desired action (Figure 44) and action field (Figure 45). Make sure to enter a valid recipient address if you have selected send an alert as your action.

   Figure 44: Gigamon AR Application action options

   Figure 45: Gigamon AR Application action field options

11. Given that the correlation search is looking for the source of both an excessive number of failed login attempts and successful ones, we will use the Source IP as the action field. We can choose to block (drop) the source's traffic if the Gigamon Visibility node is inline, send the traffic to a monitoring tool, or just send an alert notifying that the search found a match.

Splunk Stream is a scalable and easy-to-configure software solution that captures real-time streaming wire data from anywhere in a datacenter or from any public cloud infrastructure. Splunk Stream allows security and IT engineers to ingest, process, and analyze wire data (that is, packet data gathered from the network) directly in Splunk Enterprise. Wire data enriches the existing data by adding context to events and isolating current threats, and it is an important input for detailed analysis, especially when complemented by metadata.

The process of collecting wire data from anywhere in the infrastructure and delivering it into the Splunk platform can be optimized for efficiency when the Gigamon GigaSECURE Security Delivery Platform is deployed in conjunction with the Splunk platform. The Gigamon solution aggregates wire data from networks operating at any speed (100Mb to 100Gb), virtual infrastructures (workloads running on VMware ESXi, KVM/OpenStack, AWS or Azure), emerging SDN infrastructures (for example, Cisco ACI and VMware NSX), and even traffic from remote sites. Using user-defined rules, only the relevant data is passed on, which simplifies the handling of massive volumes of wire data for analytics with fine-grained precision.

To narrow the amount of data and increase Splunk efficacy, traffic intelligence applications can be enabled inside the Gigamon fabric using GigaSMART technology. One such example is Application Session Filtering (ASF), which provides a powerful filtering engine to identify applications based on signatures or patterns that can appear across any part of the packet payload. ASF provides a way to search wire data for specific patterns at very high rates. These patterns can be as simple as a static string at a user-configured offset or as complex as an extremely advanced Perl Compatible Regular Expression (PCRE) at a variable offset.

In addition to ASF, the GigaSMART technology supports other applications such as packet de-duplication, SSL decryption, header removal, packet slicing, and more to optimize traffic before delivering the data to tools such as Splunk. With the combined solution, a complete yet customized set of aggregate data can then be rapidly forwarded to Splunk to gain real-time network visibility from anywhere in the infrastructure.

1. A detailed installation and configuration guide for Splunk Stream is available on Splunk's website.
2. Configure a Flow Map on a Gigamon Visibility node to direct raw packets to the Splunk server.
3. Additional optimization can be done by configuring GigaSMART operations (e.g. de-duplication, SSL decryption, Application Session Filtering etc.) to optimize the amount of data sent to Splunk. This optimization enables administrators to focus on the streams to index within Splunk.

The Network Interface Card (NIC) associated with the NetFlow collection should not be in promiscuous mode. Stream is being used as a protocol decoder in this configuration only.

The Gigamon Visibility App for Splunk (Visibility app) allows Splunk Enterprise users and operations teams to collect, store, visualize, and analyze inventory and traffic policy statistics from the Gigamon GigaSECURE Security Delivery Platform. The FlowMaps Explorer helps the Splunk Administrator to visualize and trend the traffic policies that are configured within the Security Delivery Platform. This app sources the data through open RESTful APIs from GigaVUE-FM and allows for first-level visibility and troubleshooting of infrastructure within Splunk.

The key benefits of the Gigamon Visibility App for Splunk are operational ease of use and reduced MTTR.

Using the Gigamon Visibility App for Splunk enables the administrator to monitor information presented by the GigaSECURE Security Delivery Platform in the context of other information presented within the Splunk user experience. The combination enables single-pane monitoring from the Splunk platform (Figure 46). The Gigamon Visibility App for Splunk presents critical information, such as:

- Fabric health status, including a complete inventory of the nodes and ports that are available.
- Top and bottom port stats.
- GigaSMART statistics for traffic intelligence applications enabled within the Gigamon fabric.
- Top conversations and applications seen in the Gigamon fabric.
- Chord view, which allows quick identification of sources and destinations of specific traffic streams (see Figure 47).

Figure 46: Gigamon Visibility App for Splunk: Dashboard

The application provides first-level visibility, troubleshooting, and root-cause analysis of infrastructure within the Splunk platform. For example, using the information gathered from the Gigamon Visibility App, an administrator can quickly identify the source, location, and traffic policy of the application or host that triggered a KPI alert.

Figure 47: FlowMaps Explorer - quickly identify sources and destinations of traffic streams

There are a few prerequisites in order to have the Visibility app installed and configured. These are:

- Splunk Enterprise version 6.5.x, 6.6.x or 7.0.x
- Gigamon GigaVUE-FM
- Any Gigamon visibility nodes

To install the application, follow these steps:

1. Log in to your Splunk instance.
2. On the main page, click the large + to add an application. If you can't see it, scroll down the page. See Figure 48 below.

   Figure 48: Adding a new Splunk application

   a. The Browse More Apps page is displayed.
   b. Search for Gigamon in the upper left search bar. You should see three applications.
   c. Select the Gigamon Visibility App for Splunk (as shown in Figure 49) by clicking the Install button.

   Figure 49: Installing the Gigamon Visibility App for Splunk

   d. A login splash screen will ask for your Splunk login credentials to install the app.
   e. Enter your credentials and accept the terms by checking the box at the bottom.
   f. Once installed, you will need to restart the Splunk service as in Figure 50.

   Figure 50: Restart Splunk services

3. Once the service has restarted, you will need to log back in and verify the Gigamon Visibility App for Splunk is installed.
   a. You should have a screen similar to the one shown in Figure 51 below.

   Figure 51: Gigamon Visibility App for Splunk installed

Now that the Gigamon Visibility App for Splunk is installed, we need to complete its setup. In this section, we will connect with a GigaVUE-FM host and generate the lookups so the app can display data.

1. In Splunk's main page (Figure 51 above), select the Gigamon Visibility App for Splunk. Since this is the first time we're launching it, an App configuration page opens. Click Continue to app setup page, as in Figure 52 below.

   Figure 52: Gigamon Visibility app configuration page

2. The End User License Agreement page displays, and you must accept the terms of the EULA to continue.
   a. Scroll to the bottom of the page and check the box stating I agree to be bound by this EULA.
   b. Click the green Save button on the right.
3. You are presented with the application main page, Overview (Figure 53). No data is showing in any of the graphs, and that is expected as the app is not connected to GigaVUE-FM yet.

   Figure 53: Gigamon Visibility App - Overview page

4. Click on the Administration > Configuration tab as in Figure 54.

   Figure 54: The Configuration tab under Administration

5. A submenu opens when you click on Configuration.
   a. Select the GigaVUE-FM option.

   Figure 55: Select GigaVUE-FM from the administration configuration tab

6. The Configure GigaVUE-FM hosts page opens, and you are on the Add GigaVUE-FM tab, as shown in Figure 56:

   Figure 56: Configure GigaVUE-FM Hosts page

   a. Enter the IP address or fully qualified domain name of your GigaVUE-FM host in box 1.
   b. Enter the GigaVUE-FM username and password in boxes 2 and 3 respectively. The user needs to have administrative rights.
   c. Select the time interval at which the Visibility App for Splunk will query the GigaVUE-FM. These queries are carried over the RESTful API. The interval can be set as low as 30 seconds and as high as 3600 seconds (one hour).
   d. Next, select which element information the app will query for in box 5.
   e. Lastly, select the version of GigaVUE-FM in box 6. If you are running GigaVUE-FM version 3.3 or above, select the bottom radio button marked as 3.3.X and Above.
   f. Once all information is entered, click the green Add GigaVUE-FM button.
   g. After adding the GigaVUE-FM information, you should restart Splunk. From the top menu, select Settings > Server Controls and click the green Restart Splunk button.
   h. If you made a mistake, you can delete the GigaVUE-FM host by clicking the Delete GigaVUE-FM tab.

   The Gigamon Visibility App for Splunk can support multiple GigaVUE-FM hosts. To add more, repeat steps a-f above.
7. Click on the orange banner at the top of the page and select Administration > Configuration > Generate Lookups as shown in Figure 57. The page refreshes and takes you to the Generate Lookups page.

   Figure 57: Configuration page, Administration > Configuration > Generate Lookups

8. Step 7 above must be repeated each time a new GigaVUE-FM is added to the Visibility app. Once Lookups are generated (Figure 58), you can start using the app.

   Figure 58: Gigamon Visibility App for Splunk, Generate Lookups page

9. You can explore the different charts by selecting any of the top orange banner menu options:
   a. Overview: general information about nodes, software distribution, port utilization, and more, as shown in Figure 46 above.
   b. Health
      i. Connected GigaVUE-FM information
      ii. Nodes and clusters information
      iii. GigaSMART information and statistics
   c. Trending: single port or map statistics and information
   d. Exploration
      i. FlowMaps Explorer: aggregate information on all maps seen by GigaVUE-FM, with the ability to filter down to a specific node/cluster, map, or map type
      ii. Syslog Explorer: enables you to home in on specific syslog hosts and events

   Note: GigaVUE-FM does not send syslog information of individual visibility nodes without configuring the nodes to send syslog data to Splunk.
10. To populate syslog data in Splunk and make the Syslog Explorer functional, follow the next steps to configure a visibility node to send syslog data.
   a. Log in to GigaVUE-FM and select the node of interest.
   b. In the node's dashboard, select Settings > Global Settings > Logging (Figure 59).

   Figure 59: A visibility node's Settings page

   c. Click the Add button (Figure 60).

   Figure 60: The Logging page where syslog sinks are added

   d. In the Add Logging Settings, select UDP as the Logging Protocol, add the Splunk IP or FQDN, and set the logging level as seen in Figure 61.

   Figure 61: Adding a syslog destination server information

   e. Repeat steps a-d above for each visibility node whose syslog you want to send to Splunk.

11. Now that we are sending syslog data to Splunk, we need to add a syslog data input in Splunk. This step may be skipped if Splunk already consumes syslog.
   a. In Splunk, select Settings > Data Inputs (Figure 62).

   Figure 62: Selecting Settings > Data Inputs in Splunk Enterprise

   b. In the Data Inputs page, select the UDP option (Figure 63).

   Figure 63: Data Inputs page, selecting UDP from the Local Inputs option

   c. A new screen opens, titled UDP, as in Figure 64. Click the New button.

   Figure 64: The UDP page of the Data Inputs option

   d. The Add Data page opens. Here, we add the UDP service that Splunk will listen for. Follow Figure 65 to select UDP (1), then enter the port on which syslog is transported in box 2 (the default is 514; however, many systems, including GigaVUE-OS, allow users to select a different port). Lastly, click the Next button.

   Figure 65: The Add Data page

   e. The Input Settings page opens as in Figure 66. In the Source type, make sure to click the Select button (1). Next, click on the drop-down menu to select a source type (2) and scroll down to Operating System (3). Lastly, scroll down on the sidebar until you see syslog (4) and select it.

   Figure 66: Input Settings page where we define additional parameters of the UDP flow

   f. Next, we select the App Context drop-down as in Figure 67 below. Scroll down until you see the Gigamon Visibility App For Splunk (GigamonForSplunk) and select it.

   Figure 67: Input Settings, selecting the App Context for the new data source

   g. In the Host option, you can select IP or DNS as the method (1) as shown in Figure 68. You can click on the Learn More link to get more information.

   Figure 68: Input Settings, setting the Host Method

   h. A summary page, titled Review, is now visible (Figure 69). Review the new data source and, if all looks good, click the Submit button.

   Figure 69: Add Data Review page

   i. Now that we have syslog data sent from a visibility node and we have configured the syslog data input on Splunk, we can turn to the Exploration > Syslog Explorer menu of the Gigamon Visibility App for Splunk to see a visualization of the syslog data, as shown in Figure 70.

   Figure 70: Gigamon Visibility App for Splunk, populated Syslog Explorer dashboard


More information

vcenter Operations Management Pack for NSX-vSphere

vcenter Operations Management Pack for NSX-vSphere vcenter Operations Management Pack for NSX-vSphere vcenter Operations Manager 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Implementing Infoblox Data Connector 2.0

Implementing Infoblox Data Connector 2.0 DEPLOYMENT GUIDE Implementing Infoblox Data Connector 2.0 2017 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2017 Page 1 of 31 Contents Overview... 3 Prerequisites... 3

More information

Carbon Black QRadar App User Guide

Carbon Black QRadar App User Guide Carbon Black QRadar App User Guide Table of Contents Carbon Black QRadar App User Guide... 1 Cb Event Forwarder... 2 Overview...2 Requirements...2 Install Cb Event Forwarder RPM...2 Configure Cb Event

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

<Partner Name> RSA NETWITNESS Security Operations Implementation Guide. Swimlane 2.x. <Partner Product>

<Partner Name> RSA NETWITNESS Security Operations Implementation Guide. Swimlane 2.x. <Partner Product> RSA NETWITNESS Security Operations Implementation Guide Jeffrey Carlson, RSA Partner Engineering Last Modified: 05/01/2017 Solution Summary The RSA NetWitness integration

More information

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3

Administering vrealize Log Insight. 05-SEP-2017 vrealize Log Insight 4.3 Administering vrealize Log Insight 05-SEP-2017 4.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Contents. Introduction

Contents. Introduction Contents Introduction Prerequisites Requirements Components Used Background Information Cisco Anyconnect Secure Mobility Client Internet Protocol Flow Information Export (IPFIX) IPFIX Collector Splunk

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Forescout. eyeextend for Splunk. Configuration Guide. Version 2.9

Forescout. eyeextend for Splunk. Configuration Guide. Version 2.9 Forescout Version 2.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Integrate Akamai Web Application Firewall EventTracker v8.x and above

Integrate Akamai Web Application Firewall EventTracker v8.x and above Integrate Akamai Web Application Firewall EventTracker v8.x and above Publication Date: May 29, 2017 Abstract This guide helps you in configuring Akamai WAF and EventTracker to receive events. In this

More information

Get Started with Cisco DNA Center

Get Started with Cisco DNA Center About Cisco DNA Center, on page 1 Log In, on page 1 Log In for the First Time as a Network Administrator, on page 2 Default Home Page, on page 3 Use Global Search, on page 5 Where to Start, on page 6 About

More information

Installing vrealize Network Insight. VMware vrealize Network Insight 3.3

Installing vrealize Network Insight. VMware vrealize Network Insight 3.3 VMware vrealize Network Insight 3.3 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates.

More information

NexentaStor VVOL

NexentaStor VVOL NexentaStor 5.1.1 VVOL Admin Guide Date: January, 2018 Software Version: NexentaStor 5.1.1 VVOL Part Number: 3000-VVOL-5.1.1-000065-A Table of Contents Preface... 3 Intended Audience 3 References 3 Document

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

ForeScout CounterACT. Configuration Guide. Version 1.1

ForeScout CounterACT. Configuration Guide. Version 1.1 ForeScout CounterACT Hybrid Cloud Module: VMware NSX Plugin Version 1.1 Table of Contents About VMware NSX Integration... 3 Use Cases... 3 Additional VMware Documentation... 3 About this Plugin... 3 Dependency

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Version 2.3 User Guide

Version 2.3 User Guide V Mware vcloud Usage Meter Version 2.3 User Guide 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. This product is covered

More information

Snort: The World s Most Widely Deployed IPS Technology

Snort: The World s Most Widely Deployed IPS Technology Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,

More information

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team Rethinking Security CLOUDSEC2016 Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team Breaches Are The New Normal Only The Scale Surprises Us OPM will send notifications

More information

Stonesoft Management Center. Release Notes Revision A

Stonesoft Management Center. Release Notes Revision A Stonesoft Management Center Release Notes 5.10.2 Revision A Table of contents 1 About this release...3 System requirements... 3 Build version...4 Compatibility... 5 2 New features...6 3 Enhancements...

More information

VMware vrealize Log Insight Getting Started Guide

VMware vrealize Log Insight Getting Started Guide VMware vrealize Log Insight Getting Started Guide vrealize Log Insight 2.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Subscriber Data Correlation

Subscriber Data Correlation Subscriber Data Correlation Application of Cisco Stealthwatch to Service Provider mobility environment Introduction With the prevalence of smart mobile devices and the increase of application usage, Service

More information

Netwrix Auditor Add-on for Privileged User Monitoring

Netwrix Auditor Add-on for Privileged User Monitoring Netwrix Auditor Add-on for Privileged User Monitoring Quick-Start Guide Version: 9.6 5/8/2018 Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA Contacting Leostream Leostream Corporation http://www.leostream.com 271 Waverley Oaks Rd. Telephone: +1 781 890 2019 Suite 206 Waltham, MA 02452 USA To submit an enhancement request, email features@leostream.com.

More information

BIG MON CONTROLLERS BIG MON ANALYTICS NODE. Multi-Terabytes L2-GRE 1/10/25/40/100G ETHERNET SWITCH FABRIC. Optional BIG MON BIG MON SERVICE NODES

BIG MON CONTROLLERS BIG MON ANALYTICS NODE. Multi-Terabytes L2-GRE 1/10/25/40/100G ETHERNET SWITCH FABRIC. Optional BIG MON BIG MON SERVICE NODES Modern Packet Recorder: Enhancing Data Security and Privacy Compliance OVERVIEW In response to the stringent corporate governance and compliance requirements for how IT data is secured, controlled, and

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

ForeScout Extended Module for ArcSight

ForeScout Extended Module for ArcSight Version 2.8 Table of Contents About the ArcSight Integration... 4 Use Cases... 4 Send Endpoint Status, Compliance, or Property Changes from CounterACT to ArcSight... 5 SmartConnector Health and Compliance

More information

Cisco ISR G2 Management Overview

Cisco ISR G2 Management Overview Cisco ISR G2 Management Overview Introduction The new Cisco Integrated Services Routers Generation 2 (ISR G2) Family of routers delivers the borderless network that can transform the branch office and

More information

vrealize Automation Management Pack 2.0 Guide

vrealize Automation Management Pack 2.0 Guide vrealize Automation Management Pack 2.0 Guide This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for

More information

Features. HDX WAN optimization. QoS

Features. HDX WAN optimization. QoS May 2013 Citrix CloudBridge Accelerates, controls and optimizes applications to all locations: datacenter, branch offices, public and private clouds and mobile users Citrix CloudBridge provides a unified

More information

Ansible Tower Quick Setup Guide

Ansible Tower Quick Setup Guide Ansible Tower Quick Setup Guide Release Ansible Tower 2.4.5 Red Hat, Inc. Jun 06, 2017 CONTENTS 1 Quick Start 2 2 Login as a Superuser 3 3 Import a License 4 4 Examine the Tower Dashboard 6 5 The Setup

More information

VMware vfabric Data Director Installation Guide

VMware vfabric Data Director Installation Guide VMware vfabric Data Director Installation Guide vfabric Data Director 1.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

A10 HARMONY CONTROLLER

A10 HARMONY CONTROLLER DATA SHEET A10 HARMONY CONTROLLER AGILE MANAGEMENT, AUTOMATION, ANALYTICS FOR MULTI-CLOUD ENVIRONMENTS PLATFORMS A10 Harmony Controller provides centralized agile management, automation and analytics for

More information

Network Operations Analytics

Network Operations Analytics Network Operations Analytics Solution Guide Version 2.4.4 (Build 2.4.4.0.x) June 2016 Copyright 2012-2016 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 2 Solution

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Administering vrealize Log Insight. 12-OCT-2017 vrealize Log Insight 4.5

Administering vrealize Log Insight. 12-OCT-2017 vrealize Log Insight 4.5 Administering vrealize Log Insight 12-OCT-2017 4.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

CounterACT Check Point Threat Prevention Module

CounterACT Check Point Threat Prevention Module CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...

More information

Monitoring and Threat Detection

Monitoring and Threat Detection Monitoring and Threat Detection with Netflow Michael Belan Consulting Systems Engineer Cisco GSSO January 2017 AGENDA What is SW? Where does it fit in overall Cisco Security framework? What is SW? What

More information

DomainTools for Splunk

DomainTools for Splunk DomainTools for Splunk Installation Guide version 2.0 January 2018 Solution Overview The DomainTools Technology Add-On (TA) for Splunk populates a whois index with DomainTools Whois and Risk Score data

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database For multiple versions Have documentation feedback? Submit a Documentation Feedback support ticket using

More information

SIEM Solutions from McAfee

SIEM Solutions from McAfee SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an

More information

vrealize Network Insight Installation Guide

vrealize Network Insight Installation Guide vrealize Network Insight Installation Guide vrealize Network Insight 3.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 vcenter Server Appliance Configuration Modified on 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson THE RSA NETWITNESS SUITE REINVENT YOUR SIEM Presented by: Walter Abeson 1 Reality Goals GOALS VERSUS REALITY OF SIEM 1.0 Single compliance & security interface Analyze & prioritize alerts across various

More information

WatchGuard XTMv Setup Guide Fireware XTM v11.8

WatchGuard XTMv Setup Guide Fireware XTM v11.8 WatchGuard XTMv Setup Guide Fireware XTM v11.8 All XTMv Editions Copyright and Patent Information Copyright 1998 2013 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo,

More information

NetApp Cloud Volumes Service for AWS

NetApp Cloud Volumes Service for AWS NetApp Cloud Volumes Service for AWS AWS Account Setup Cloud Volumes Team, NetApp, Inc. March 29, 2019 Abstract This document provides instructions to set up the initial AWS environment for using the NetApp

More information

App Orchestration 2.0

App Orchestration 2.0 App Orchestration 2.0 Getting Started with Citrix App Orchestration 2.0 Prepared by: Jenny Berger Commissioning Editor: Erin Smith Version: 1.0 Last Updated: April 4, 2014 Page 1 Contents Welcome to App

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Forescout. Configuration Guide. Version 3.5

Forescout. Configuration Guide. Version 3.5 Forescout Version 3.5 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7 Administering vrealize Log Insight September 20, 2018 4.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Installing vrealize Network Insight. VMware vrealize Network Insight 3.5

Installing vrealize Network Insight. VMware vrealize Network Insight 3.5 VMware vrealize Network Insight 3.5 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates.

More information