Agari App for Splunk Quick-Start Guide


Initial Release (v1.1.0)

This document describes how to get started with the Agari App for Splunk. This release is available to Agari customers via SplunkBase (https://splunkbase.splunk.com/app/3568/).

The Agari App for Splunk includes the following:
- A setup script that installs and configures the application
- A Python-based data input script that retrieves data from the Agari REST API
- A reference set of Splunk search queries, reports, and dashboards that can be used to view and explore the data

Installing the Agari App for Splunk

The Agari App for Splunk can be installed from Splunkbase either by browsing for apps directly from your Splunk software (Figures I1 and I2), or by downloading the app package via a web browser and then uploading it via Splunk software (Figure I3).

Figure I1: Click Browse more apps to browse Splunkbase. Click Install app from file to install a downloaded app package.

Figure I2: The Agari App for Splunk can be located via the search string "agari".

If installing via a downloaded app package and a previous version is already installed, you may need to check the box labeled Upgrade app to overwrite the existing installed app. (Figure I3)

Figure I3: Manual upload of the Agari App for Splunk package

Configuring the Agari App for Splunk

After installing the Agari App for Splunk, click Set up now to go to the app configuration screen. (Figure C1)

Figure C1: Post-install setup required notification

Enter the setup information for the Agari app. (Figure C2) At a minimum, this requires copying and pasting your API Client ID and Client Secret, which are obtained from the Agari Customer Protect portal. See the next section for details on obtaining your API credentials.

Optionally, a Proxy Address URL (with or without HTTP Basic auth) can be configured. SSL verification is enabled by default (recommended) but can be disabled if needed by deselecting the Verify SSL option. Additionally, a custom CA_BUNDLE can be configured by entering the file path to a valid CA_BUNDLE file or folder. Note that the use of a custom CA_BUNDLE requires the Verify SSL option to be enabled.

Note: with Verify SSL disabled, the data input script accepts any certificate presented for api.agari.com, so an on-path device could read the Client Secret sent with every token request as well as the alert data returned. If the API must be reached through an inspecting proxy, add that proxy's CA certificate as a custom CA_BUNDLE and leave Verify SSL enabled rather than disabling verification.

Figure C2: Agari App for Splunk configuration screen

Obtaining/generating API credentials

API access credentials are generated on a per-user basis and must be obtained from within the Agari Customer Protect portal located at https://my.agari.com. You may use the credentials of an existing user account, or you can create a new user account dedicated to the Splunk integration (recommended, so that its Client Secret can be regenerated or the account removed without affecting a person's login).

1. From within the Agari portal, navigate to Admin > Users
2. Click an existing user, or select Add New User
3. Click Generate API Credentials to create new credentials, OR click Regenerate API Client Secret to generate a new client secret for an existing user. (Note: a brand new user account must accept its invitation before the Generate API Credentials link is available.) (Figure C3)
4. Copy and paste the Client ID and Client Secret into the Agari App for Splunk configuration page

5. Be sure to click the Update button after generating/recording API credentials to save the user's profile with the newly generated credentials!

Figure C3: Generation of an API Client ID and API Client Secret via the Agari Customer Protect portal

That's it! You can now use the Agari App for Splunk link from the Splunk landing page to launch the app. (Figure C4)

Figure C4: Agari App for Splunk can be accessed from the Splunk home screen
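As an added illustration of what the setup options above mean for the data input script, the following Python is example code written for this guide, not the agari_cp.py that ships with the app (which, judging by the HTTPSConnectionPool text in the Troubleshooting section, is built on the requests library). It uses only the standard library and shows how Verify SSL, CA_BUNDLE and the Proxy Address URL map onto the TLS and proxy settings of an HTTPS client, how the rule that a custom CA_BUNDLE requires Verify SSL is enforced, and how a failed token request is rendered in the same shape as the Agari Log entries. Only the token endpoint URL and the two log line formats come from this guide; the OAuth2 client-credentials form body, the proxy host name and the 30-second timeout are assumptions.

```python
"""Standard-library sketch of the Agari token request, mapping the setup
screen's Verify SSL / CA_BUNDLE / Proxy Address URL options onto an HTTPS
client. Added example for this guide; not the shipped agari_cp.py."""
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Token endpoint exactly as it appears in the Agari Log errors quoted in
# the Troubleshooting section of this guide.
TOKEN_URL = "https://api.agari.com/oauth/token"


def build_ssl_context(verify_ssl: bool, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Translate the two TLS options into an SSLContext.

    verify_ssl=True,  ca_bundle=None -> system trust store (the default)
    verify_ssl=True,  ca_bundle=path -> trust only that PEM file or cert directory
    verify_ssl=False                 -> no certificate or hostname checks, so an
                                        on-path device can read the Client
                                        Secret sent on every token request
    """
    if ca_bundle and not verify_ssl:
        # The guide says a custom CA_BUNDLE requires Verify SSL; fail loudly
        # rather than silently ignoring the bundle.
        raise ValueError("CA_BUNDLE is only honoured when Verify SSL is enabled")
    if not verify_ssl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not ca_bundle:
        return ssl.create_default_context()
    if os.path.isdir(ca_bundle):
        return ssl.create_default_context(capath=ca_bundle)   # hashed cert directory
    return ssl.create_default_context(cafile=ca_bundle)       # PEM bundle file


def build_opener(verify_ssl: bool, ca_bundle: Optional[str] = None,
                 proxy_url: Optional[str] = None) -> urllib.request.OpenerDirector:
    """HTTPS opener honouring the TLS options and an optional proxy.

    proxy_url may embed HTTP Basic credentials, e.g.
    http://svc:secret@proxy.example.internal:3128 (hypothetical host);
    urllib's ProxyHandler turns them into a Proxy-Authorization header.
    """
    handlers = [urllib.request.HTTPSHandler(context=build_ssl_context(verify_ssl, ca_bundle))]
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"https": proxy_url}))
    return urllib.request.build_opener(*handlers)


def describe_failure(url: str, exc: Exception) -> str:
    """Render a failure in the same shape as the Agari Log report entries."""
    if isinstance(exc, urllib.error.HTTPError):
        body = exc.read().decode("utf-8", "replace").strip() if exc.fp is not None else exc.msg
        return "Auth error: [%d] %s: %s" % (exc.code, url, body)
    if isinstance(exc, urllib.error.URLError):
        # DNS failure, connection refused, or blocked egress on 443 land here.
        return "Auth exception: %s" % exc.reason
    return "Auth exception: %r" % (exc,)


def fetch_token(client_id: str, client_secret: str, verify_ssl: bool = True,
                ca_bundle: Optional[str] = None, proxy_url: Optional[str] = None,
                token_url: str = TOKEN_URL) -> Tuple[Optional[str], Optional[str]]:
    """POST the Client ID/Secret to the token endpoint.

    Assumption: a standard OAuth2 client-credentials form body; the guide only
    shows the endpoint URL and the 401 message. Returns (response_body, None)
    on success or (None, agari_log_line) on failure.
    """
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=form, method="POST")
    opener = build_opener(verify_ssl, ca_bundle, proxy_url)
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.read().decode("utf-8", "replace"), None
    except (urllib.error.HTTPError, urllib.error.URLError) as exc:
        return None, describe_failure(token_url, exc)


if __name__ == "__main__":
    # Offline demonstration of the log rendering; no network call is made.
    import io
    err = urllib.error.HTTPError(TOKEN_URL, 401, "Unauthorized", {},
                                 io.BytesIO(b'{"error":"invalid_client"}'))
    print(describe_failure(TOKEN_URL, err))
```

The point of keeping the three settings in one function is that the insecure combination (Verify SSL off) is an explicit branch you can grep for, and the CA_BUNDLE-without-verification case is rejected instead of being ignored, which is the failure mode that leaves an operator believing the proxy CA is being checked when nothing is.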

Specifying a Dedicated Agari Index (Optional)

The Agari App for Splunk installation will use the default index that has been specified in your Splunk environment. If you are ingesting a lot of data into your default index, consider creating (or switching to) a separate index to host the Agari data, which will improve search performance. Index creation should be managed by your Splunk administrator and done in accordance with Splunk documentation and best practices. A process overview follows.

1. Create a new index
   1. Select Settings / Indexes
   2. Click New Index
   3. Enter your index configuration (Index Name at a minimum) (Figure O1)
   Note: If Splunk is running in a distributed environment, it may be necessary to replicate the newly-created index on the other indexers in the environment.

Figure O1: Configuration of an index specific for Agari data

2. Configure the Agari data input to use the desired index
   1. Select Settings / Data inputs / Scripts
   2. Click $SPLUNK_HOME/etc/apps/agari/bin/agari_cp.py to edit the input script configuration
   3. Click More settings
   4. Select the desired index from the Index drop-down (Figure O2)

Figure O2: Assignment of the agari index to the Agari input script

3. Modify the Agari search macro
   1. From within the Agari app select Settings / Advanced Search / Search macros
   2. Click macro_agari_index to edit the index macro

   3. Modify the macro Definition accordingly (Figure O3)

Figure O3: Modification of the macro_agari_index macro to refer to the newly-created index

Note: There are 3 macros created by the Agari App for Splunk. Only macro_agari_index should be modified, as the others will inherit this change. (Figure O4)

Figure O4: Only 1 macro must be edited to reflect the newly-created index

Using the Agari App for Splunk

The Agari App for Splunk consists of a background data input script that harvests Agari Customer Protect data (events) using the Agari REST API, and a number of preconfigured searches, reports and dashboards that can be used to view and explore the data.

Data Input Script

The data input script is scheduled to run automatically in the background every 15 minutes. When the app is first installed, the script will backfill data for the previous two weeks (in 12-hour increments). As such, a complete backfill of data will take about 7 hours of uninterrupted operation.

The data ingested into Splunk consist of Agari Customer Protect alert events, which include:
- Infrastructure alerts
- Threat Spike alerts
- Authentication Spike alerts
- SPF Record Changed
- DMARC Record Changed
- New Sender alert
- Brand Spoofing alert

Other ingested data include:
- Failure Sample data that is specific to certain alert events (i.e. Threat Spike, Authentication Spike, and Brand Spoofing alerts)
- API Service status
- Log data from the data input script

Dashboards

The Agari App for Splunk includes a number of dashboards that provide views of your alert activity. Click the Dashboards menu item from within the Agari app to view the list of available dashboards. (Figure U1)

Figure U1: Pre-built dashboards are provided by the Agari App for Splunk
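To make the backfill arithmetic in the Data Input Script section concrete, here is an added Python example, written for this guide and not the app's own scheduler, that walks the documented behaviour: one invocation every 15 minutes, a 14-day backfill pulled in 12-hour windows, and a checkpoint that only advances after a successful pull, so a failed invocation is retried on the next schedule rather than leaving a gap. The three numbers come from this guide; the in-memory checkpoint, the stand-in fetch function and the contiguity check are assumptions about how such an input would be built.

```python
"""Checkpointed backfill walk matching the scheduling the guide describes.
Added example for this guide; not the app's agari_cp.py. The checkpoint is a
plain Python value here rather than a file under Splunk's checkpoint dir."""
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

RUN_INTERVAL = timedelta(minutes=15)   # scripted input schedule (from the guide)
BACKFILL = timedelta(days=14)          # first run starts two weeks back (from the guide)
INCREMENT = timedelta(hours=12)        # one window per invocation (from the guide)

Window = Tuple[datetime, datetime]


def next_window(checkpoint: Optional[datetime], now: datetime) -> Window:
    """Window this invocation should fetch: resume from the checkpoint, or
    start BACKFILL ago on a cold start, and never reach past 'now'."""
    start = checkpoint if checkpoint is not None else now - BACKFILL
    return start, min(start + INCREMENT, now)


def run_once(checkpoint: Optional[datetime], now: datetime,
             fetch: Callable[[datetime, datetime], list]) -> Tuple[Optional[datetime], Window, list]:
    """One scripted-input invocation. 'fetch(start, end)' stands in for the
    REST call (assumed signature). The checkpoint moves only when it succeeds;
    a real input would write the error to the Agari Log instead of swallowing it."""
    start, end = next_window(checkpoint, now)
    try:
        events = fetch(start, end)
    except Exception:
        return checkpoint, (start, end), []      # checkpoint untouched; retried next run
    return end, (start, end), events


def simulate_backfill(first_run: datetime) -> Tuple[int, timedelta, List[Window]]:
    """Drive run_once on the 15-minute schedule from a cold start until the
    input has caught up with the clock. Returns (number of full 12-hour
    windows fetched, wall-clock time to catch up, all windows fetched)."""
    windows: List[Window] = []
    checkpoint: Optional[datetime] = None
    clock = first_run
    full = 0
    while True:
        checkpoint, window, _ = run_once(checkpoint, clock, lambda s, e: [])
        windows.append(window)
        if window[1] - window[0] == INCREMENT:
            full += 1
        if window[1] == clock:                   # caught up; later runs are incremental
            return full, clock - first_run, windows
        clock += RUN_INTERVAL


def windows_are_contiguous(windows: List[Window]) -> bool:
    """Sanity check: consecutive windows neither overlap nor leave a gap."""
    return all(a[1] == b[0] for a, b in zip(windows, windows[1:]))


if __name__ == "__main__":
    full, elapsed, windows = simulate_backfill(datetime(2017, 9, 1, tzinfo=timezone.utc))
    print("full 12h windows:", full, "caught up after:", elapsed,
          "contiguous:", windows_are_contiguous(windows))
```

Running the simulation from a cold start yields 28 full 12-hour windows and a final shorter catch-up window, with the input caught up 7 hours after the first invocation, which is where the guide's "about 7 hours" figure comes from.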

There are two top-level summary dashboards.

The Alert Dashboard: All Alerts: 1 Day dashboard provides a daily snapshot of alert activity. (Figure U2) Clicking on the bar chart will drill down into a more detailed dashboard view for the specific alert type.

Figure U2: Alert Dashboard: All Alerts: 1 Day

The Alert Dashboard: All Alerts: 2 Week dashboard provides a 2-week snapshot of recent alert activity. (Figure U3) Clicking on the bar chart will drill down into a more detailed dashboard view for the specific alert type. You can use the timepicker control to modify the time period for the alerts.

Figure U3: Alert Dashboard: All Alerts: 2 Weeks

In addition to the top-level summary dashboards, there are dashboards that display more specific information for each alert type. Clicking on the bar chart from within one of the alert-specific dashboards displays summary information for the specified alert(s). Additional details can be displayed by clicking on a row from the summary table.

Reports

The Agari App for Splunk includes a number of reports. Click the Reports menu item from within the Agari app to view the list of available reports. (Figure U4)

Figure U4: Report list

Report: Agari Log contains debugging information and error messages generated by the data input script. If you encounter any problems importing data, please check this Agari Log report.

Report: All Alerts is similar to the Alert Dashboard: All Alerts: 2 Week dashboard. It is included here to provide an example of a report-packaged view.

Report: Service Status shows the service status of the Agari API. Each invocation of the data input script should result in a new entry in this report.

Search

If you would like to explore the Agari alert data using Splunk's built-in search engine, you can do so by selecting the Search menu item. (Figure U5)

Figure U5: Searching raw Agari data using Splunk's built-in search engine

At a minimum, you will need to indicate the index where the Agari data reside. This can be done by referencing the Agari CP macro in the search bar:

`macro_agari_cp`

Note: use backticks to enclose the reference to macro_agari_cp. The macro already supplies the index term, so you do not need to add a separate index= clause to your searches (and if you later switch to a dedicated index, only macro_agari_index needs to change, as described above).

Upon a successful search you will see a list of Selected Fields in the left frame of the search page. You can click the various fields to further refine your search.

Example: view all alert events

`macro_agari_cp` event_type=alert_detail | dedup event_data.id

Example: view all infrastructure alerts

`macro_agari_cp` event_type=alert_detail event_data.alert_type=infrastructure | dedup event_data.id

Example: view the failure samples that correspond to the alert event with an ID of 2535933

`macro_agari_cp` event_type=failure_samples alert_id=2535933

Troubleshooting

Not receiving data

If you are not receiving any Agari alert data, first check the Agari Log for possible errors. The Agari Log is available from within the Agari App for Splunk by clicking the Reports menu.

The following error in the Agari Log report indicates a problem with the API credentials provided during setup:

Auth error: [401] https://api.agari.com/oauth/token: Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.

Please review the information in the section titled Obtaining/generating API credentials and ensure you have entered your API credentials correctly into Splunk. If necessary, you can regenerate a new Client Secret value. If you need to enter/re-enter your credentials into Splunk:

1. Click the blue gear icon from the main Splunk page
2. Locate the Agari App in the list of apps
3. Click Set up
4. Enter the (new) Client ID and Client Secret values
5. Click Save

HTTPSConnectionPool Error in Agari Log

The following error in the Agari Log report indicates that the data input script was not able to communicate with the Agari API server:

Auth exception: HTTPSConnectionPool(host='api.agari.com', port=443): Max retries exceeded with url: /oauth/token

If this error occurs repeatedly (i.e. back-to-back), there is likely a network security configuration which is disallowing outbound access from the Splunk host to api.agari.com on TCP port 443 (HTTPS). Please check your network configuration, including firewall egress rules and, if the Splunk host must go through a proxy, the Proxy Address URL entered during setup.

If this error occurs infrequently or intermittently, the Splunk host may be going into sleep or hibernation mode. This is often the case if Splunk is running on a personal laptop. In this situation, normal operation should resume when the system awakens from sleep or hibernation mode.

Dashboards and Reports are slow

Sharing the Agari index with other high-volume data sources can cause the Agari App for Splunk to be slow when displaying Dashboard and Report data. By default, the Agari setup will use the default index in your Splunk configuration. If there are other high-volume data sources using the default index, you may need to configure a separate/dedicated index to hold the Agari data. Please see the section titled Specifying a Dedicated Agari Index (Optional) for more information.

Providing Feedback to Agari

We would like your feedback and suggestions for ways we can improve the Agari App for Splunk. Please contact your Agari Customer Success representative if you would like to provide feedback, or if you otherwise require assistance.