

CloudPassage App for Splunk Enterprise

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
The CloudPassage App for Splunk Enterprise is a solution to help detect security violations and look for threats across your complex cloud infrastructure, through analysis of massive volumes of Halo event data.

CloudPassage’s Halo platform records over eighty different types of security events about your Halo-managed infrastructure, whether you deploy into public cloud environments or your private data center. These events deliver information about your infrastructure and include critical security alerts for firewall changes, access changes, configuration changes, and file integrity changes, and more.

The CloudPassage App for Splunk Enterprise leverages the security visibility provided by CloudPassage's Halo platform with Splunk's correlation and visualization capabilities to deliver a security reporting and analysis tool. This app enables security operators and administrators to correlate security events across their Halo-managed infrastructure.

Getting Started With the CloudPassage App

This document describes the CloudPassage App for Splunk Enterprise and explains how to set up, configure, and get started using the App.

How the CloudPassage App Works

The purpose of the CloudPassage App for Splunk Enterprise is to import Halo event data into Splunk Enterprise and allow it to be manipulated by Splunk users and displayed on Halo-specific pages within Splunk Enterprise. The App includes several Halo-specific event display screens for reporting event results and summaries.

For event import, the App uses the script-based Modular Input tool. The Modular Input script retrieves event data from a CloudPassage Halo account and imports it into Splunk Enterprise for further processing.

Retrieving events. The script is designed to execute repeatedly, keeping Splunk up-to-date with Halo events as time passes and new events occur:
The first time the script runs, it by default retrieves all logged events within the past 90 days from a single Halo account. Then the script creates a file, writes the timestamp of the last-retrieved event in it, and saves it as a checkpoint. You may find the checkpoint file in /Splunk/var/lib/splunk/modinputs.
Every subsequent time the script runs, it retrieves only those events that were created after the timestamp stored in the checkpoint.
During any script run, if no new events have occurred since the last run, no events are retrieved or imported into Splunk.

Output formats. The script receives event data from Halo in Halo's native JavaScript Object Notation (JSON) format, which you can view in Splunk after the data has been imported.

Authentication to the Halo API. CloudPassage Halo requires the Modular Input script to pass a valid Halo API key pair in order to obtain event data. You can find the Halo API key pair in CloudPassage Halo Portal. We recommend using an auditor (read-only) API key pair with the necessary server group scope.

Prerequisites

To get started, you must have the following:

  • An active CloudPassage Halo subscription. If you don't have one, Register for CloudPassage to receive your credentials and further instructions by email.

  • Access to your CloudPassage API key. Best practice is to create a new read-only key specifically for use with this script.

  • Splunk Enterprise Server 7.0 or later. You can download Splunk Enterprise Server from here.

A. Install the CloudPassage App

You can obtain the CloudPassage app through Splunkbase.

Get the App from Splunk Apps

To install the CloudPassage App for Splunk Enterprise, first log into Splunk Enterprise. After you have successfully logged in, click the gear icon next to Apps at the top left of your screen, then click Browse more apps. This takes you to the Splunk Apps page.

On the Splunk Apps page, search for “CloudPassage” to find the “CloudPassage App for Splunk Enterprise”. Click Install to install the app.

Verify the Installation

Regardless of how you install the CloudPassage App, once you are successful it appears in the Splunk Enterprise dashboard, like this:

Create cloudpassage Index

All events will be written to an index named "cloudpassage". Make sure to create the index via the Splunk GUI before activating the CloudPassage App.

For Splunk Cloud:

For Splunk Enterprise:

The index name must be "cloudpassage"; all other index parameters are up to you.

B. Configure and Activate the CloudPassage App

After installing the CloudPassage App, configure it by obtaining required Halo information, specifying the Modular Input configuration settings in a configuration file, and entering additional data input settings within Splunk Enterprise. Once you have done that, execution of the App is automatic.

Retrieve and save your CloudPassage API key

The Modular Input is a Python script that makes calls to the CloudPassage API. The script must authenticate itself to Halo during every session; therefore, you (as a Halo user) need to make your CloudPassage API key available to the script.

  1. To retrieve your CloudPassage API key, log into the CloudPassage Portal and navigate to Environment > Settings > Site Administration and click the API Keys tab. (If you haven’t generated an API key yet, do so by clicking Actions > New Api Key.)

If you do create an API key, we recommend that, as a best practice, you create a read-only key. A read-only key is all that you need to be able to retrieve Halo event data.

  2. Retrieve both the Key ID and the Secret Key values for the API key. Click Show for your key on the API Keys tab to display both values.

Configure the App in Splunk

Now integrate your installed CloudPassage App into Splunk Enterprise.

Log into your Splunk Enterprise installation. Choose Data Inputs from the Settings menu.

Click CloudPassage Splunk Connector. The CloudPassage Splunk Connector dialog box opens.

You add new types of data to Splunk Enterprise by telling it about them. There are a number of ways you can specify a data input, either in terms of its type or by its source. The Modular Input script is a source that collects data for Splunk by connecting to the CloudPassage Grid and using the Halo Event API. That is the source type that you will select.
Click Add new. The Add new dialog box opens:

Fill in these fields:

  • Name: Enter a display name for your App, such as "CloudPassage Halo". This name appears on the App's data input summary page.
  • CloudPassage Halo API Key: Copy your saved Halo API key ID and paste it into this field.
  • CloudPassage Halo API Secret: Copy your saved Halo API key secret and paste it into this field.
  • Starting Date/Time: Optionally enter the starting date-time of events to be retrieved from your Halo account. Use ISO-8601 format; for example 2013-09-19T17:34:28.808886Z. All events newer than this date-time will be retrieved the first time the script runs; on each subsequent run, only events newer than the newest previously retrieved event will be retrieved. This field is optional; if you leave it blank, the first execution of the script retrieves all events from your Halo account from the 90 days prior to that run.
    Please note:
    • If a checkpoint exists, it takes precedence over this field. You can find the checkpoint in /Splunk/var/lib/splunk/modinputs.
    • CloudPassage Halo has a 90-day data retention period.
  • API Hostname: By default this is set to api.cloudpassage.com. If your CloudPassage API hostname differs from the default, specify it here.
  • Proxy Host: Copy your proxy host IP address and paste it into this field. (Optional)
  • Proxy Port: Copy your proxy port and paste it into this field. (Optional)
  • Set sourcetype. Choose "Manual".
  • Select source type from list. Select the source type value that you specified in the Splunk props.conf file (for example, [cp_halo]; see Set up props.conf).

Click Save.

When it has finished adding the new data source, Splunk displays a success message:
You're done! The Modular Input script is now running, automatically providing events to Splunk for indexing.
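The checkpoint behaviour described under "How the CloudPassage App Works" and in the Starting Date/Time notes above, as an added illustration that is not the App's own Modular Input code: an existing checkpoint takes precedence over the configured start date, the default look-back is 90 days, and only events strictly newer than the checkpoint are imported, so the last-retrieved event is not re-indexed on the next run. The event records, their field names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

DEFAULT_LOOKBACK_DAYS = 90  # Halo retains event data for 90 days

# Constructed sample events in the shape of Halo JSON records (not real data).
SAMPLE_EVENTS = [
    {"id": "ev-1", "type": "firewall_change", "created_at": "2018-05-10T08:00:00.000000Z"},
    {"id": "ev-2", "type": "fim_change", "created_at": "2018-05-12T09:30:00.000000Z"},
    {"id": "ev-3", "type": "access_change", "created_at": "2018-05-14T10:15:00.000000Z"},
]


def parse_iso8601(ts):
    """Parse a Halo timestamp such as 2013-09-19T17:34:28.808886Z (UTC, 'Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def resolve_start_time(checkpoint, starting_date, now):
    """Decide where this run starts reading.

    Precedence follows the documented behaviour: a saved checkpoint (timestamp of
    the last-retrieved event) wins over the Starting Date/Time field, and with
    neither present the first run looks back 90 days from now.
    """
    if checkpoint:
        return parse_iso8601(checkpoint)
    if starting_date:
        return parse_iso8601(starting_date)
    return now - timedelta(days=DEFAULT_LOOKBACK_DAYS)


def select_new_events(events, start):
    """Keep only events created strictly after `start`, oldest first.

    The strict comparison is what stops the newest event already recorded in
    the checkpoint from being imported a second time on the next run.
    """
    fresh = [e for e in events if parse_iso8601(e["created_at"]) > start]
    return sorted(fresh, key=lambda e: parse_iso8601(e["created_at"]))


def run_once(events, checkpoint, starting_date, now):
    """One scripted run: returns (events_to_index, checkpoint_to_save).

    When nothing new has arrived the checkpoint is left unchanged, so the next
    run resumes from the same point and no events are sent to Splunk.
    """
    start = resolve_start_time(checkpoint, starting_date, now)
    new = select_new_events(events, start)
    new_checkpoint = new[-1]["created_at"] if new else checkpoint
    return new, new_checkpoint
```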

C. View Halo Events in Splunk

The CloudPassage App provides several interactive pages that allow you to view and manipulate your Halo data from many different perspectives. Once the script runs successfully and is incorporating event data into Splunk, you will see Halo events such as the following appear in your CloudPassage App within Splunk Enterprise.

The Halo Dashboard page:


The Violation Dashboard page:


Release Notes

Version 3.5.0
May 16, 2018

CS-537: add per_page as modular input, default=100, max=500
CS-538: fix Not supported proxy scheme None

Version 3.3.1
Feb. 21, 2018

Version 3.2.0
Jan. 23, 2018

Version 3.1
Jan. 22, 2018

Version 3.0
Jan. 19, 2018

Version 2.1
May 12, 2017

Read API hostname from data input.

Version 2.0
May 11, 2017

Fixed issue where latest event duplicates on interval runs.

Version 1.9
May 1, 2017

Added SDK retry logic into App.
Delayed retry up to 5 times if the grid returns a 500 on an API request.

Version 1.8
Jan. 31, 2017

Able to retrieve all events from 90 days ago.
No longer has a 5000-event daily limit count.

Version 1.7
April 17, 2015

The CloudPassage App for Splunk is now proxy-aware. If you connect outbound via a proxy server in your environment, you can now specify the IP address or FQDN of the proxy server for Splunk to connect to.

Version 1.6
Feb. 22, 2015

The CloudPassage Halo Secret key input field is now asterisked and not in clear text.

Version 1.5
Dec. 9, 2014

Minor bug fixes.

Version 1.4
April 18, 2014

Fixed issue while trying to regenerate authentication token.

Version 1.3
Jan. 7, 2014

Fixed issue where the Halo Event Search dashboard was not displaying drill-downs correctly for all event types.

Version 1.2
Jan. 7, 2014

Fixed an issue where Halo Event Search was not displaying events correctly on drill-down.

Version 1.1
Dec. 31, 2013

Version 1.0
Nov. 7, 2013

33 Installs, 885 Downloads