The Tripwire IP360 Add-on for Splunk lets a Tripwire IP360 administrator collect vulnerability and scan events from IP360, map them to the Splunk® Common Information Model (CIM), and index the data in Splunk. Once indexed, the data can be visualized with other Splunk apps, such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance. The companion app to this add-on can be downloaded here: https://splunkbase.splunk.com/app/2682/.
Release notes
1. Added support for Splunk DB Connect v3 on Splunk Enterprise 6.1 and above.
1. Fixed an issue with applications.
1. Added support for IP360 versions 8.0.0 and above.
2. Fixed an issue with OS groups.
3. Fixed an issue with the rising column of the ip360_scan_status input.
1. Fixed an issue with pulling in network groups.
2. Renamed the add-on to comply with Splunk Enterprise Security naming conventions.
1. Added a stand-alone TA for Tripwire IP360.
Unzip the tripwire-ip360-add-on-for-splunk_300.zip file. This file contains the .spl file you will install.
Configuring the IP360 VnE to accept remote connections
To connect the Tripwire IP360 Add-on for Splunk Enterprise to an IP360 VnE, you must enable "Remote Access to the Database" on the source IP360 VnE. This setting is how IP360 integrates with other products in the Tripwire product line. Remote access exposes the IP360 database only through a read-only database account, and Tripwire protects the connection with SSL (Secure Sockets Layer), so the remote client can read but not modify IP360 data and the data is not transmitted in the clear. Only Tripwire IP360 Administrators can change database settings.
Configuring Remote Access to the IP360 Database
a. In the IP360 VnE console, navigate to Administer: System > Database > Remote Access
b. Check "Enable Remote Access"
c. Enter a strong password for the read-only database account. This is the password Splunk DB Connect will use.
d. Enter the sources from which the database may be accessed remotely. Sources can be hostnames, IP addresses, and CIDR ranges, one per line. Restrict this list to the Splunk instance (heavy forwarder or dedicated search head) that will run DB Connect; a broad range such as an entire office subnet gives every host on it a login to the vulnerability database.
e. Click Submit to save your changes. The top of the pane then displays the information you need to configure the remote PostgreSQL client.
For more information about configuring Remote Access please review the "IP360 Administrators Guide".
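The source list in step d is an allowlist, and the mistake to avoid is entering a range so wide that the read-only database login is reachable from hosts that have no business with it. The following script is an added example written for this page (it is not Tripwire's or Splunk's code) that audits a candidate list before you paste it into the Remote Access pane. It assumes IP360 accepts the three source forms the step names (hostname, IP address, CIDR); the 256-host threshold and the sample list are chosen for the example.

```python
import ipaddress
import re

# RFC 1123 hostname syntax (assumption: IP360 accepts bare hostnames and FQDNs).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Widest CIDR that passes without a warning. A /24 (256 hosts) is already
# generous for a database that should only ever see the DB Connect host.
MAX_HOSTS_PER_SOURCE = 256


def classify_source(entry):
    """Classify one allowlist entry as 'ip', 'cidr', 'hostname', or 'invalid'."""
    entry = entry.strip()
    if not entry:
        return "invalid", None
    try:
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        pass
    try:
        return "cidr", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    labels = entry.split(".")
    # All-numeric labels (e.g. 10.0.0.300) are a mistyped IP, not a hostname.
    if _HOSTNAME_RE.match(entry) and not all(label.isdigit() for label in labels):
        return "hostname", entry
    return "invalid", None


def audit_sources(text):
    """Audit a Remote Access source list, one entry per line.

    Returns (accepted, warnings, errors). Entries that would open the
    database to any host at all are errors and are not accepted.
    """
    accepted, warnings, errors = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        kind, obj = classify_source(entry)
        if kind == "invalid":
            errors.append(f"line {lineno}: {entry!r} is not a hostname, IP address, or CIDR")
            continue
        if kind == "cidr":
            if obj.prefixlen == 0:
                errors.append(f"line {lineno}: {entry} allows every host to reach the database")
                continue
            if obj.num_addresses > MAX_HOSTS_PER_SOURCE:
                warnings.append(f"line {lineno}: {entry} admits {obj.num_addresses} hosts; "
                                "list the DB Connect host instead")
        elif kind == "hostname":
            warnings.append(f"line {lineno}: {entry} depends on DNS; "
                            "prefer the DB Connect host's IP address")
        accepted.append(entry)
    return accepted, warnings, errors


if __name__ == "__main__":
    # Constructed sample list for the example.
    sample = "10.20.30.40\n10.20.30.0/24\n0.0.0.0/0\nsplunk-hf01.example.com\nbad entry\n"
    ok, warn, err = audit_sources(sample)
    print("accepted:", ok)
    print("warnings:", *warn, sep="\n  ")
    print("errors:", *err, sep="\n  ")
```

The script refuses 0.0.0.0/0 and ::/0 outright, warns on anything wider than a /24 or on hostnames, and accepts the rest. In practice the list should usually be a single IP address: the heavy forwarder or search head that holds the DB Connect identity.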
Install the Splunk DB Connect application
a. Download Splunk DB Connect from https://splunkbase.splunk.com/. Supported releases are 1.2.2 or later in the 1.x line, 2.1.1 or later in the 2.x line, and 3.1.3 or later in the 3.x line.
b. Follow the Splunk DB Connect installation instructions, making sure the PostgreSQL JDBC driver is installed.
c. After installation is complete, create an Identity in Splunk DB Connect for connecting to the IP360 database.
i. The Username field must be "readonly", and the password must match the one configured under "Remote Access to the Database" on the IP360 VnE.
d. In Splunk DB Connect, set up the database connection to the IP360 database by clicking the "External Databases" link
i. If you have already set up the database connection it will be listed here, otherwise click the "New" button to set up the connection
ii. Fill in the host, port, username, and password with the values from the IP360 VnE's remote access configuration.
iii. Use these settings for the remaining fields:
Database Type: PostgreSQL
Transaction Isolation Level: DATABASE_SETTING
Read only: checked (the VnE account is already read-only; this enforces the same restriction on the DB Connect side)
Validate Database Connection: checked
iv. "Name" can be anything, as long as it matches the value entered later on the Tripwire IP360 "Set up" screen. "ice" is the default and recommended name. Avoid spaces in this field.
v. Click Save
Uninstall Old Tripwire IP360 Add-on for Splunk
a. If version 2.0 of the Tripwire IP360 Add-on for Splunk or lower is installed, the old version MUST be uninstalled before upgrading the Add-on.
b. Remove "TA_tripwire_IP360" from the $SPLUNK_HOME/etc/apps/ directory and restart Splunk Enterprise
Install Tripwire IP360 Add-on for Splunk
a. In Splunk Enterprise, navigate to "Manage Apps", then "Install app from file".
b. Select the ".spl" file containing the Tripwire IP360 Add-on for Splunk and click Upload.
c. Restart Splunk Enterprise as prompted
Configure Tripwire IP360 Add-on for Splunk
i. The first time you open the Tripwire IP360 Add-on for Splunk you are directed to the setup page automatically. You can also reach it by navigating to "Manage Apps", "Tripwire IP360 Add-on for Splunk", then "Set up".
a. Select the Splunk DB Connect version you installed (v1, v2, or v3).
b. Enter the name of the database connection that was created in Splunk DB Connect. This must match the "Name" field exactly (e.g. "ice").
c. Enter the number of days of IP360 historical data to import.
d. Specify the IP360 score range that maps to each severity value.
e. When you click "Save", these parameters are stored and the data begins indexing.
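Step d is where scoring mistakes hide: if the ranges overlap, the severity a finding gets depends on which bucket is checked first, and if they leave a gap or cap the top bucket, some findings get no severity at all and drop out of severity-based dashboards and correlation searches. The following is an added example written for this page (not Tripwire's code) that validates a set of ranges and applies it to a few findings. The bucket names follow the CIM vulnerability severity values; the numeric thresholds and the sample findings are placeholders chosen for the example, not Tripwire's defaults.

```python
# Assumed severity buckets for the "Set up" screen. Each bucket covers
# [low, high); high=None means no upper bound. Thresholds are illustrative.
ASSUMED_SEVERITY_RANGES = [
    ("informational", 0, 1),
    ("low", 1, 100),
    ("medium", 100, 1000),
    ("high", 1000, 10000),
    ("critical", 10000, None),
]


def validate_ranges(ranges):
    """Return a list of problems: overlaps, gaps, or a bounded top bucket.

    A gap leaves some scores with no severity; an overlap makes the result
    depend on bucket order; a bounded top bucket silently drops the
    highest-scoring findings, which are exactly the ones that matter most.
    """
    problems = []
    ordered = sorted(ranges, key=lambda r: r[1])
    for (n1, lo1, hi1), (n2, lo2, _hi2) in zip(ordered, ordered[1:]):
        if hi1 is None:
            problems.append(f"{n1} is unbounded but {n2} starts at {lo2}")
        elif hi1 > lo2:
            problems.append(f"{n1} ends at {hi1} but {n2} already starts at {lo2} (overlap)")
        elif hi1 < lo2:
            problems.append(f"scores in [{hi1}, {lo2}) between {n1} and {n2} have no severity (gap)")
    if ordered and ordered[-1][2] is not None:
        top_name, _lo, top_hi = ordered[-1]
        problems.append(f"top bucket {top_name} ends at {top_hi}; higher scores get no severity")
    return problems


def severity_for(score, ranges=ASSUMED_SEVERITY_RANGES):
    """Map one IP360 score to a severity name, or 'unknown' if no bucket matches."""
    for name, lo, hi in ranges:
        if score >= lo and (hi is None or score < hi):
            return name
    return "unknown"


# Constructed sample findings: (host, vulnerability, IP360 score).
SAMPLE_FINDINGS = [
    ("10.0.0.5", "weak SSH key exchange", 45.0),
    ("10.0.0.6", "SMBv1 enabled", 2300.0),
    ("10.0.0.7", "unauthenticated remote code execution", 52000.0),
]


def tag_findings(findings, ranges=ASSUMED_SEVERITY_RANGES):
    """Attach a severity to each finding using the configured ranges."""
    return [(host, name, score, severity_for(score, ranges)) for host, name, score in findings]


if __name__ == "__main__":
    for problem in validate_ranges(ASSUMED_SEVERITY_RANGES):
        print("range problem:", problem)
    for host, name, score, sev in tag_findings(SAMPLE_FINDINGS):
        print(f"{host:<10} {sev:<13} {score:>8.1f}  {name}")
```

Run validate_ranges on whatever thresholds you intend to enter before saving the setup page; an empty result means every possible score lands in exactly one bucket.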
The Tripwire IP360 Add-on for Splunk and Splunk DB Connect must be installed together on the heavy forwarder or dedicated search head that imports the data. That one instance performs all of the data import from the IP360 VnE.
a. Do not configure the TA to import data on a search head pool. Each search head keeps its own record of the last value returned by the queries, so every member of the pool would import the same rows and duplicate the data. See the instructions for the other search heads below.
i. The Tripwire IP360 App for Splunk can be installed in a search head pool for visualizations; a Tripwire IP360 TA configured to import data should not be.
b. It is not recommended to push either Splunk DB Connect or a data-importing Tripwire IP360 TA from the deployment server, because of the additional complexity involved.
i. Doing so would require pre-configuring the apps and synchronizing the Splunk secret keys across instances (Splunk encrypts stored credentials with each instance's splunk.secret, so the instance receiving a pre-configured DB Connect identity must share the secret it was encrypted with).
ii. Apart from this one instance, all other Splunk instances may use the Splunk deployment server.
c. For the recommended approach, install manually on the heavy forwarder or dedicated search head that imports the data by following the installation instructions above.
d. Forwarding the imported data to the indexers must be set up with additional Splunk configuration (for example outputs.conf on the importing instance).
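The duplication warning in a. above follows from how a rising-column input works: the input remembers the largest value of a monotonically increasing column it has seen and next time asks only for rows above it. That checkpoint is local to the instance running the input, so two instances running the same input each start from zero and each pull every row. The following simulation is an added example written for this page (not Tripwire's or Splunk DB Connect's code); the rows, the column names and the query shape are constructed for the example, and the real table and column live in the TA's input definitions, which are not shown on this page.

```python
from dataclasses import dataclass, field

# Constructed sample rows standing in for an IP360 scan table. The first
# column is the monotonically increasing id used as the rising column.
SAMPLE_ROWS = [
    (101, "10.0.0.5", "complete"),
    (102, "10.0.0.6", "complete"),
    (103, "10.0.0.7", "complete"),
]


def fetch_since(rows, checkpoint):
    """Emulates the rising-column query shape
    SELECT ... WHERE <rising column> > ? ORDER BY <rising column>
    against an in-memory table (assumed shape, not the TA's actual SQL)."""
    return sorted((r for r in rows if r[0] > checkpoint), key=lambda r: r[0])


@dataclass
class Poller:
    """One Splunk instance running the input; the checkpoint is stored locally."""
    name: str
    checkpoint: int = 0                       # last rising-column value seen
    indexed: list = field(default_factory=list)

    def poll(self, rows):
        new = fetch_since(rows, self.checkpoint)
        self.indexed.extend(new)
        if new:
            self.checkpoint = new[-1][0]      # advance past the newest row
        return new


def run_single_importer(rows):
    """One heavy forwarder polls twice as rows arrive; each row is indexed once."""
    hf = Poller("heavy-forwarder")
    hf.poll(rows[:2])   # first poll sees the first two scans
    hf.poll(rows)       # second poll sees only the new third scan
    return hf.indexed


def run_pooled_search_heads(rows, members=2):
    """Every pooled member runs the same input with its own checkpoint,
    so every member imports every row and the indexers see N copies."""
    pool = [Poller(f"sh{i}") for i in range(1, members + 1)]
    total = []
    for member in pool:
        member.poll(rows[:2])
        member.poll(rows)
        total.extend(member.indexed)
    return total


def duplicate_count(indexed):
    """Number of indexed rows whose id was already indexed earlier."""
    seen, dups = set(), 0
    for row in indexed:
        if row[0] in seen:
            dups += 1
        seen.add(row[0])
    return dups


if __name__ == "__main__":
    single = run_single_importer(SAMPLE_ROWS)
    pooled = run_pooled_search_heads(SAMPLE_ROWS)
    print(f"single importer: {len(single)} rows, {duplicate_count(single)} duplicates")
    print(f"2-member pool:   {len(pooled)} rows, {duplicate_count(pooled)} duplicates")
```

With one importer the second poll returns only the row added since the checkpoint; with a pool of N members every scan arrives N times, and because each copy has the same timestamp and fields, ordinary deduplication in searches is the only thing standing between the duplicates and inflated vulnerability counts in Enterprise Security.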
Install the TA "Tripwire IP360 Add-on for Splunk" on the indexers by your preferred method: deployment server, cluster master, or manual install. No configuration is needed in this TA on the indexers.
For all other search heads, apart from the one that may be used to import Tripwire IP360 data, deploy the Tripwire IP360 Add-on for Splunk; this includes search heads in search head pooling configurations. One setting is changed to make a deployable version of the TA.
a. These search heads do not need DB Connect installed.
b. The setup screen used on the importing instance does not apply to these search heads. To skip it, edit "app.conf" in the "local" folder of TA_tripwire_IP360 before deploying and set is_configured to 1 in the [install] stanza (it defaults to 0, which keeps prompting users on those search heads to run setup):
[install]
is_configured = 1
If properly configured, the data should be searchable from any search head.