The Avalon Add-On for Splunk enables the interchange of data between Avalon and Splunk to support security investigations leveraging both platforms. The add-on provides custom search commands that allow for both the creation and update of Avalon workspaces from a Splunk search, as well as the retrieval of node and workspace data on demand. All add-on activity, to include details about workspaces and nodes, are visible in the Avalon Summary dashboard.
The Avalon Add-On for Splunk can be installed directly from Splunkbase within your Splunk instance (Apps > Find more apps) or by uploading the file downloaded outside of Splunk (Apps > Manage Apps > Install app from file).
IMPORTANT In distributed Splunk architectures, the add-on must be installed at the search head tier. The search commands that interact with Avalon run on the search head only. Some commands will result in data being indexed to the avalon index. To allow for indexing to occur in a distributed environment, create the avalon index on your indexer(s).
Once installed, login to your Splunk instance and update the add-on configuration (add-on set up link in Manage Apps) and define the following:
The Avalon Add-On for Splunk provides the following custom search commands for interacting with Avalon inside of Splunk Enterprise:
Create a search in Splunk that results in the values you would like to send to Avalon in a table format. Once the results are to your liking, pipe to the avalon create_workspace command.
Consider the following example:
index=apache clientip=10.10.5.* | dedup clientip | table clientip | avalon create_workspace=”httpd”
This search would result in all 10.10.5.* client IP addresses being added to a new workspace named httpd. The new workspace will be immediately available in Avalon.
When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:
Create a search in Splunk that results in the values you would like to send to Avalon in a table format. Once the results are to your liking, pipe to the avalon update_workspace command.
Consider the following example:
index=apache clientip=10.10.7.* domain=*.gov | dedup clientip domain | table clientip domain | avalon update_workspace=”httpd”
This search would result in all 10.10.7.* client IP addresses and .gov domain values being added to the httpd workspace previously created. Based on the prior example, the httpd workspace would now contain nodes reflecting the 10.10.7.* and the 10.10.5.* client IP addresses, as well as the .gov domains.
When data is sent to Avalon, an event is written to the avalon index. To review the indexed data run the following search over the desired time range:
Run the pullnodes command by itself with either a workspace ID or title to retrieve node and workspace metadata.
| pullnodes id=123 would retrieve node data and workspace meta from the workspace with an ID of 123.
| pullnodes title=”httpd” would retrieve node data and workspace meta from the httpd workspace.
The search command will show the data that was returned in the Splunk interface. It also writes an event to the avalon index. To review the indexed data run the following search over the desired time range:
Run the pullworkspaces command to retrieve a list of available workspaces and metadata.
Beyond providing the means to quickly view what workspaces are available, the command is also called hourly via saved search to populate a lookup containing the workspace ID and workspace title.
The Avalon Summary dashboard provides visibility and insight into the add-on’s operation. The dashboard panels are as follows and are scoped by workspace, node type, and time range unless otherwise indicated:
The avalon_nodes lookup can be used with your other searches, reports, and alerts to add context or otherwise enrich data in Splunk. For example, an alert could be created that sends an email or performs another action when a particular node value appears in your indexed data.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.