
Downloading Avalon Add-on for Splunk

SHA256 checksum (avalon-add-on-for-splunk_101.tgz): 51c12b80d31134f679648773524f947cea8e739b271d6a88ebaac5885c66098f
SHA256 checksum (avalon-add-on-for-splunk_100.tgz): e6758fd716f26ca16b5eafc866147734b007bccb8c837df128b162af7ae16f0e
To install your download
For instructions specific to your download, click the Details tab after closing this window.
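Before uploading a package through Apps > Manage Apps > Install app from file, compare its SHA256 with the value published on the download page. The following is an added example (not code from the add-on or from Splunkbase) that streams a file through hashlib and compares the result to the published checksum table above; the sample bytes used in the test are constructed.

```python
"""Verify a downloaded Splunkbase package against its published SHA256 checksum.

Added example; the published values below are copied from the download page,
everything else (function names, sample data) is this example's own.
"""
import hashlib
import hmac
import io
from pathlib import Path

# Checksums as published on the Splunkbase download page for this add-on.
PUBLISHED_CHECKSUMS = {
    "avalon-add-on-for-splunk_101.tgz":
        "51c12b80d31134f679648773524f947cea8e739b271d6a88ebaac5885c66098f",
    "avalon-add-on-for-splunk_100.tgz":
        "e6758fd716f26ca16b5eafc866147734b007bccb8c837df128b162af7ae16f0e",
}


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large .tgz files never sit in memory whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as handle:
        return sha256_of_stream(handle)


def sha256_of_bytes(data):
    """Convenience wrapper used by the tests with constructed data."""
    return sha256_of_stream(io.BytesIO(data))


def verify_checksum(package_name, actual_hex, published=PUBLISHED_CHECKSUMS):
    """Return (ok, expected_hex).

    ok is False when the package name has no published checksum at all, so an
    unknown file is never treated as verified. hmac.compare_digest avoids a
    timing side channel; not important here, but it is the idiomatic compare.
    """
    expected = published.get(package_name)
    if expected is None:
        return False, None
    return hmac.compare_digest(actual_hex.lower(), expected.lower()), expected


def check_package(path, published=PUBLISHED_CHECKSUMS):
    """Hash the file at `path` and verify it by its file name."""
    name = Path(path).name
    return verify_checksum(name, sha256_of_file(path), published)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        ok, expected = check_package(arg)
        print(f"{arg}: {'OK' if ok else 'MISMATCH or unknown package'} (expected {expected})")
```

Run it as `python verify_package.py avalon-add-on-for-splunk_101.tgz` from the download directory; a mismatch or an unknown file name is reported as a failure, and only a file that matches its published value should be installed.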


Avalon Add-on for Splunk

King & Union's Avalon Add-On for Splunk enables the interchange of data between Avalon and Splunk to support security investigations leveraging both platforms. The add-on provides custom search commands that allow for both the creation and update of Avalon workspaces from a Splunk search, as well as the retrieval of node and workspace data on demand. All add-on activities, to include details about workspaces and nodes, are visible in the Avalon Summary dashboard. Retrieved data can be filtered and configured for inclusion in a Splunk ES instance as a custom threat feed for further alerting.

Request a demo of Avalon at https://www.kingandunion.com/splunk

Avalon Add-On for Splunk

Overview

The Avalon Add-On for Splunk enables the interchange of data between Avalon and Splunk to support security investigations leveraging both platforms. The add-on provides custom search commands that allow for both the creation and update of Avalon workspaces from a Splunk search, as well as the retrieval of node and workspace data on demand. All add-on activity, including details about workspaces and nodes, is visible in the Avalon Summary dashboard. Retrieved data can be filtered and configured for inclusion in a Splunk ES instance as a custom threat feed for further alerting.

For more information or to request a demo, please visit www.kingandunion.com/splunk.

Installation & Configuration

The Avalon Add-On for Splunk can be installed directly from Splunkbase within your Splunk instance (Apps > Find more apps) or by uploading the file downloaded outside of Splunk (Apps > Manage Apps > Install app from file).

IMPORTANT In distributed Splunk architectures, the add-on must be installed at the search head tier. The search commands that interact with Avalon run on the search head only. Some commands will result in data being indexed to the avalon index. To allow for indexing to occur in a distributed environment, create the avalon index on your indexer(s).

Once installed, log in to your Splunk instance and perform the following configuration steps:

Step 1 - Add API Key:

  1. On the Splunk instance where the Avalon add-on is installed, navigate to Apps > Avalon Add-on.
  2. Inside the add-on, navigate to the Configuration tab > Add-on Settings.
  3. Enter your Avalon account's API key, available from your Avalon User Profile.
  4. Enter the Avalon URL you use to log in to Avalon and click Save. This is most commonly https://avalon.kingandunion.com (leave the URL at its default if unsure). [Image: the Avalon Add-on Configuration tab with the Add-on Settings tab selected]

Step 2 - Create Avalon Index:

  1. Navigate to Settings from the menu bar and click on Indexes. [Image: Splunk Settings with the Indexes link highlighted]
  2. On the Indexes page, click New Index and create a new index with the name avalon. Leave all other settings at their defaults and click Save. [Image: a user creating a new index called avalon]

Step 3 - Create Add Avalon Nodes Input:

  1. Navigate back to the Avalon Add-on from Apps > Avalon Add-on.
  2. Inside the add-on, navigate to the Inputs tab and click on the Create New Input button.
  3. Give the input a name; any name will do.
  4. Enter a refresh interval; 3600 (seconds) is recommended.
  5. Select avalon, created in Step 2 above, as the index. If you wish, you can use a different index, but be sure to select the Use a different Index checkbox.
  6. With these settings, click on the Add button. The input should be added without any errors. [Image: the input creation form for Add Avalon Nodes]

Step 4 - Verify Functionality:

  1. Navigate to the Avalon Summary tab.
  2. Scroll down to the All Workspaces table and wait for loading to finish.
  3. Verify that you see the workspace ID and Title of each workspace your user can see in Avalon.
  4. Clicking on a workspace Title in this table opens the Avalon workspace in a new browser tab.
  5. Clicking on an ID in this table indexes the node data for that workspace from Avalon. Try clicking on a few IDs to pull nodes from those workspaces.
  6. Once the data is pulled, the node data and workspace details should be visible throughout the dashboard. [Image: the All Workspaces table with some IDs highlighted]

ES Integration

The Avalon Add-on for Splunk is capable of pulling nodes with tags from Avalon. If your Splunk instance hosts the Enterprise Security app, you can automatically send node data from Avalon into ES as a threat feed for better detection. Since investigations in Avalon may contain data that is not always malicious but merely provides context to the investigation, the analyst must use tagging in order to take advantage of this automation: only tagged nodes are forwarded. It is recommended that an organization develop a specific tagging schema for the IOCs that they wish to pull into Splunk ES, as follows:

Step 1 - Creating Tags In Avalon:

  1. Inside Avalon, while performing an investigation, select one or more nodes > double-click a node > click on Tags.
  2. In the box, type a tag such as IsThreat and click Create "IsThreat" to add the tag to the selected nodes. [Image: the tagging modal in Avalon with the Add Tags text box highlighted]

Step 2 - Configuring the Threat Feed for Splunk ES:

  1. Back in the Avalon Add-on for Splunk, pull the nodes from the workspace tagged in Step 1.
  2. Pull these nodes into the Avalon Add-on either by clicking on the workspace ID in the All Workspaces table or by running the | pullnodes id=<workspace ID> command in the Splunk search bar.
  3. Click on the ES Integration tab. This opens the ES Integration dashboard.
  4. Choose the tags whose nodes should be added to the ES threat feed. [Image: the ES Integration dashboard with IsThreat checked]
  5. Once selected, verify that the nodes appear in the ES Integration dashboard. Nodes added here are forwarded to the ES app as Threat Artifacts. This process is scheduled to run every hour. [Image: the Threat Artifacts in the Splunk ES table]

Operation

The Avalon Add-On for Splunk provides the following custom search commands for interacting with Avalon inside of Splunk Enterprise:

  • avalon: Create or update workspaces with data from a Splunk search.
  • pullworkspaces: Retrieve workspace data from Avalon.
  • pullnodes: Retrieve node data from Avalon.

Creating a Workspace

Create a search in Splunk that results in the values you would like to send to Avalon in a table format. Once the results are to your liking, pipe to the avalon create_workspace command.
Consider the following example:

index=apache clientip=10.10.5.* | dedup clientip | table clientip | avalon create_workspace="httpd"

This search would result in all 10.10.5.* client IP addresses being added to a new workspace named httpd. The new workspace will be immediately available in Avalon.

When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:

index=avalon sourcetype=avalon_push

Updating a Workspace

Create a search in Splunk that results in the values you would like to send to Avalon in a table format. Once the results are to your liking, pipe to the avalon update_workspace command.

Consider the following example:

index=apache clientip=10.10.7.* domain=*.gov | dedup clientip domain | table clientip domain | avalon update_workspace="httpd"

This search would result in all 10.10.7.* client IP addresses and .gov domain values being added to the httpd workspace previously created. Based on the prior example, the httpd workspace would now contain nodes reflecting the 10.10.7.* and the 10.10.5.* client IP addresses, as well as the .gov domains.

When data is sent to Avalon, an event is written to the avalon index. To review the indexed data run the following search over the desired time range:

index=avalon sourcetype=avalon_push

Retrieving Node Data

Run the pullnodes command by itself with either a workspace ID or title to retrieve node and workspace metadata.

| pullnodes id=123 retrieves node data and workspace metadata from the workspace with an ID of 123.

| pullnodes title="httpd" retrieves node data and workspace metadata from the httpd workspace.

The search command will show the data that was returned in the Splunk interface. It also writes an event to the avalon index. To review the indexed data run the following search over the desired time range:

index=avalon sourcetype=avalon_nodes

Retrieving Workspace Data

Run the pullworkspaces command to retrieve a list of available workspaces and metadata.

| pullworkspaces

Beyond providing the means to quickly view what workspaces are available, the command is also called hourly via saved search to populate a lookup containing the workspace ID and workspace title.

Reporting

The Avalon Summary dashboard provides visibility and insight into the add-on’s operation. The dashboard panels are as follows and are scoped by workspace, node type, and time range unless otherwise indicated:

  • Total Nodes: The distinct count of nodes retrieved by the pullnodes command and indexed in Splunk.
  • Overlapping Nodes: The number of nodes that exist in more than one workspace.
  • Total Pulls: The number of times the pullnodes command was run.
  • Total Pushes: The number of times the avalon create_workspace and avalon update_workspace commands were run.
  • Last Pull: The most recent timestamp of the last pullnodes execution.
  • Last Push: The most recent timestamp of the last avalon create_workspace or avalon update_workspace execution.
  • Nodes by Workspace over Time: The count of nodes by workspace.
  • All Workspaces: The list of all available workspaces, workspace meta, and node count. The list is pulled from indexed events and also the workspaces lookup table.
      • Clicking on a value in the Last Pull or ID columns will open a new window and run the pullnodes search command for the particular workspace.
      • Clicking on the Title or Node Count values will open the workspace in Avalon.
  • Count by Node Type: A chart showing a breakdown of nodes by node type and workspace.
  • Activity over Time: A chart showing all “push” and “pull” activity between Splunk and Avalon.
  • Nodes: A list of nodes with node type and the workspace(s) the node is found in. The list may be further refined by entering a value in the Node Search field.
      • Clicking on a table row will drill down to search for the node in your indexed data.
      • Clicking the Node Search link will search for all nodes in your indexed data.
      • Clicking the Update Lookup link will write the results in the Nodes table to the avalon_nodes lookup.

The avalon_nodes lookup can be used with your other searches, reports, and alerts to add context or otherwise enrich data in Splunk. For example, an alert could be created that sends an email or performs another action when a particular node value appears in your indexed data.
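The two pieces of logic the page describes for ES integration and for the avalon_nodes lookup are: only nodes carrying a tag the analyst selected become threat artifacts (context-only nodes in the same workspace stay out), and node values are then matched against fields in indexed events for enrichment or alerting. The following is an added example, not code from the add-on; the node and event records are constructed, and the field names (value, node_type, tags, workspace_id, src_ip, dest) are assumptions rather than the add-on's actual schema.

```python
"""Tag-gated threat-artifact selection and node-value enrichment, modelled on the
behaviour described in the ES Integration and Reporting sections.

Added example with constructed data; field names are assumptions, not the
add-on's own schema.
"""
from collections import defaultdict

# Constructed sample of pulled node records (not real Avalon output).
SAMPLE_NODES = [
    {"value": "203.0.113.10", "node_type": "ip", "tags": ["IsThreat"], "workspace_id": 123},
    {"value": "malicious.example", "node_type": "domain", "tags": ["IsThreat", "C2"], "workspace_id": 123},
    {"value": "10.10.5.4", "node_type": "ip", "tags": [], "workspace_id": 123},  # context only, untagged
    {"value": "203.0.113.10", "node_type": "ip", "tags": ["Suspicious"], "workspace_id": 124},  # overlaps 123
    {"value": "partner.example", "node_type": "domain", "tags": ["Benign"], "workspace_id": 124},
]

# Constructed events standing in for indexed data.
SAMPLE_EVENTS = [
    {"_time": "2020-12-28T10:00:00Z", "src_ip": "10.10.5.4", "dest": "203.0.113.10"},
    {"_time": "2020-12-28T10:01:00Z", "src_ip": "10.10.5.9", "dest": "partner.example"},
    {"_time": "2020-12-28T10:02:00Z", "src_ip": "10.10.7.2", "dest": "malicious.example"},
]

EVENT_FIELDS = ("src_ip", "dest")


def select_threat_artifacts(nodes, selected_tags):
    """Return {(value, node_type): {workspace_ids}} for nodes with at least one selected tag.

    Tag comparison is case-insensitive. A node without a selected tag is never
    forwarded, even if the same value appears tagged in another workspace; the
    workspace set records only the workspaces where the tag was applied.
    """
    wanted = {tag.lower() for tag in selected_tags}
    artifacts = {}
    for node in nodes:
        if wanted & {tag.lower() for tag in node["tags"]}:
            key = (node["value"], node["node_type"])
            artifacts.setdefault(key, set()).add(node["workspace_id"])
    return artifacts


def build_lookup(nodes):
    """Model the avalon_nodes lookup: value -> node_type and every workspace it appears in."""
    lookup = defaultdict(lambda: {"node_type": None, "workspaces": set()})
    for node in nodes:
        entry = lookup[node["value"]]
        entry["node_type"] = node["node_type"]
        entry["workspaces"].add(node["workspace_id"])
    return dict(lookup)


def overlapping_nodes(lookup):
    """Values present in more than one workspace (the Overlapping Nodes panel)."""
    return sorted(value for value, entry in lookup.items() if len(entry["workspaces"]) > 1)


def enrich_events(events, lookup, fields=EVENT_FIELDS):
    """Attach Avalon context to every event field whose value is in the lookup."""
    hits = []
    for event in events:
        for field in fields:
            value = event.get(field)
            if value in lookup:
                hits.append({
                    **event,
                    "matched_field": field,
                    "avalon_node_type": lookup[value]["node_type"],
                    "avalon_workspaces": sorted(lookup[value]["workspaces"]),
                })
    return hits


def alert_candidates(events, artifacts, fields=EVENT_FIELDS):
    """Events touching a threat artifact: the alerting case the Reporting section describes."""
    threat_values = {value for (value, _node_type) in artifacts}
    return [event for event in events
            if any(event.get(field) in threat_values for field in fields)]


if __name__ == "__main__":
    feed = select_threat_artifacts(SAMPLE_NODES, ["IsThreat"])
    print("threat artifacts:", sorted(feed))
    lookup = build_lookup(SAMPLE_NODES)
    print("overlapping:", overlapping_nodes(lookup))
    for hit in enrich_events(SAMPLE_EVENTS, lookup):
        print("enriched:", hit["matched_field"], hit[hit["matched_field"]], hit["avalon_workspaces"])
    print("alerts:", len(alert_candidates(SAMPLE_EVENTS, feed)))
```

The distinction the example makes visible is the one the ES Integration section relies on: the untagged 10.10.5.4 and the Benign-tagged partner.example both reach the lookup (and so enrich searches), but neither enters the threat feed, so an alert built on the feed fires only for events that touch IsThreat nodes.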

Release Notes

Version 1.0.1 (Dec. 28, 2020)

  1. Updated for compatibility with Splunk Enterprise 8.x and Splunk Cloud.
  2. Added the ability to directly ingest Avalon data into Splunk ES as Threat Artifacts to be used as a custom threat feed for alerting.
  3. Usability enhancements.

Version 1.0.0 (Aug. 16, 2019)

Initial release.

Installs: 0
Downloads: 102