The Avalon Add-On for Splunk enables the interchange of data between Avalon and Splunk to support security investigations that leverage both platforms. The add-on provides custom search commands that allow both the creation and update of Avalon workspaces from a Splunk search, as well as the retrieval of node and workspace data on demand. All add-on activity, including details about workspaces and nodes, is visible in the Avalon Summary dashboard. Retrieved data can be filtered and configured for inclusion in a Splunk ES instance as a custom threat feed for further alerting.
For more information or to request a demo, please visit www.kingandunion.com/splunk.
The Avalon Add-On for Splunk can be installed directly from Splunkbase within your Splunk instance (Apps > Find more apps) or by uploading the package file downloaded outside of Splunk (Apps > Manage Apps > Install app from file).
IMPORTANT In distributed Splunk architectures, the add-on must be installed at the search head tier. The search commands that interact with Avalon run on the search head only. Some commands will result in data being indexed to the avalon index. To allow for indexing to occur in a distributed environment, create the avalon index on your indexer(s).
Once installed, log in to your Splunk instance and perform the following configurations:
https://avalon.kingandunion.com. (Leave the URL as the default if unsure.)
Navigate to Settings from the menu bar and click on Indexes.
On the Indexes page, click New Index and create a new index with the name avalon. Leave all other settings at their defaults and click Save.
avalon, created in Step 2 above. If you wish, you can use a different index, but be sure to please select the Use a different Index checkbox.
The Avalon Add-on for Splunk is capable of pulling nodes with tags from Avalon. If your Splunk instance hosts the Enterprise Security app, you can now automatically send node data from Avalon into ES as a threat feed for better detection. Since investigations in Avalon may contain data that is not always malicious but merely provides context to the investigation, the analyst must apply tags in order to take advantage of this automation. It is recommended that an organization develop a specific tagging schema for the IOCs that they wish to pull into Splunk ES, as follows:
The Avalon Add-On for Splunk provides the following custom search commands for interacting with Avalon inside of Splunk Enterprise:
Create a search in Splunk that returns the values you would like to send to Avalon in table format. Once the results are to your liking, pipe them to the avalon create_workspace command.
Consider the following example:
index=apache clientip=10.10.5.* | dedup clientip | table clientip | avalon create_workspace="httpd"
This search would result in all 10.10.5.* client IP addresses being added to a new workspace named httpd. The new workspace will be immediately available in Avalon.
When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:
Create a search in Splunk that returns the values you would like to send to Avalon in table format. Once the results are to your liking, pipe them to the avalon update_workspace command.
Consider the following example:
index=apache clientip=10.10.7.* domain=*.gov | dedup clientip domain | table clientip domain | avalon update_workspace="httpd"
This search would result in all 10.10.7.* client IP addresses and .gov domain values being added to the previously created httpd workspace. Based on the prior example, the httpd workspace would now contain nodes reflecting both the 10.10.7.* and the 10.10.5.* client IP addresses, as well as the .gov domains.
When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:
Run the pullnodes command by itself with either a workspace ID or title to retrieve node and workspace metadata.
| pullnodes id=123 would retrieve node data and workspace metadata from the workspace with an ID of 123.
| pullnodes title="httpd" would retrieve node data and workspace metadata from the httpd workspace.
The search command shows the returned data in the Splunk interface. It also writes an event to the avalon index. To review the indexed data, run the following search over the desired time range:
Run the pullworkspaces command to retrieve a list of available workspaces and metadata.
Beyond providing a quick way to view which workspaces are available, the command is also called hourly via a saved search to populate a lookup containing the workspace ID and workspace title.
The Avalon Summary dashboard provides visibility and insight into the add-on’s operation. The dashboard panels are as follows and are scoped by workspace, node type, and time range unless otherwise indicated:
The avalon_nodes lookup can be used with your other searches, reports, and alerts to add context or otherwise enrich data in Splunk. For example, an alert could be created that sends an email or performs another action when a particular node value appears in your indexed data.
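The enrichment described above, as an added example that is not part of the add-on's own documentation: it matches Apache client IPs from the page's earlier searches against the avalon_nodes lookup and summarizes the hits so the search can be saved as an alert. The lookup field names node_value, node_type and workspace_title are assumptions; check the add-on's lookup definition for the real ones.

```spl
index=apache
| lookup avalon_nodes node_value AS clientip OUTPUT node_type AS avalon_node_type, workspace_title AS avalon_workspace
| where isnotnull(avalon_workspace)
| stats count AS hits earliest(_time) AS first_seen latest(_time) AS last_seen values(avalon_workspace) AS avalon_workspace BY clientip avalon_node_type
| convert ctime(first_seen) ctime(last_seen)
| sort - hits
```

Save the search as an alert that triggers when the number of results is greater than zero and attach the email (or other) action; each result row identifies the matched node, the Avalon workspace(s) it belongs to and when it was first and last seen.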