With the SOC Prime CCM App for Splunk, you can continuously stream new rules and update the existing ones in the cloud environment or in your on-premise Splunk instance. Leveraging the SOC Prime Continuous Content Management (CCM) module, rules can be streamed directly into your Splunk environment from the specified Content Lists as part of the CCM capabilities. Optionally, security performers can specify rule Presets, Custom Field Mapping profiles, and Filters.
This guide describes how to set up integration for the SOC Prime CCM App for Splunk to enable streaming of detection content directly into the customer’s environment via the CCM module powered by the SOC Prime’s platform.
To obtain rules from a specific Content List via the CCM module and stream them into the Splunk environment, security performers need to have an enabled access to the SOC Prime Threat Detection Marketplace API. For more details on how to configure and enable API access, download the guide for the latest version of the TDM API Integration Tool here: https://tdm.socprime.com/tdm/info/MZ42X5G1sSsG/#splunk-pack.
SIEM: Splunk v. 8.x or higher, or Splunk Cloud.
Note: In distributed Splunk environments, this app should be installed in the search head.
There are two ways of installing the app: via the Splunk app listing or manually with the add-on package.
To install the app via the listing, follow these steps:
To install the add-on manually, follow these steps:
After successful installation, the app should appear as "SOC Prime CCM App for Splunk" in Splunk’s "Apps" menu.
After installation, configure the rule import with the "Data Inputs" menu:
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.