The NodeZero App for Splunk comes bundled with the NodeZero Add-on for Splunk built in, which contains the modular input for pulling NodeZero pentests results into the Splunk index of your choosing. There is no need to install both on a standalone instance.
There exists a sample dashboard,
NodeZero Operations, to demonstrate how one might view summary information across all penetration tests visible in Splunk, then drilldown through specific weaknesses to see exactly what operations NodeZero took against certain hosts during a specific time range.
Weakness data has been mapped to the CIM Vulnerability datamodel
An API key is required to access the API. The key is tied to an existing user account with
Org Admin privileges in the Horizon3.ai portal.
(At this time, API keys are manually provisioned by Horizon3.ai. If you don’t have an API key, please contact your Horizon3.ai representative to acquire one.)
Configuration page, click the
Add button on the
Nameis a simple name that gets used by the
Descriptionis for any notes/details about the API Key/Account
API Keyis an encrypted field for saving the NodeZero API Key
On the 'Inputs' tab, click "Create New Input"
Name(required) is a simple name that gets used by the modular input
Description(optional) is for any notes about the modular input
API Account(required) is a dropdown single select to choose the account for which you wish to pull data
Index(required) the index to which you would like to ingest NodeZero data
Polling Interval(optional) Default is 86400 seconds (daily). How frequently you want to poll for new data
Once the input is saved, it immediately begins attempting to pull data from the NodeZero API
For the sample dashboard to work, it relies on a macro called:
h3_index. The default value for this macro is:
(), and will only work if your events are being sent do the
default index (usually
main). Set the macro (via
Settings > Advanced Search > Search Macros) to whatever index you selected when defining your modular input (e.g.,
To make sure the modular input is doing its job, you can run the following search:
`h3_index` | stats values(sourcetype) as st
You should see three sourcetypes:
h3:nodezero:api:action_logs h3:nodezero:api:host_export_csv h3:nodezero:api:weakness_export_csv
There is also a non-navigable dashboard at
/en-US/app/nodezero/kvstore_state that will show a table based on the KVstore the modular input uses to store app state. This can be used during troubleshooting to see what data has been pulled for each pentest.
For troubleshooting information, view
ExecProcessor logs and the nodezero logs:
index=_internal (sourcetype=splunkd nodezero component=ExecProcessor) OR sourcetype="nodezero-*"
Note: Don't forget the asterisk on the end of
sourcetype=nodezero*, as they often show up as
For more logs: set
DEBUG in the Configuration tab
Email firstname.lastname@example.org with any questions, comments, or concerns. Feedback is greatly appreciated!
Initial release to Splunkbase
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.