How do I integrate with Splunk?

1) Introduction

The Splunk App allows a customer to lookup the number of vulnerabilities per severity for a network asset using its IP (IPv4/IPv6) directly inside of Splunk.

The lookup is done against Holm Security VMP using its REST API to retrieve information about the asset. The app works both for SaaS and On-Premise installations of Holm Security VMP.

Example use case:
To get more context about a network asset and understand the security risk it carries, use the search lookup command with this app, which integrates with Holm Security, to retrieve enhanced information about the asset.

Severity levels:

  • Critical
  • High
  • Medium
  • Low
  • Info

2) Prerequisites

This guide assumes that the Splunk app package (tar.gz) is available for the customer and that customer has access to install apps on their Splunk instance as well as editing the files provisioned by the Splunk app inside of the apps directory.

3) Install

Log in to Splunk and install the new app using the tar.gz file.

4) Configure

Edit the app config. To configure the app you will need to edit the app config inside bin/holm.py of the app:

  • Splunk\etc\apps\holm-security\bin
  • open for edit: holm.py
  • Replace xyz with your API TOKEN
  • Replace ABC with your API HOST + PORT
  • Save holm.py

5) Use The App

In the search field: | holm asset_ip=x.x.x.x
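The steps in sections 4 and 5 amount to two things the command has to do before it can answer a lookup: get hold of the API token and host, and turn an `asset_ip` value plus the returned vulnerability list into one row of per-severity counts. The following Python is an added example written for this article, not code from the Holm Security app or its repository. It assumes hypothetical environment variable names (`HOLM_API_TOKEN`, `HOLM_API_HOST`) as an alternative to writing the token into holm.py, refuses the `xyz`/`ABC` placeholders if they are still in place, validates that `asset_ip` is exactly one IPv4/IPv6 address, and counts severities using the five levels listed in section 1. The vulnerability list and its field names are constructed sample data, not the real API response format.

```python
import ipaddress
import os
from collections import Counter

# Severity levels as listed in the article.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

# Constructed sample data. The field names "name" and "severity" are an
# assumption for illustration, not the real Holm Security VMP API format.
SAMPLE_VULNS = [
    {"name": "vuln-a", "severity": "Critical"},
    {"name": "vuln-b", "severity": "High"},
    {"name": "vuln-c", "severity": "high"},      # case differences are normalised
    {"name": "vuln-d", "severity": "Low"},
    {"name": "vuln-e", "severity": "Info"},
    {"name": "vuln-f", "severity": "Weird"},     # unexpected value lands in "unknown"
]


def load_settings(environ=None):
    """Read the API token and host from the process environment.

    The variable names HOLM_API_TOKEN and HOLM_API_HOST are hypothetical; the
    article's own procedure is to replace the xyz/ABC placeholders in holm.py.
    Reading them from the environment keeps the secret out of a file that is
    shipped with, and may be overwritten by, the app package.
    """
    environ = os.environ if environ is None else environ
    token = environ.get("HOLM_API_TOKEN", "").strip()
    host = environ.get("HOLM_API_HOST", "").strip()
    if not token or not host:
        raise RuntimeError("HOLM_API_TOKEN and HOLM_API_HOST must both be set")
    if token == "xyz" or host == "ABC":
        raise RuntimeError("placeholder values from the template are still in use")
    return {"token": token, "host": host}


def validate_asset_ip(value):
    """Return the canonical form of a single IPv4 or IPv6 address.

    Anything else (hostnames, CIDR ranges, empty strings, trailing junk) is
    rejected so the value passed on to the API is exactly one address.
    """
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        raise ValueError(f"asset_ip is not a valid IPv4/IPv6 address: {value!r}") from None


def count_by_severity(vulns):
    """Count vulnerabilities per severity, keeping every level present (zero included)."""
    counts = Counter()
    for vuln in vulns:
        level = str(vuln.get("severity", "")).strip().capitalize()
        counts[level if level in SEVERITIES else "unknown"] += 1
    result = {level: counts.get(level, 0) for level in SEVERITIES}
    result["unknown"] = counts.get("unknown", 0)
    return result


def build_splunk_row(asset_ip, vulns):
    """Flatten the counts into one row of field=value pairs, the shape a
    Splunk search command returns for each asset."""
    row = {"asset_ip": validate_asset_ip(asset_ip)}
    for level, count in count_by_severity(vulns).items():
        row["vulns_" + level.lower()] = count
    return row


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no API call is made.
    print(build_splunk_row("10.0.0.5", SAMPLE_VULNS))
```

The `unknown` bucket is deliberate: if the API ever returns a severity outside the five documented levels, the count still shows up in the row instead of silently disappearing, which is the failure a dashboard built on these fields would otherwise never notice.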

6) Limitations

There is a UI for configuring the app but it is not functional. Configure the app using the described steps above.

Note: The Splunk integration is also available at this link:

https://github.com/holmsecurity/api-examples/tree/master/integrations/splunk
